
Cyber Incident Victim: RP Online

Date: Jun 2023

Location: Germany

Summary

A cyber attack targeted the IT service provider Circ IT, which serves the Rheinische Post Mediengruppe, causing widespread technical issues. This supply-chain attack disrupted numerous regional news websites, rendering them either completely offline or severely limited, though ePaper services remained accessible in some cases. The company stated no user data was accessed and brought in external security experts to work on restoring secure operations.


Description

On the evening of Friday, June 16, 2023, a cyber attack targeted Circ IT, the in-house IT service provider for the Rheinische Post Mediengruppe. This incident caused widespread technical failures that severely disrupted the online operations of numerous news publications under the media group's umbrella. The attack was identified as the root cause of the technical problems that subsequently brought down multiple websites. The primary and most prominent website affected was that of the Rheinische Post itself, rp-online.de. In addition to this flagship publication, the attack impacted the online presence of the Saarbrücker Zeitung (which includes the Pfälzischer Merkur), the Aachener Zeitung and Aachener Nachrichten, the Generalanzeiger Bonn, the Trierischer Volksfreund, and the Wuppertaler Rundschau. The scope of the outage was significant, encompassing a major regional media network in Germany.

The immediate impact of the attack was the complete or severely restricted availability of these news portals. In place of their normal content, the affected websites displayed only a brief message informing visitors of a general technical disturbance. This rendered the primary news publishing function of these sites inoperable. However, some services remained accessible despite the main website outages. The ePaper digital editions of the newspapers were reportedly still available for retrieval, allowing subscribers to access the traditional print format. In some cases, the teams responsible for the sites attempted to provide a reduced news overview on a subpage, a partial workaround to deliver minimal information to their readership during the disruption.

According to insider information reported by tagesschau.de, the attackers breached the systems of the full-service provider Circ IT. The attack was characterized as a supply-chain attack, in which the compromise of a third-party service provider is used as a vector to attack its clients. In this instance, the IT infrastructure and services provided by Circ IT to the Rheinische Post Mediengruppe became the conduit for the attack, which ultimately led to the takedown of the client news websites. The website of Circ IT itself was also unreachable in the aftermath of the incident, indicating the severity of the compromise within its own systems.

Upon discovery of the incident, the Rheinische Post Mediengruppe initiated its response. The company immediately began working on restoring the disrupted services and mitigating the technical problems. A company spokesperson provided an official statement, confirming that, based on the current assessment, no user data had been accessed by the attackers. This early analysis suggested that the primary impact was operational disruption rather than a confirmed data breach. The spokesperson also stated that no further damage had occurred apart from the obvious loss of revenue resulting from the outage. To assist with the investigation and recovery, the media group engaged external IT security experts. These specialists were brought in to support the internal efforts to return to a secure and normal state of operations.

The response efforts focused on diagnosing the full extent of the compromise within Circ IT's environment and cleansing the systems to ensure a secure restoration of services for all affected client publications. The work involved forensic analysis to understand the attack vector used by the threat actors and to identify any persistent threats within the network. The overarching goal was to eradicate the attacker's presence and restore the publishing platforms to full functionality without compromising the security of the systems or the data they host. The incident highlighted the vulnerabilities inherent in relying on a centralized IT service provider, as a single point of failure there can cascade into a multi-organizational outage. The disruption lasted for an extended period, keeping the major news outlets from fulfilling their primary online function of delivering timely news to their audience. The financial impact, as acknowledged by the company, was direct revenue loss due to the inability to serve content and advertisements through their digital platforms. The full duration of the outage and the complete timeline for restoration were not detailed in the immediate reports following the attack.
