Cyber Incident Victim: Stadt Essen

Date: Sep 2023

Location: Germany

Summary

Stadt Essen was targeted by a cyber attack from an unknown threat actor. The incident was detected by the city's internal IT team, the Essener Systemhaus, which initiated countermeasures. The attack was successfully repelled, preventing any major damage. No systems experienced outages and no personal data was affected. All city employees were required to change their passwords, and systems were temporarily shut down for forensic investigation. Police and data protection authorities were notified.


Description

On Thursday, September 28, 2023, an attack by previously unknown actors targeted the IT systems of the Konzern Stadt Essen, constituting a significant security incident. The attack was detected in a timely manner by the Essener Systemhaus (ESH), the city's internal IT service provider. Upon discovery, the ESH immediately initiated countermeasures. These initial response actions were successful in preventing more severe damage from occurring. A key finding from the initial assessment was that no systems experienced outages as a direct result of the attack, allowing municipal operations to continue without immediate public disruption.

Despite the lack of system outages, the incident triggered a comprehensive and cautious internal response. As a standard security precaution, all employees of the city administration were instructed to change their passwords to secure accounts against potential unauthorized access gained during the breach. The full scope and impact of the attack were not immediately apparent, necessitating a detailed forensic investigation. To facilitate this investigation and to prevent any potential lateral movement by the attackers, a decision was made to power down all computers within the city's network completely. This sweeping action involved shutting down the entire fleet of workstations and servers to isolate the threat and preserve evidence for analysis.

The process of forensic analysis, conducted by IT forensic specialists, extended over several days due to the extensive nature of the systems involved. Investigators meticulously examined the compromised systems to determine the attack's entry point, its methods, and, most critically, the extent of any data exfiltration or system compromise. Following the thorough investigation, the systems were carefully restarted and brought back online in a controlled manner. The forensic review ultimately confirmed that the prompt detection and response had been highly effective. It was determined that no personal data was accessed or exfiltrated during the incident. This finding was a crucial outcome, indicating that citizen information remained secure and that the attack did not result in a data privacy breach.

Concurrently with the technical response, the incident was reported to the relevant authorities in compliance with standard regulatory and legal protocols. The City of Essen formally notified the State Data Protection Officer (Landesdatenschutz), a routine procedure for any security incident involving IT systems that process personal data, even when a breach is not confirmed. Additionally, the Essen police department was notified of the crime, and they subsequently opened an investigation to determine the identity and motives of the perpetrators. The specific actors behind the attack remained unknown at the time of reporting, with no group claiming responsibility and no definitive attribution established by investigators.

By Monday, October 2, the beginning of the following week, the city administration reported that all systems were operating normally again. The municipality also publicly confirmed that there had been no discernible impacts or service interruptions for customers of the city administration, meaning residents were able to access public services without delay or issue throughout the incident and its aftermath. The city's spokesperson characterized the defensive effort as successful, stating that the attack had been fended off. The incident drew public attention partly because it came soon after a previous significant cyber attack in Essen, the one that targeted the University of Duisburg-Essen in late 2022. That attack had caused major operational problems and involved data theft, creating a context of heightened awareness regarding cyber threats against public institutions in the region.
