Cyber Incident Victim: Wirtschaftsförderung Bremen
Date:
Jan 2025
Location:
Germany
Summary
A series of cyberattacks targeted Bremen authorities, including an unsuccessful distributed denial-of-service (DDoS) attempt against Wirtschaftsförderung Bremen, among five incidents over four months. The only successful attack disrupted multiple government websites by overwhelming a police contact form with 18,000 requests per minute, causing partial inaccessibility for approximately 90 minutes before mitigation. The pro-Russian hacker group NoName057(16) claimed responsibility, aligning with their pattern of targeting Ukraine supporters to spread propaganda. While no data compromise occurred during these DDoS incidents, separate phishing attacks compromised education department email accounts for spam distribution. Authorities attribute the attacks to general cybercrime trends rather than specific targeting of Bremen, noting Germany's broad susceptibility to such threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Between January and February 2025, Bremen authorities experienced five documented cyberattacks targeting their online infrastructure, with two unsuccessful Distributed Denial-of-Service (DDoS) attempts occurring in January against the websites of the Health Senator and Wirtschaftsförderung Bremen (WFB). These early attacks involved bombarding servers with high volumes of simultaneous requests to overwhelm systems, though neither resulted in service disruption. The first successful breach occurred on February 12, 2025, when pro-Russian hacker group NoName057(16) targeted the Bremen Police website's contact form and local search function, flooding them with up to 18,000 requests per minute. This sustained assault caused server failure between 7:00 AM and approximately 8:30 AM, rendering websites across Bremen's entire administration partially or completely inaccessible. While the active attack continued until evening, IT service provider Dataport identified and disabled the compromised functionalities within two hours, restoring critical access.
The Bundesamt für Sicherheit in der Informationstechnik (BSI) issued a warning to Bremen authorities around 9:00 AM during the ongoing February 12 attack, coinciding with NoName057(16)'s public claim of responsibility via Telegram. This group, known for targeting Ukrainian allies since Russia's invasion, typically focuses on government agencies, media outlets, and private companies to disrupt Ukrainian support networks and spread pro-Russian propaganda. Subsequent forensic analysis confirmed no data exfiltration or loss occurred during the DDoS incident. In response, Dataport deployed a February software update introducing automated request throttling and functional deactivation during abnormal traffic spikes targeting internal search features or contact forms. Separate cybersecurity incidents included a late-February phishing attack compromising two Bremen School Administration email accounts for spam distribution and a mid-December 2023 botnet spamming campaign exploiting contact forms. The Bremen Senate explicitly denied operational or motivational links between these events and the DDoS attacks, emphasizing Germany's broad targeting by diverse threat actors seeking both tangible disruption and psychological destabilization.