Cyber Incident Victim: Brekom
Date: Feb 2025
Location: Germany
Summary
A series of cyberattacks targeted Bremen authorities, including five DDoS incidents over four months, with one successfully disrupting police website access and causing partial outages across administrative sites for over an hour. The pro-Russian group NoName057(16) claimed responsibility, prompting federal investigations. Separate phishing and botnet attacks compromised school administration email accounts, enabling spam distribution. No data breaches occurred during the DDoS events. The Senate dismissed connections between the incidents and denied that Bremen was specifically targeted, attributing the attacks to Germany's broader vulnerability to cyber threats aimed at causing disruption and public uncertainty.
Description
Between January and February 2025, Bremen's government agencies experienced a series of cyberattacks, including five documented incidents within four months. The first two attacks occurred in January as unsuccessful distributed denial-of-service (DDoS) attempts targeting the websites of Bremen's health senator and economic promotion office, where attackers flooded servers with simultaneous requests but caused no operational disruptions. The first successful attack happened on February 12 against the Bremen police website, when the pro-Russian hacker group NoName057(16) bombarded its contact form with approximately 18,000 requests per minute. This overload caused partial or complete inaccessibility of all Bremen administration websites between 7:00 AM and 8:30 AM, with residual attack activity continuing until evening. The Federal Office for Information Security (BSI) issued a specific warning to Bremen authorities around 9:00 AM, while the attack was still ongoing. Service provider Dataport identified the police website's contact form and local search function as the attack vectors and disabled both features within approximately two hours to contain the attack. NoName057(16), active since Russia's invasion of Ukraine, publicly claimed responsibility on the same day via Telegram, in line with its pattern of targeting Ukrainian allies' government portals, media outlets, and private enterprises to spread pro-Russian propaganda.

Additional security incidents affected Bremen's systems during this period, though authorities confirmed no operational or motivational links between them. In late February, attackers compromised two email accounts at the school administration through phishing, enabling spam distribution from @schulverwaltung.bremen.de addresses. A separate December 2024 incident involved botnet-driven spam campaigns exploiting contact forms on unspecified Bremen websites. The Senate emphasized that none of these attacks, including the February 12 DDoS event, resulted in data theft, loss, or compromised information. In response to the successful DDoS attack, authorities implemented a software update by late February that introduced automatic request throttling and deactivation of the affected functions during abnormal traffic spikes targeting internal search features or contact forms. Federal Criminal Police Office (BKA) investigations into NoName057(16) remained ongoing, while Bremen officials rejected the notion that Bremen was specifically targeted, characterizing the attacks as part of broader cyber campaigns against German infrastructure aimed at causing operational damage and public unease.
