Cyber Incident Victim: HEAG Holding AG
Date:
Jun 2022
Location:
Germany
Summary
A cyberattack targeting IT service provider Count and Care, a subsidiary of Entega and Stadtwerke, disrupted multiple municipal companies in Darmstadt including HEAG Holding AG, its public transport operator Heag mobilo, property management firm Bauverein AG, and waste management services. The ransomware attack, attributed to professional actors, compromised internal and external communications, forcing several corporate websites and customer portals offline while causing service delays for commercial waste disposal and customer inquiries. Critical infrastructure operations—including energy supply, public transportation, and waste collection—remained unaffected due to segregated protective measures. Law enforcement agencies and cybersecurity specialists from state and federal authorities collaborated with the company’s IT teams to investigate, preserve evidence, and restore systems, though full recovery was expected to take several days. No customer data breaches were confirmed at the time.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 5 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On June 12, 2022, a cyberattack targeted Darmstadt-based energy provider Entega, initially disrupting employee email accounts and corporate websites. The attack occurred overnight, with Entega confirming the incident on Sunday and assuring customers that critical infrastructure—including electricity, gas, and water networks—remained unaffected due to segregated protections. By Monday, June 13, the attack’s scope expanded significantly when investigators identified Count and Care, Entega’s IT services subsidiary, as the primary target. This Darmstadt-based provider managed IT systems and energy-sector processes for multiple municipal enterprises, causing cascading disruptions across affiliated organizations. The Hessen Interior Ministry later confirmed the incident as a ransomware attack.
The breach impacted internal and external communications for HEAG Holding AG and its subsidiaries—public transport operator Heag mobilo, real estate firm Bauverein AG, waste management provider EAD, and Mainz municipal utilities. Digitalstadt Darmstadt GmbH and Frankfurt’s waste disposal service FES also experienced outages, forcing FES to process waste collection orders manually via phone, fax, or email. Multiple customer portals and websites remained offline, though operational services like public transit and energy delivery continued uninterrupted. Law enforcement agencies including the Federal Criminal Police Office (BKA), Hessen State Criminal Police Office (LKA), and the state’s Cyber Competence Center (Hessen3C) initiated forensic investigations while Entega’s IT teams worked to restore systems. Company spokespersons described the attackers as "professionals" acting with deliberate intent but declined to confirm potential data compromises or the attack’s origin during ongoing investigations. Recovery efforts focused on rebuilding compromised infrastructure, with full service restoration anticipated by week’s end.