Cyber Incident Victim: Bauverein AG
Date:
Jun 2022
Location:
Germany
Summary
A ransomware attack targeting IT service provider Count and Care disrupted operations at multiple municipal entities in Darmstadt, including bauverein AG. The incident compromised internal and external communications, rendering websites and customer portals inaccessible, though critical infrastructure like energy and public transport remained unaffected. Response efforts involved law enforcement agencies, forensic IT teams, and the Hessen3C Cyber Competence Center working to restore systems. Service disruptions impacted customer-facing operations such as waste management scheduling and tenant communications, with full recovery expected to take several days. Investigators attributed the attack to professional threat actors employing targeted methods, though no confirmed data breaches or attacker origins were disclosed during ongoing investigations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On June 12, 2022, a cyberattack targeted Entega, a Darmstadt-based energy provider, initially disrupting employee email accounts and corporate websites. The attack expanded significantly by June 13, revealing a broader compromise of Count and Care, an IT services subsidiary jointly owned by Entega and Stadtwerke Mainz, which managed IT operations for multiple municipal enterprises. This subsidiary’s compromise cascaded to affiliated entities, including the municipal real estate company Bauverein AG, public transport operator Heag mobilo, waste management service EAD, and the Digitalstadt Darmstadt GmbH. Internal and external communication systems across these organizations were disrupted, though critical infrastructure—such as Entega’s energy grids, Heag mobilo’s transit services, and waste collection operations—remained operational due to segregated security measures. Attackers deployed ransomware, blocking access to IT systems and forcing organizations like Bauverein AG and EAD to take customer portals and websites offline. The Frankfurt-based waste management firm FES preemptively disconnected servers linked to Count and Care, limiting its ability to process new service requests digitally.
Authorities responded swiftly, with Hesse’s Cyber Competence Center (Hessen3C) dispatching a mobile forensics team to assist Count and Care in evidence preservation, system analysis, and recovery efforts. Entega’s internal IT specialists worked continuously alongside law enforcement, including the State Criminal Police Office (LKA) and Federal Criminal Police Office (BKA), to restore systems. Bauverein AG partially restored telephone customer service by midday on June 13, while other entities like EAD and FES warned of prolonged portal outages, estimating delays in commercial services until at least the week’s end. Officials, including Darmstadt’s Mayor Jochen Partsch, emphasized no confirmed compromise of customer data but acknowledged the attackers’ sophistication, describing them as “professionals acting with targeted criminal energy.” Recovery timelines remained uncertain, with Entega’s spokesperson noting restoration could take days. The incident did not disrupt physical utilities or transit, but communication-dependent services faced significant operational constraints during the remediation period.