Cyber Incident Victim: Mainzer Stadtwerke
Date: Jun 2022
Location: Germany
Summary
A cyberattack targeted the Darmstadt-based IT service provider "Count + care," impacting multiple client organizations including Mainzer Stadtwerke. The attackers deployed ransomware, disrupting internal systems such as email networks for employees and rendering public websites, customer portals, and online ticket sales temporarily inaccessible. Critical infrastructure systems—including electricity, gas, and water networks—remained operational due to separate security measures, with no reported supply disruptions or customer data breaches. Investigations involving state and federal cybersecurity authorities indicated a likely supply-chain attack vector, where compromised provider systems facilitated access to client networks. Additional affected entities included municipal waste management services in Frankfurt. Recovery efforts were expected to take several days, with authorities noting the incident followed common ransomware tactics involving encryption and ransom demands.
Description
On or around June 5, 2022, a cyberattack targeted the Darmstadt-based IT service provider "Count + care," which managed systems for multiple clients including Mainzer Stadtwerke and the energy supplier Entega. The attack disrupted operations by compromising internal networks and encrypting systems, with perpetrators issuing ransom demands. By the start of the following week, Mainzer Stadtwerke’s public-facing websites—including those of Mainzer Mobilität, Taubertsbergbad, and Mainzer Netze GmbH—became unreachable. Internal systems, particularly the email network serving 1,800 employees, were paralyzed. Ticket sales via the customer center were suspended, forcing customers to use mobile apps, ticket machines, or third-party vendors. Entega experienced similar disruptions, with 2,000 employee mail accounts inaccessible and corporate websites offline. The attackers employed a supply-chain method, initially breaching the IT service provider before moving laterally to client networks, potentially by embedding malware in system updates distributed to downstream customers.

Authorities from Hesse’s State Criminal Police Office (LKA), the Federal Criminal Police Office (BKA), and Rhineland-Palatinate’s cybercrime unit (ZAC) were immediately engaged. Investigations focused on the IT provider’s Darmstadt headquarters, placing Hesse’s agencies in charge. Forensic analysis confirmed no compromise of critical infrastructure—electricity, gas, and water networks remained operational due to segregated protections. No customer data breaches were identified. Recovery efforts required several days, with Entega and Mainzer Stadtwerke prioritizing system isolation and manual workarounds. Additional affected clients, including Frankfurt’s waste management provider FES, preemptively disconnected all servers linked to the compromised IT provider. FES maintained essential services like trash collection and street cleaning but suspended online bulk waste registrations and customer portal access. The incident highlighted broader vulnerabilities in third-party service dependencies, with attackers exploiting trusted vendor relationships to maximize disruption across multiple entities.
