Cyber Incident Victim: Entega AG

Date: Jun 2022

Location: Germany

Summary

A German energy provider experienced a ransomware attack targeting its IT service subsidiary, disrupting internal and external communications, websites, and customer portals across multiple municipal companies, including public transport and waste management services. Critical infrastructure operations such as electricity, gas, and water supply remained unaffected due to segregated protections. The incident, attributed to professional attackers, required law enforcement and cybersecurity experts to assist with forensic analysis and system recovery. While no customer data compromise was confirmed, service disruptions persisted for several days, impacting online transactions and requiring alternative customer service channels. Recovery efforts focused on restoring compromised systems, with full service restoration anticipated by the end of the week.

Description

The cyber incident targeting Darmstadt-based energy provider Entega began on June 12, 2022, with attackers compromising employee email accounts and corporate websites. Entega's initial assessment indicated no immediate risk to critical infrastructure operations—including electricity, gas, and water networks—due to segregated protective measures. By June 13, the attack's scope expanded significantly, revealing that Count and Care, an IT services subsidiary jointly owned by Entega and municipal stakeholders, served as the primary intrusion point. This subsidiary managed IT infrastructure for multiple municipal enterprises, causing cascading disruptions across Darmstadt's city-owned companies including public transit operator Heag mobilo, real estate firm Bauverein AG, waste management provider EAD, and Mainzer Stadtwerken in a neighboring city. The Frankfurt-based waste disposal service FES also disconnected its systems from Count and Care as a precautionary measure.

Authorities from the Hessen Cyber Competence Center (Hessen3C), State Criminal Police Office, and Federal Criminal Police Office initiated a coordinated response, deploying mobile forensic teams to preserve evidence and analyze the ransomware attack. Internal IT specialists worked continuously to restore systems, estimating recovery would require several days. Operational impacts included disabled customer portals for waste management services, disrupted telephone systems at Bauverein, and temporary suspension of online appointment scheduling for FES's bulk waste collection. Municipal leadership confirmed no service interruptions occurred in energy distribution or public transportation, though corporate communications and public-facing websites remained offline. The attackers' professional methodology suggested deliberate targeting of shared IT infrastructure rather than direct assaults on physical utility controls. Ongoing police investigations prevented disclosure of potential data compromises or attribution details while recovery efforts prioritized reinstating full customer service capabilities.
