Cyber Incident Victim: Heag mobilo
Date:
Jun 2022
Location:
Germany
Summary
A ransomware attack targeted IT service provider Count and Care, impacting multiple Darmstadt-based municipal entities including Heag mobilo, disrupting internal and external communications, customer portals, and waste management systems. Critical infrastructure operations such as energy supply and public transport remained unaffected. The incident caused widespread website outages and forced manual processing of service requests, with recovery efforts involving forensic analysis and system restoration supported by regional cybersecurity authorities. Law enforcement agencies investigated the professionally executed attack, though no customer data compromise was confirmed.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 12, 2022, the Darmstadt-based energy provider Entega experienced a cyberattack initially compromising employee email accounts and corporate websites. The attack occurred overnight, with Entega confirming the incident on Sunday afternoon while emphasizing its critical infrastructure—electricity, gas, and water networks—remained unaffected due to segregated protections. By Monday, June 13, the scope expanded significantly as investigators identified Count and Care, Entega’s IT services subsidiary, as the primary target. This Darmstadt-based provider managed IT systems and energy-sector processes for multiple municipal enterprises, leading to cascading disruptions across affiliated organizations. The attack impacted Heag mobilo (public transit), Heag Mobibus, Bauverein AG (municipal real estate), Heag-Holding, Entsorgungsbetriebe Darmstadt (EAD), Digitalstadt Gesellschaft, and Frankfurt’s waste management service FES. External websites, customer portals like EAD’s "Kundenportal" and FES’s "KundenPlus," and internal communication systems became inaccessible, forcing entities to revert to manual processes for services such as bulk waste pickup scheduling.
Authorities, including Hesse’s Cyber Competence Center (Hessen3C), State Criminal Police Office, and Federal Criminal Police Office, initiated a coordinated response. Hessen3C deployed an on-site mobile task force to assist Count and Care with evidence preservation, forensic analysis, and system restoration. Entega’s spokesperson described the attackers as “professionals” employing ransomware with “targeted and criminally energetic” methods, though no group claimed responsibility. Darmstadt’s Mayor Jochen Partsch confirmed no operational disruptions to energy distribution or public transit but acknowledged prolonged communication and customer service impairments across municipal businesses. Count and Care’s recovery efforts focused on reactivating severed network connections, with full restoration expected to take several days. FES preemptively disconnected all servers linked to Count and Care, anticipating commercial service delays through at least June 17. While no customer data breaches were confirmed, investigations into data compromise origins remained ongoing, with authorities withholding operational details to avoid compromising the inquiry.