Cyber Incident Victim: Count and Care
Date:
Jun 2022
Location:
Germany
Summary
A ransomware attack targeted Count and Care, an IT service provider for municipal companies in Darmstadt, disrupting internal and external communications across multiple entities including energy, public transport, waste management, and housing services. Critical infrastructure operations such as energy supply and transit remained unaffected, but customer portals, websites, and business systems were taken offline, leading to service delays and alternative processing methods. Forensic investigations by federal and state authorities indicated involvement of professional attackers. Recovery efforts focused on restoring compromised systems, with no confirmed compromise of customer data. The incident impacted several affiliated organizations reliant on the provider's infrastructure, requiring days to resolve.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On June 12, 2022, a cyberattack targeted Entega, a Darmstadt-based energy provider, compromising approximately 2,000 employee email accounts and disrupting the company's public websites. Initial assessments confirmed Entega's critical infrastructure—including electricity, gas, and water networks—remained operational due to segregated protective measures. By June 13, the attack's scope expanded significantly, revealing Count and Care, Entega's IT services subsidiary, as the primary target. Count and Care provided IT infrastructure and energy-sector process management for multiple municipal entities, including the public transport operator Heag mobilo, real estate firm Bauverein AG, waste management provider EAD, and Frankfurt-based waste services company FES. The attack disrupted internal and external communications across these organizations, forcing offline customer portals, websites, and digital service platforms. FES suspended its online bulky waste booking system and disconnected all servers linked to Count and Care as a precaution, reverting to manual order processing via phone, email, or fax.
The incident was identified as a ransomware attack by Hessian authorities, with forensic support provided by the state's Cyber Competence Center (Hessen3C). Law enforcement agencies, including the Federal Criminal Police Office (BKA) and Hessian State Criminal Police Office (LKA), initiated investigations alongside Entega's internal IT teams, who worked continuously to restore systems. Attackers were characterized as professional actors employing targeted methods, though no attribution or geographic origin was disclosed. Service disruptions persisted for several days, with FES anticipating operational delays in commercial waste services until at least the week's end. No confirmed compromise of customer data occurred, and critical municipal services like public transportation, waste collection, and energy distribution maintained uninterrupted operations throughout the incident. Full restoration of IT systems remained ongoing as of June 13, with recovery timelines dependent on Count and Care's ability to reactivate its data center.