Cyber Incident Victim: Südwestfalen-IT
Date: Oct 2023
Location: Germany
Summary
A criminal cyberattack targeted Südwestfalen-IT, prompting an immediate shutdown of all systems and coordination with law enforcement to impose an information blackout. A crisis team, including external IT forensics, was formed to analyze the attack and implement stricter security protocols before restoring unaffected systems. The incident disrupted critical services across 72 member municipalities in South Westphalia and external clients using specialized applications, causing limitations in citizen services, email, and phone communications, though emergency services remained operational. A central coordinator was established to develop temporary solutions while prioritizing security over speed in recovery efforts. The organization emphasized ongoing collaboration with authorities and municipalities to resolve the crisis and restore functionality.
Description
On the night of October 29-30, 2023, Südwestfalen-IT (SIT), a regional IT service provider for municipalities in Germany's South Westphalia region, suffered a highly professional cyberattack. The organization immediately shut down all systems to contain the threat. In coordination with the State Criminal Police Office (LKA) and the Central Office for Combating Cybercrime (ZAC-NRW) of the Cologne Public Prosecutor's Office, SIT imposed an information blackout to prevent attackers from exploiting potential additional vulnerabilities. By October 30, SIT established a crisis management team that included external IT forensic specialists. The same day, specialized forensic investigators were engaged to analyze the attack using advanced tools while conducting individual checks of all production systems to rule out infections. New security policies were drafted, with plans to gradually restore unaffected systems only after implementing stricter security standards, prioritizing safety over operational speed.

The incident primarily disrupted services across SIT's 72 member municipalities in the Hochsauerlandkreis, Märkischer Kreis, Olpe, Siegen-Wittgenstein and Soest districts, parts of Rheinisch-Bergischer Kreis, and the city of Schwerte, along with external customers using specialized applications. While emergency services including fire departments, rescue operations, and police remained functional, municipal operations faced severe limitations: citizen offices, registry offices, and driver's license departments experienced restricted appointment availability and processing capabilities. Email and telephone communications with municipalities were partially or completely unavailable. On November 1, SIT appointed a central emergency solutions coordinator to develop temporary workarounds with affected communities. Deputy Managing Director Jörg Kowalke acknowledged the widespread service disruptions caused by the emergency shutdown and emphasized collaborative recovery efforts involving municipal and SIT staff. The organization committed to providing daily updates as forensic analysis and system restoration progressed.
