Cyber Incident Victim: Landesportal Sachsen-Anhalt
Date: Aug 2017
Location: Germany
Summary
A malware attack targeting the parliament of Saxony-Anhalt originated from a spear-phishing email containing ransomware, which an employee inadvertently executed, compromising their device and portions of the network. The incident prompted immediate contingency measures, including disconnecting computers and telephones to contain the spread, while unresolved technical issues with building access systems raised additional concerns. Occurring shortly before a national election, the attack heightened existing anxieties about foreign interference, particularly given prior cyber incidents against German governmental entities linked to Russian intelligence operations aimed at information theft. Investigations by IT specialists and law enforcement focused on identifying the malware's source.
Description
On August 31, 2017, the parliament of Saxony-Anhalt, Germany, experienced a disruptive cyber incident originating from a spear-phishing email containing ransomware. Criminal investigators confirmed that an employee opened the malicious email attachment on Wednesday, August 30, triggering the infection. The ransomware compromised the employee's workstation and propagated to segments of the parliamentary computer network, necessitating immediate operational shutdowns. Katja Schmidt, a parliamentary spokesperson, disclosed that contingency protocols required all employees and representatives to disconnect computers and telephones from the network to contain the spread. Automatic doors at the parliament building had also malfunctioned earlier that day, though authorities could not confirm any connection to the cyber intrusion. The malware's impact crippled core IT infrastructure, forcing offline operations and disrupting legislative activities. No data theft or encryption ransom demands were explicitly reported in available sources.

IT forensic specialists and Saxony-Anhalt state police initiated an investigation to trace the malware's origin, though initial findings did not publicly identify the threat actors. The incident occurred three weeks before Germany's September 24 federal election, amid heightened national security concerns over potential foreign interference. German intelligence agencies had previously attributed cyberattacks against the Bundestag, Chancellor Angela Merkel's CDU party, and other political entities to Russian state-sponsored groups seeking intelligence. While authorities maintained high alert for election-related threats following allegations of Russian meddling in the 2016 U.S. presidential race, investigators did not formally link the Saxony-Anhalt attack to any specific nation-state or group. The parliament's IT teams worked to restore systems, but the duration of downtime and full recovery timeline remained unspecified in public statements.
