
Cyber Incident Victim: mainzplus CITYMARKETING GmbH

Date: Jun 2022

Location: Germany

Summary

A cyberattack targeting IT service provider Count + care disrupted systems for multiple clients, including mainzplus CITYMARKETING GmbH. The attackers deployed ransomware, encrypting systems and demanding payment, causing operational disruptions such as inaccessibility of websites, email networks, and internal platforms. Critical infrastructure like energy and water networks remained unaffected due to separate security measures, and no customer data breaches were confirmed. Law enforcement agencies, including state and federal cybercrime units, initiated investigations into the supply-chain attack vector, where the perpetrators compromised the provider to infiltrate linked organizations. Service restoration efforts were ongoing, with some functionalities like online ticket sales and customer portals remaining offline during recovery.


Description

On or around June 5, 2022, a cyberattack targeted the Darmstadt-based IT service provider "Count + care," which managed systems for multiple clients including mainzplus CITYMARKETING GmbH and Mainzer Stadtwerke. The attack disrupted operations across these organizations, with internal systems experiencing significant impairments. Mainzer Stadtwerke reported immediate inaccessibility of their public websites and critical internal networks, including email systems serving 1,800 employees. Customer-facing services such as online ticket sales through the Mainzer Mobilität portal and the Taubertsbergbad swimming pool’s booking platform were rendered unavailable. The attack also affected mainzplus CITYMARKETING GmbH’s operations, though specific system disruptions were not detailed in public reports. Authorities confirmed the attackers issued ransom demands, though no payment specifics or communication channels were disclosed.


Response efforts began immediately after detection, with Entega (Count + care’s parent company) and affected clients like Mainzer Stadtwerke isolating compromised systems. Critical infrastructure—including electricity, gas, and water networks operated by Mainzer Stadtwerke—remained operational due to segregated protections. Law enforcement agencies, including Hesse’s State Criminal Police Office (LKA), the Federal Criminal Police Office (BKA), and Rhineland-Palatinate’s cybercrime unit (ZAC), initiated a coordinated investigation. Forensic analysis suggested the attackers likely exploited third-party vendor access, consistent with supply-chain attack patterns, though ransomware involvement was not ruled out. Additional companies linked to Count + care, such as Frankfurt’s waste management provider FES, preemptively disconnected servers as a precaution. Recovery timelines extended several days, with full restoration of email systems and customer portals progressing gradually. No data breaches or compromises of customer information were confirmed. Investigations remained ongoing as of June 12, with no attribution to specific threat actors.
