Cyber Incident Victim: Landespolizei Mecklenburg-Vorpommern
Date: Apr 2023
Location: Germany
Summary
The Landespolizei Mecklenburg-Vorpommern experienced a DDoS attack that rendered its public website and other state government portals temporarily unreachable. The attack involved a massive volume of requests intended to overload the servers. A Russian cyber group claimed responsibility for the incident on social media. The police intranet and internal operations were unaffected, though the online crime reporting portal was temporarily unavailable. The state's IT specialists and computer emergency team worked to block identified attackers and implement further protective measures.
Description
On the morning of April 4, 2023, various websites belonging to the government portal of Mecklenburg-Vorpommern (M-V) became unreachable. The incident affected numerous public-facing web properties, including the websites of various state ministries, the official homepage of the Landespolizei Mecklenburg-Vorpommern (State Police), and the MV-Serviceportal. These internet services are all provided and technically maintained by the state's IT service provider, the Datenverarbeitungszentrum (DVZ) M-V, or Data Processing Center. The technical teams at the DVZ and the state's computer emergency response team, CERT M-V, registered a significantly increased volume of requests targeting their websites early that morning. This anomalous activity was the first indication of a developing incident, prompting immediate investigation by the state's IT specialists.

Initial analysis conducted by the IT experts quickly determined that the unusually high volume of traffic was not legitimate user activity but a deliberate attack. The nature of the attack was identified as an attempt to overload the servers through a massive number of requests, characterizing it as a distributed denial-of-service (DDoS) attack designed to render the services unavailable. Upon confirming the malicious intent behind the service disruptions, Landesdigitalisierungsminister (State Minister for Digitalization) Christian Pegel was informed. The situation was deemed serious enough to warrant the immediate formation of a dedicated task force to coordinate the response effort. In accordance with standard protocols for cyber incidents affecting public infrastructure, the national cybersecurity authority, the Bundesamt für Sicherheit in der Informationstechnik (BSI) or Federal Office for Information Security, was also formally notified of the attack.

The newly established task force, comprising specialists from the DVZ and CERT M-V, worked under high pressure to analyze the attack vectors and implement defensive measures. Their primary objectives were to fully understand the events that had transpired and to prevent further waves of attacks from succeeding. The technical response involved identifying the origin points of the malicious traffic. The teams were successful in this early stage of containment, as they pinpointed and subsequently blocked some of the attackers responsible for the flood of requests. Additional technical countermeasures were deployed to strengthen the infrastructure's resilience against ongoing and future attempts to disrupt service availability. These actions were part of a concerted effort to mitigate the impact and restore normal operation.

As the investigation continued, the CERT M-V reached a preliminary attribution based on the information available to it at the time. The analysis led to the identification of a Russian cyber group that had publicly claimed responsibility for the attack on its social media channels. This external claim of responsibility provided context for the motivation behind the incident but did not alter the immediate technical response focused on securing the state's digital assets. The public statement from Minister Pegel confirmed that the specialists were working to clarify the events and prevent further attacks, having already implemented blocks and other technical measures.

A critical distinction was made regarding the scope of the impact. While the public websites were disrupted, the internal police network, or intranet, was confirmed to be completely unaffected by the attacks. The Innenministerium (Ministry of the Interior) explicitly stated that all internal police processes that rely on the intranet continued to operate without any impairment. This meant that the core operational capabilities of the Landespolizei remained intact. The police force was able to maintain its full workload and remained available to the public through all local police stations and via telephone. The only police service impacted was the Onlinewache, or online police station, which is a public-facing web service used for filing reports. This service was temporarily unavailable due to its reliance on the affected external web infrastructure. The public was assured that emergency services were fully functional, with instructions to continue using the standard emergency number 110 for all urgent requests for assistance.

The incident primarily resulted in a loss of availability for the state's public web portals for a period of time on April 4th. The specific duration of the outage was not detailed in the official communication, but the response actions were focused on restoring access. The impact was confined to service disruption; no breach of data or compromise of internal systems was reported. The consequences were operational and reputational, affecting citizen access to online government services and information. The ability to file police reports online was temporarily suspended, though alternative methods for contacting the police remained fully operational. The response effectively contained the incident to the public web layer, preventing any spillover into critical internal networks and ensuring that the state's essential functions, particularly those of the police, could continue without interruption.
