Cyber Incident Victim: Convotis
Date: Nov 2023
Location: Germany
Summary
A hacker attack targeted an IT service provider that primarily serves tax consulting firms, prompting an immediate shutdown of all systems as a precaution. The company stated that the rapid network isolation prevented compromise of customer systems. A ransom note demanding that the company make contact was discovered; it specified no financial or temporal conditions. After consulting law enforcement, the company did not communicate with the attackers. All clients were indirectly disrupted by the preventive server deactivation, but neither automated scans nor manual reviews detected data exfiltration. Customer systems resumed normal operations with enhanced security measures, while some tax advisors advised clients to change passwords preemptively.
Description
On November 21, 2023, German IT service provider Convotis confirmed a cyberattack targeting its servers. The company immediately shut down all systems as a precautionary measure once the breach was detected. Convotis stated that the rapid response and network isolation prevented the attack from compromising customer systems, though indirect impacts occurred due to the preventive shutdowns. Attackers left a ransom note instructing the company to contact them, but no financial demands or deadlines were specified. Convotis consulted with the State Criminal Police Office (Landeskriminalamt) and declined to engage with the threat actors. The incident primarily affected tax advisory firms relying on Convotis' services, as all client-facing servers were proactively disconnected during containment efforts.

All Convotis customer systems resumed normal operations by Sunday afternoon following the attack, though the company implemented additional security measures before restoration. Convotis reported no evidence of data exfiltration through automated scans or manual forensic reviews. Some tax advisory firms independently notified their clients about the incident, recommending precautionary password changes despite the absence of confirmed data compromise. The company maintained that the attack was contained within its infrastructure and that the immediate containment actions prevented any lateral movement to client environments. Service disruptions stemmed solely from preventive server deactivations rather than direct manipulation of customer systems by attackers.
