Cyber Incident Victim: City of Potsdam
Date: Jan 2020
Location: Germany
Summary
The City of Potsdam experienced a cyberattack and shut down its administrative servers to prevent further unauthorized access and potential data exfiltration. The incident disrupted email communications and online citizen services, including motor vehicle registrations and digital portals, forcing residents to rely on postal submissions or phone contact for urgent matters. Emergency services and payment systems remained operational, but card payments at citizen service centers were temporarily unavailable. The city attributed the attack to a vulnerability in an external provider's system; independent analysis found Citrix ADC servers on Potsdam's network that had not been mitigated against CVE-2019-19781, which was under active mass exploitation at the time. External IT forensic teams were engaged to assess the damage, and criminal charges were filed against unknown perpetrators. Ransomware involvement was never confirmed, but the same Citrix flaw was being used by ransomware operators for initial access in that period, so that scenario remained plausible.
Description
On January 21, 2020, the City of Potsdam, capital of Germany’s Brandenburg state, detected unauthorized access to its administrative servers. By Wednesday evening, January 22, the city severed all internet connections to these systems to prevent data exfiltration, following confirmation of a cyberattack. Mayor Mike Schubert publicly attributed the incident to an "illegal cyberattack" exploiting a vulnerability in an external provider’s system, though the provider was not named. The city’s emergency services, including fire departments, remained operational, and payment systems were unaffected. However, critical citizen-facing online services—including the motor vehicle authority, registry office, Maerker and Maerker Plus portals, and citizen service centers—became unavailable. Email communications with external parties were disrupted, forcing citizens to submit applications via postal mail or phone. Card payments at citizen service centers were also suspended due to the outage.

The city engaged external IT security firms and forensic experts to analyze the breach, assess data security, and restore systems. Criminal charges were filed against unknown perpetrators, and federal and state IT security and data protection agencies were notified. Independent analysis by journalist Hanno Böck found Citrix ADC servers on Potsdam's network that were still exposed to CVE-2019-19781, although Citrix had published its mitigation (a responder-policy workaround, since fixed firmware builds only began shipping that same week) more than a month earlier. Cybersecurity agencies, including CISA and the Dutch NCSC, had already advised applying the mitigation immediately or taking vulnerable Citrix systems offline because of active exploitation. Security researchers linked the same flaw to ransomware campaigns, in which it served as the initial foothold for lateral movement and deployment of ransomware such as REvil. Potsdam confirmed neither ransomware involvement nor data theft; the unmitigated appliances and the flaw's documented use by ransomware operators made that scenario plausible, but it was not established. Restoration prioritized securing systems before reactivation, and no public timeline for full recovery was given.
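The exposure described above can be checked for, and attempted exploitation can be found in web-server logs, with a short script. The following is an added example and is not code from this page, from the City of Potsdam, or from Citrix. It assumes the widely published non-intrusive check for CVE-2019-19781 (a GET for /vpn/../vpns/cfg/smb.conf, which an unmitigated appliance serves and a mitigated one answers with 403), a made-up one-line access-log format, and hostnames and log lines constructed here for illustration.

```python
"""Checks for CVE-2019-19781 (Citrix ADC / Gateway directory traversal).

Added example; not code from the page, the city, or Citrix.
Two parts: classify a probe response, and flag traversal attempts in logs.
"""
import re
import ssl
import urllib.error
import urllib.request
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Public check path: the VPN handler's path traversal reaches the Samba
# config under /vpns/. The Citrix responder-policy mitigation returns 403
# for any /vpns/ request containing "/../".
PROBE_PATH = "/vpn/../vpns/cfg/smb.conf"


def classify_probe_response(status: int, body: str) -> str:
    """'vulnerable' if smb.conf content came back, 'mitigated' on the
    responder policy's 403, otherwise 'unknown' (patched build, WAF,
    not an ADC at all)."""
    if status == 200 and "[global]" in body:  # Samba config starts with [global]
        return "vulnerable"
    if status == 403:
        return "mitigated"
    return "unknown"


def probe_host(host: str, timeout: float = 5.0) -> str:
    """Send the probe to one appliance. Hypothetical host; only run this
    against systems you are authorized to test."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # appliances often carry self-signed certs
    req = urllib.request.Request(
        f"https://{host}{PROBE_PATH}",
        headers={"User-Agent": "cve-2019-19781-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return classify_probe_response(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify_probe_response(err.code, "")


# Assumed (constructed) access-log shape: "<client-ip> <method> <path> <status>"
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def is_traversal_into_vpns(raw_path: str) -> bool:
    """True if the request path, after double percent-decoding, climbs
    into /vpns/ with '..'. Double-decoding catches %252e-style evasion."""
    decoded = unquote(unquote(raw_path)).replace("\\", "/").lower()
    return "/vpns/" in decoded and "/../" in decoded


def find_exploit_attempts(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per matching request; 'served' is True when the
    appliance answered 200, i.e. the traversal was not blocked."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_traversal_into_vpns(m["path"]):
            continue
        status = int(m["status"])
        hits.append({"ip": m["ip"], "path": m["path"],
                     "status": status, "served": status == 200})
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "203.0.113.5 GET /vpn/../vpns/cfg/smb.conf 200",
    "198.51.100.7 GET /vpn/%2e%2e/vpns/cfg/smb.conf 403",
    "198.51.100.7 GET /vpn/..%252fvpns/cfg/smb.conf 403",
    "192.0.2.9 GET /vpn/index.html 200",
]

if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        state = "SERVED (unmitigated)" if hit["served"] else "blocked"
        print(f"{hit['ip']} {hit['path']} -> {state}")
```

A 200 on the probe means the appliance is still exploitable and should be treated as potentially already compromised, not merely patched: the log scan is there to answer the second question, since an unmitigated appliance that logged a served traversal before the mitigation went in needs forensic review rather than just a firmware update.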
