
Cyber Incident Victim: Bundesrechtsanwaltskammer

Date: Aug 2023

Location: Belgium

Summary

The German Federal Bar Association (BRAK) suffered a ransomware attack on its Brussels office, leading to the encryption of its systems and the exfiltration of an estimated 160 GB of data. The association is conducting a forensic analysis and has warned of potential phishing attempts using stolen correspondence. Normal operations are being restored, and the incident is confirmed to be isolated from other national systems like the electronic lawyers' mailbox.


Description

On or around August 2, 2023, the Bundesrechtsanwaltskammer (BRAK), the German Federal Bar Association, discovered that its Brussels office had fallen victim to a criminal cyberattack. The incident resulted in a complete failure of the IT systems at that location. Upon discovery, BRAK immediately took action by disconnecting all network connections to contain the breach and prevent further unauthorized access. The organization identified the attack as a ransomware incident targeting a server operated at the Brussels site. The primary immediate effect was the encryption of the Brussels office's systems, with the mail server being specifically mentioned as compromised. This encryption rendered the systems inoperable and disrupted normal business operations. In the wake of the attack, BRAK engaged an external IT security service provider to conduct a comprehensive forensic analysis of the affected IT systems. The primary objectives of this forensic investigation were to fully clarify the circumstances of the incident, understand the extent of the intrusion, and work towards remediating the damage caused by the attackers.

As part of the attack, data was exfiltrated. The forensic investigation determined that approximately 160 gigabytes of data were siphoned from the compromised systems. The attackers have threatened to publish this stolen data publicly. At the time of the official communication from BRAK, the only action taken by the threat actors was an initial demand for contact; no further steps, such as the actual publication of data or a specific ransom demand, had yet been observed. BRAK is actively working to determine the precise nature and sensitivity of the exfiltrated data. The organization has stated that it is proceeding under the assumption that personal data of individuals who were in contact with the Brussels office may have been compromised. This could include contact information and the contents of communication histories. A thorough review is ongoing to identify any specific individuals whose data was affected, and BRAK has committed to separately informing any such persons should further findings point to a concrete data breach involving their information.

In accordance with regulatory obligations, BRAK reported the cybersecurity incident within the mandated deadline to the Federal Commissioner for Data Protection in Germany. Furthermore, the organization is in contact with relevant law enforcement and cybersecurity authorities to support the investigation. These agencies include the Belgian police, the State Criminal Police Office of Berlin (Landeskriminalamt Berlin), and the Cyber Emergency Response Team of the Belgian Centre for Cyber Security. This multi-jurisdictional engagement highlights the cross-border nature of the incident, involving both German and Belgian authorities due to the physical location of the compromised office in Brussels and the national affiliation of the targeted organization.

BRAK issued a warning to all potentially affected parties, urging increased vigilance concerning suspicious emails. The advisory specifically highlighted emails that falsely appear to originate from the BRAK Brussels office. These phishing attempts could leverage the stolen data to create highly convincing and targeted communications. The warning instructed recipients to be exceptionally cautious of any messages that request unusual actions, such as wire transfers to altered bank account details, even if the email seems to reference or continue a previous legitimate correspondence. BRAK explicitly advised against replying to such suspicious emails and emphatically warned against opening any attachments or clicking on links contained within them, as these are common vectors for deploying additional malware.

Despite the severity of the attack, BRAK has made significant progress in restoring its operations. The Brussels office has been able to resume email communications using its known email addresses, marking a key step towards normalcy. Work continues on the full restoration of all systems and the preparation for a complete resumption of normal business operations. BRAK has also been able to provide assurances regarding the isolation of the incident. Due to completely separate system and operational structures, the organization has confirmed that there is no connection between this attack and the besondere elektronische Anwaltspostfach (beA), the special electronic mailbox for lawyers. Similarly, the Bundesweite Amtliche Anwaltsverzeichnis (BRAV), the nationwide official directory of lawyers, and any correspondence with the BRAK headquarters in Berlin remain unaffected and entirely separate from the compromised Brussels systems.

The incident underscores the persistent threat ransomware groups pose to professional and legal organizations, combining system encryption with data theft to exert maximum pressure on victims. The dual tactics of disabling critical infrastructure and threatening to release sensitive information create a complex challenge for incident response teams. BRAK's response demonstrates a methodical approach focused on containment, forensic investigation, regulatory compliance, and transparent communication with stakeholders and authorities. The engagement of external cybersecurity experts indicates a recognition of the specialized skills required to properly investigate such a sophisticated attack and to guide the recovery process. The ongoing forensic analysis is crucial for understanding the full impact of the data breach and for implementing measures to prevent a similar occurrence in the future. The restoration of email services is a positive development, but the complete resolution of the incident's aftermath, particularly concerning the stolen data, remains an active and ongoing process.
