Cyber Incident Victim: Stadtgemeinde Feldbach
Date: Sep 2022
Location: Austria
Summary
A Styrian municipality experienced a ransomware attack after hackers infiltrated its IT systems via a compromised home office computer, encrypting data and demanding payment for decryption. The attackers' unauthorized access disrupted municipal operations, limiting public services to phone, in-person, or postal channels until restoration. Officials confirmed the presence of a ransom demand but refused compliance due to existing cybersecurity insurance and functional backups. Recovery efforts involved replacing all workstations' hard drives, reinstalling system software to eliminate residual threats, and restoring data from unaffected backups, with full operational resumption anticipated within days. The municipality had previously conducted simulated cyberattack drills and maintained insurance coverage since 2021.
Description
The Feldbach municipality in Styria, Austria, experienced a cyberattack beginning on or around September 1, 2022, which disrupted administrative operations. Attackers infiltrated the municipal IT system through a compromised home office computer, exploiting an external access point to gain entry. The intrusion was detected on Saturday, September 2, when an employee encountered system malfunctions while preparing election materials for the upcoming Austrian presidential election. IT personnel were immediately alerted to investigate the anomalies. Municipal officials, including Mayor Josef Ober, confirmed the attackers issued a ransom demand, threatening permanent data lockout unless payment was made. The exact ransom amount remained undisclosed, as the municipality’s cyber insurance provider managed this aspect of the incident. Feldbach had proactively obtained cyberattack insurance in 2021, making it one of Austria’s few insured municipalities at the time. The municipality had also run a simulated attack exercise beforehand, which had yielded favorable preparedness results, though the real-world incident demonstrated inherent vulnerabilities despite safeguards.

Municipal leaders refused to comply with the ransom demand, relying instead on existing backup systems to restore operations. Recovery efforts involved replacing all workstation hard drives with new hardware and reinstalling system software to eliminate potential attacker persistence mechanisms. Mayor Ober stated the municipality could immediately reactivate systems using backups but prioritized thorough infrastructure cleansing to prevent residual compromises. This process delayed full service restoration until September 12, 2022. During the outage, residents could only conduct municipal business via telephone, in-person visits, or postal mail. The attack’s operational impact included temporary paralysis of digital services but did not result in permanent data loss due to the availability of unaffected backups. No evidence suggested data exfiltration beyond the system encryption and ransom demand. Insurance coverage mitigated financial exposure, though specific recovery costs and policy details were not publicly disclosed.
