Cyber Incident Victim: Handwerkskammer Hannover

Date: Oct 2020

Location: Germany

Summary

The Hanover Chamber of Crafts experienced a ransomware attack by the Sodinokibi group, compromising networks across all four locations and a subsidiary. Following malware detection, emergency protocols were activated, including disconnecting networks and shutting down systems; preliminary analysis indicated potential exfiltration of all local network data, though external provider servers remained unaffected. Impacted information included employee records, communications with member companies, trainees, funding providers, and service partners. The organization refused ransom demands, notified supervisory and law enforcement authorities, and acknowledged potential unlawful data publication risks while confirming no verified leaks had occurred at the time of reporting.

Description

On the night of October 21, 2020, the Hanover Chamber of Crafts experienced a ransomware attack affecting its networks across all four locations and those of its wholly owned subsidiary, Projekt- und Servicegesellschaft. The Sodinokibi group deployed an extortion Trojan (ransomware), compromising systems despite the organization’s adherence to high IT security standards aligned with international protocols. Upon detecting the malware intrusion, the Chamber activated its IT emergency plan, implementing immediate containment measures. All network connections were severed, and every computer system was powered down to prevent further spread of the infection. Peter Karst, General Manager of the Chamber and head of the crisis team, confirmed that while forensic analysis remained ongoing, preliminary findings indicated attackers likely exfiltrated all data stored within local networks. Data hosted on servers managed by an external IT service provider remained unaffected, with no encryption or infection observed in those systems.

The breach primarily compromised employee data, communications with member companies (including trainee records), and correspondence involving funding providers and service providers. The Chamber publicly refused to pay the ransom demanded for decryption, adhering to guidance from investigative authorities. Karst acknowledged the possibility that attackers might publish stolen data, creating legal risks under data protection regulations due to potential third-party misuse. Formal notifications were submitted to relevant legal supervisory bodies and the state data protection officer, while the State and Federal Criminal Police Offices initiated investigations. The Chamber established a dedicated email contact ([email protected]) managed through a ticket system to address inquiries regarding compromised data. As of the latest update, no evidence indicated unauthorized publication of exfiltrated information, though the organization emphasized the persistent threat of illicit data exploitation and declined to disclose further specifics pending the investigation’s progress.
