Cyber Incident Victim: ITZBund
Date: May 2022
Location: Germany
Summary
Unidentified hackers compromised three German IT service providers working with federal and state authorities, potentially exfiltrating extensive email communications containing personal data, project details, and documents. The attackers likely aimed to exploit stolen information for targeted social engineering attacks to infiltrate networks or extract sensitive data, with indications such efforts may have already commenced. A separate DDoS attack targeting ITZBund's clients, including intelligence and tax agencies, temporarily disrupted services via traffic overload traced to a non-EU source. While federal authorities assessed no immediate threat to core systems, cybersecurity experts highlighted the attacks' sophistication and possible state-sponsored origins, prompting enhanced security measures and ongoing investigations.
Description
In late April 2023, the Informationstechnikzentrum Bund (ITZBund), the central IT service provider for approximately 200 German federal and state authorities, issued a confidential warning regarding cyberattacks targeting three of its partner IT firms: Adesso, Materna, and Init. The attacks, believed to have exfiltrated extensive email communications, compromised sensitive data including personal information, phone numbers, employee work locations, project details, email threads, and attached documents. Adesso, serving clients such as the Federal Interior Ministry, Federal Transport Ministry, and North Rhine-Westphalia’s Economics Ministry, first detected unauthorized network access in January 2023, with forensic analysis revealing the initial breach occurred in May 2022. Materna, providing services to entities including the Federal Customs Administration, Robert Koch Institute, and Autobahn GmbH, confirmed its compromise in March 2023 but stated no evidence of email data leakage involving federal agencies had been found. Init, linked to the Federal Interior and Economic Affairs Ministries, acknowledged its breach in late April 2023, with investigations ongoing. The ITZBund warned that stolen data could enable highly targeted social engineering attacks to infiltrate networks or extract additional sensitive information, noting indicators suggesting such follow-on operations might already be underway.

Authorities initiated multiple response actions following the breaches. The North Rhine-Westphalia and Berlin State Criminal Police Offices launched investigations into the incidents at Materna and Init, respectively. The Federal Interior Ministry and Federal Office for Information Security (BSI) assessed no immediate threat to federal IT systems, while the Federal Finance Ministry (overseeing ITZBund) stated security measures were implemented in January 2023 to contain potential malicious code propagation. Separately, on February 16, 2023, ITZBund declared a "Major Incident" after distributed denial-of-service (DDoS) attacks targeted its clients, including the Federal Intelligence Service, multiple federal ministries, the Federal Central Tax Office, and the BSI, with traffic originating from a non-EU country. Political figures, including Parliamentary Control Panel chair Konstantin von Notz (Greens) and Left Party MP Anke Domscheit-Berg, criticized the government’s cybersecurity preparedness, citing systemic vulnerabilities in critical infrastructure protection and the high sophistication of the attacks. ITZBund and affected firms declined further public commentary, citing ongoing investigations.
