Cyber Incident Victim: Duale Hochschule Baden-Württemberg

Date: Sep 2023

Location: Germany

Summary

The DHBW Villingen-Schwenningen proactively severed most internet connections following an IT employee's detection of technical anomalies, initiating an investigation into a potential security risk with external specialists. Critical services including email, internal platforms like Moodle, and local internet access remain disrupted, forcing manual processes such as paper-based library operations, while the institution maintains external communication via telephone and its off-site hosted website. Authorities including police and state criminal investigators are assessing possible links to a separate university cyberattack, though no definitive conclusions or damage assessments exist; academic operations including exams and the upcoming semester start proceed as scheduled despite the ongoing technical isolation.

Description

On September 19, 2023, an IT employee at the Duale Hochschule Baden-Württemberg (DHBW) Villingen-Schwenningen detected technical inconsistencies within the institution's systems, prompting immediate precautionary measures. The DHBW implemented a network isolation strategy, disconnecting all local servers in Villingen-Schwenningen from the internet to protect its information technology infrastructure from potential damage. This action severed most external connectivity, with the exception of the institution's centralized website, which remained operational because its servers were hosted externally. The response included notifying law enforcement authorities, including local police and the Baden-Württemberg State Criminal Police Office (LKA), though no formal investigation status was confirmed. An external service provider was engaged to conduct forensic analysis starting from the detection date. Initial impacts included complete disruption of email services—preventing both sending and receiving messages—and inaccessibility of internal platforms such as the Moodle learning management system. Campus internet access was blocked for students and faculty, restricting digital operations. The DHBW shifted critical communications exclusively to telephone channels, directing stakeholders to contact personnel via numbers listed on the unaffected central website.

By September 22, the DHBW maintained its isolation stance while analysis continued, with no public updates regarding the origin, scope, or potential threat actor behind the technical anomalies. Operational adaptations included reverting the campus library to analog processes, using paper-based lists to manage book loans after digital systems went offline. Academic activities faced partial disruption, though the institution confirmed that ongoing examinations would proceed as scheduled and the October 1 semester start date remained unaffected. The LKA was examining possible connections to a separate cyber incident targeting Hochschule Furtwangen on September 18, though DHBW spokesperson Johannes Stumpf emphasized no conclusive link had been established. Institutional communications described sustained vigilance against security risks, referencing heightened alertness over preceding months. Service restoration timelines remained undefined, with the DHBW advising students to monitor its website or contact staff via phone for updates. Core administrative functions persisted through workarounds, maintaining academic continuity despite the loss of digital infrastructure.
