Cyber Incident Victim: Leibniz-Informationszentrum Wirtschaft (ZBW)
Date: Mar 2023
Location: Germany
Summary
The Leibniz-Informationszentrum Wirtschaft (ZBW) was hit by a cyber attack, resulting in the library's closure and the unavailability of numerous services. Email systems were among the many services rendered unreachable, though the institution remained contactable by phone. The incident was part of a broader wave of DDoS attacks targeting official German state websites, with a pro-Russian group claiming responsibility for the wider campaign.
Description
On or around March 28, 2023, the Leibniz-Informationszentrum Wirtschaft (ZBW) / German National Library of Economics became the target of a significant cyber attack. The incident was part of a broader, coordinated series of attacks targeting official government and institutional websites across multiple German states. The ZBW, a major research infrastructure located in Kiel, confirmed it was a victim via a notice posted on its own website and through a social media announcement on April 1st. The library was forced to close its physical location as a direct result of the attack's impact on its operational capabilities. The core of the incident involved a severe disruption to the institution's digital services, rendering many of them completely unavailable to users and staff.

The attack had an immediate and profound effect on the ZBW's service availability. Numerous critical services were taken offline. The library's email systems were rendered inoperable, severing a primary communication channel for the institution. While the specific technical nature of the attack on the ZBW was not detailed in public statements, the broader campaign it was part of was characterized by widespread Distributed Denial-of-Service (DDoS) attacks. The timing and targeting of the ZBW incident align with these simultaneous attacks, suggesting it was one component of a larger offensive. The library's main website, zbw.eu, was also compromised and displayed a notice informing visitors of the ongoing cyber attack.
In response to the incident, the ZBW implemented immediate containment measures. The physical library was closed to the public to manage the crisis and prevent further operational complications. The institution established an alternative communication line, providing a telephone number for urgent contact while its email systems remained down. Recovery efforts were initiated to restore access to the affected digital services and website. A spokesperson for the ZBW publicly stated that they anticipated the attack would include a ransom demand, indicating the possibility of a ransomware component alongside the service-disruption attacks, though no specific group was initially named in connection with their incident.
The attack on the ZBW occurred in the context of a large-scale cyber campaign targeting German public infrastructure. Throughout that week, official websites and portals for multiple German states, including Mecklenburg-Vorpommern, Saxony-Anhalt, Brandenburg, Berlin, Thuringia, and Schleswig-Holstein, were hit by DDoS attacks. These attacks caused widespread but temporary outages, making government and police websites unreachable or slow to load. Officials from these states confirmed the attacks and their DDoS nature, consistently noting that while service availability was impacted, the underlying infrastructure and data security were not breached.
The broader campaign was publicly claimed by a pro-Russian hacker group identified as "NoName057(16)". This group used social media channels to post boastful messages, or "Bekennernachrichten," taking credit for the attacks. These messages often featured a Russian flag and the phrase "Victory will be ours." German authorities, such as a spokesperson from the Lower Saxony interior ministry, acknowledged these claims and stated it was believed the attacks against police websites originated from outside the country. A Berlin official described the events as the largest attack on the city-state's administration websites and characterized it as part of an "attack on all of Germany."
The response from other affected states mirrored the steps taken by the ZBW in terms of containment and restoration. For example, the State Chancellery of Thuringia detected attacks on selected websites, particularly those of the state's interior ministry and police, starting at 8:00 AM on Wednesday. In accordance with their IT security concept, they executed countermeasures which involved taking the affected websites offline for approximately thirty minutes. They noted that while service largely returned to normal, further short-term availability restrictions were possible due to ongoing defensive measures or continued attacks. The primary consequence across all entities was a loss of service availability and public access to online information, with no reports of data exfiltration or theft resulting from these specific DDoS events. The incident at the ZBW and the simultaneous attacks on state portals represented a significant coordinated effort to disrupt German digital public services.
