Cyber Incident Victim: Hochsauerlandwasser GmbH
Date: Sep 2023
Location: Germany
Summary
Hochsauerlandwasser GmbH and its affiliated energy company suffered a cyberattack involving malware contamination of their IT infrastructure, prompting a forensic review to eliminate the threat and ensure system security. Customer service portals, billing systems, and financial operations were temporarily disabled, though critical water and energy delivery remained unaffected. The companies refused ransom demands, emphasizing ethical objections to funding criminal activities, and reported the incident to law enforcement. Customer inquiries were redirected to alternative communication channels while restoration efforts prioritized securing operational systems before resuming full service capabilities.
Description
In early October 2023, Hochsauerlandwasser GmbH (HSW) and HochsauerlandEnergie GmbH (HE), regional utility providers in Germany’s Hochsauerland district, experienced a cyberattack compromising segments of their IT infrastructure. Attackers deployed malicious software that contaminated operational systems, prompting immediate containment measures. The companies isolated affected components and initiated a forensic investigation to assess the breach’s scope and eliminate residual threats. Critical customer-facing systems, including online service portals (www.hochsauerlandwasser.de and www.hochsauerlandenergie.de), billing services, and financial accounting software, were taken offline as a precaution. Management prioritized system integrity over service continuity, with managing director Christoph Rosenau stating that security required "highest priority." The forensic review confirmed no disruption to core utility services; drinking water delivery, electricity, and gas supplies remained fully operational throughout the incident.

The attack caused significant service limitations: customers could not process routine requests such as adjusting advance payments, submitting meter readings, or modifying contracts electronically. Staff maintained limited availability via phone, email, and physical customer centers in Bestwig, Bigge, and Meschede-Enste, though manual processing delays occurred until IT restoration. October’s scheduled utility advance payments were postponed indefinitely. HSW and HE refused to engage with attackers’ ransom demands, citing ethical objections and operational uncertainty. Rosenau emphasized capitulation would fuel criminal enterprises, making compliance "unthinkable." Legal actions were pursued against the perpetrators via criminal complaint. Recovery timelines focused on purging malware from financial management systems, which remained offline for multiple days post-incident. No evidence confirmed customer data exfiltration, though investigative outcomes were pending at the time of reporting.
