Cyber Incident Victim: SWP (Südwest Presse)
Date:
May 2023
Location:
Germany
Summary
A cyber attack targeted an external service provider hosting the online portals for Südwest Presse and other regional newspapers, causing a widespread outage. The incident rendered the primary news websites and all associated mobile application content completely inaccessible. This disruption affected multiple media outlets across southwest and eastern Germany simultaneously due to their shared reliance on the compromised third-party data center.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around May 18, 2023, the online news portals of the Neue Pressegesellschaft were rendered unreachable. The affected entities included the "Südwest Presse (SWP)", the "Märkische Oderzeitung", and the "Lausitzer Rundschau". The corresponding websites swp.de, moz.de, and lr.de became inaccessible to the public. This outage was not isolated to the web portals; it also extended to the full suite of online content delivered through the three separate mobile applications associated with these news titles. The publisher, based in Ulm, confirmed the widespread nature of the disruption in a formal statement released on Friday, May 19th.

The root cause of the extensive service failure was identified as a hacker attack. The intrusion did not directly target the publishing company's own internal infrastructure. Instead, the attack was successfully executed against the computing center of an external service provider that hosted the websites for the Neue Pressegesellschaft. By compromising that hosting provider, the attackers disrupted the digital services of all of its affected clients at once. This is a third-party (supply chain) dependency failure: a single compromised service provider produces cascading outages across every organization that depends on it, whether or not those organizations were the intended target.
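As an added illustration (not code from the original page or from the publisher), the following Python script models the dependency pattern just described: an inventory of public assets mapped to their hosting provider, a set of availability probes, and a check that flags a provider-level incident when nearly everything behind one provider fails at the same time, as opposed to an isolated outage of one site. The inventory, the provider labels (hoster-A, hoster-B), the app-backend and print-workflow hostnames and the probe results are all constructed for the example; only the three portal domains named in the statement are real.

```python
"""Third-party hosting concentration and correlated-outage check.

Added example, not code from the original page or from the publisher.
The inventory, provider labels and probe results are constructed; the
hostnames under .example are hypothetical placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    domain: str      # public hostname of a portal or app backend
    owner: str       # the publication that depends on it
    provider: str    # hosting / data-centre operator (constructed label)


@dataclass(frozen=True)
class Probe:
    domain: str
    dns_ok: bool                 # the name resolved
    tcp_ok: bool                 # TCP connect to port 443 succeeded
    http_status: Optional[int]   # HTTP status, None if no response


# Constructed inventory: the three portals and one app backend share a
# single external hoster; one unrelated system sits with another provider
# so the contrast is visible.
INVENTORY: List[Asset] = [
    Asset("swp.de", "Südwest Presse", "hoster-A"),
    Asset("moz.de", "Märkische Oderzeitung", "hoster-A"),
    Asset("lr.de", "Lausitzer Rundschau", "hoster-A"),
    Asset("app-backend.swp.example", "Südwest Presse", "hoster-A"),
    Asset("print-workflow.swp.example", "Südwest Presse", "hoster-B"),
]

# Constructed probe results for one monitoring round: everything at
# hoster-A is down in one way or another, the hoster-B system is fine.
SAMPLE_PROBES: List[Probe] = [
    Probe("swp.de", dns_ok=True, tcp_ok=False, http_status=None),
    Probe("moz.de", dns_ok=True, tcp_ok=False, http_status=None),
    Probe("lr.de", dns_ok=True, tcp_ok=True, http_status=503),
    Probe("app-backend.swp.example", dns_ok=True, tcp_ok=False, http_status=None),
    Probe("print-workflow.swp.example", dns_ok=True, tcp_ok=True, http_status=200),
]


def classify(probe: Probe) -> str:
    """Reduce one probe to an outage class, lowest failing layer first."""
    if not probe.dns_ok:
        return "dns_failure"
    if not probe.tcp_ok:
        return "unreachable"
    if probe.http_status is None or probe.http_status >= 500:
        return "http_error"
    return "ok"


def blast_radius(inventory: List[Asset]) -> Dict[str, Set[str]]:
    """Map each provider to the set of publications that depend on it.

    A provider whose set is large is a concentration risk: one intrusion
    there takes down every owner listed, which is what happened here."""
    radius: Dict[str, Set[str]] = defaultdict(set)
    for asset in inventory:
        radius[asset.provider].add(asset.owner)
    return dict(radius)


def correlated_outages(inventory: List[Asset], probes: List[Probe],
                       min_share: float = 0.8) -> List[str]:
    """Return providers for which at least min_share of probed assets are down.

    One failing asset is an ordinary outage; near-total failure of everything
    behind one provider is the signature of a provider-level incident."""
    status = {p.domain: classify(p) for p in probes}
    per_provider: Dict[str, List[bool]] = defaultdict(list)
    for asset in inventory:
        if asset.domain in status:            # skip assets without a probe
            per_provider[asset.provider].append(status[asset.domain] != "ok")
    flagged = [provider for provider, downs in per_provider.items()
               if downs and sum(downs) / len(downs) >= min_share]
    return sorted(flagged)


if __name__ == "__main__":
    for provider, owners in blast_radius(INVENTORY).items():
        print(f"{provider}: {len(owners)} dependent publication(s): {sorted(owners)}")
    for probe in SAMPLE_PROBES:
        print(f"{probe.domain:30} {classify(probe)}")
    print("provider-level outage suspected at:", correlated_outages(INVENTORY, SAMPLE_PROBES))
```

The threshold is deliberately below 1.0: in a real incident some hosts behind a provider may still answer (a cached front end, a status page), and the point of the check is to raise a provider-level hypothesis early rather than wait for every asset to fail.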
The timeline of events indicates that the services first became unavailable on Thursday, May 18th. The publishing group's official communication on the following day, Friday, May 19th, served as the public acknowledgment of a significant cybersecurity incident; it confirmed the event as a malicious hacker attack and gave initial details of its scope and impact. The outage was still unresolved when the statement was issued, so the provider had not yet contained and investigated the intrusion by the second day.
The impact of this incident was severe and multifaceted. The primary and most immediate consequence was a complete loss of availability for readers attempting to reach the news through the primary digital channels: the websites remained offline and did not load for users. The apps, while still installed on user devices, could not retrieve or display any new or existing online content, which rendered them useless for the duration. This was a significant interruption to the dissemination of news across the regions served by these publications and to public access to current events.
For the publishing house itself, the operational impact was considerable. The inability to publish stories to its digital platforms halted a core business function. The incident prevented the delivery of content to its digital subscriber base, potentially breaching service agreements and undermining reader trust. It disrupted the normal business operations of the media group and forced a shift of resources towards incident response and crisis management. The reliance on an external vendor for a critical service exposed a concentration risk in its operating model: control over the availability and security of its primary digital assets had been outsourced, so the publisher could neither prevent the outage nor end it on its own.
The response actions taken by the organization involved public communication and likely engaged internal and external technical teams. The first confirmed response was the issuance of a public statement to inform the readership and the public of the situation. This transparency effort aimed to manage expectations and clarify that the outage was due to a malicious cyber incident rather than an internal technical failure. The statement specified the cause, the external party involved, and the full extent of the known impact across the brands and platforms.
Given that the attack occurred on a third-party system, containment and remediation necessarily ran through the external service provider. The publishing group's internal IT and security teams could only coordinate with the vendor's incident response personnel to understand how the breach occurred, cut off the threat actor's access, and restore services. Restoration on the provider side required securing the hosting environment and removing any malicious presence before the news websites and the application backends were brought back online, including verifying the integrity of systems and data so that the environment was not reinfected and no further data was compromised. The fact that the outage ran into a second day shows that investigating, containing, and recovering from the attack on the provider's infrastructure was not a quick process.
