Cyber Incident Victim: Wisag
Date:
Jan 2022
Location:
Germany
Summary
A ground handling service provider experienced a cyberattack, prompting an immediate shutdown of all systems and activation of contingency plans to transition operations to backup infrastructure without significant operational disruptions. The company refused ransom negotiations and involved law enforcement, publicly stating it does not pay criminals. Core functions were subsequently restored while remediation efforts continued, though investigations into potential data exfiltration from servers and the attack's origins remained ongoing. Authorities are examining the incident's scope and impact details.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 27, 2022, German ground handling service provider WISAG publicly disclosed it had been targeted in a cyberattack. The company detected the intrusion on the preceding Thursday, though the exact discovery date remains unspecified in available reporting. Upon identifying the breach, WISAG immediately took all corporate systems offline as a containment measure. Emergency protocols were activated, enabling operations to transition to backup systems without significant service interruptions. A company spokesperson confirmed no major disruptions occurred in ground handling workflows during this period. WISAG’s executive board, led by Michael Wisser, explicitly refused negotiations with the attackers and declined any ransom payment, asserting the company’s policy against capitulating to criminal demands. Law enforcement agencies were notified to initiate formal investigations into the incident.
WISAG restored core operational functions following the initial containment phase, though full system recovery remained ongoing at the time of reporting. Technical teams prioritized resolving residual disruptions while forensic analysis continued to determine the attack’s origin and methodology. The company acknowledged an ongoing assessment to establish whether threat actors exfiltrated data from its servers, though no conclusive findings regarding compromised information had been released publicly. Internal investigations proceeded concurrently with law enforcement activities, limiting WISAG’s ability to disclose additional details about the incident’s causes or broader impacts. Operational continuity was maintained throughout the response via redundant systems implemented under the organization’s emergency planning framework.