Cyber Incident Victim: Ista International

Date: Aug 2022

Location: Germany

Summary

ista International suffered a ransomware attack by the Daixin Team, prompting the company to take all potentially affected IT systems offline, causing service disruptions for customers. The attackers claimed to have encrypted thousands of servers and petabytes of data, including backups, after exploiting an unprivileged user account to gain full administrative control across multiple international domains, disabling security features and blocking administrator accounts during the encryption process. Negotiations between the parties failed, leading Daixin to begin leaking stolen data on their dark web site, while the company engaged internal and external experts to investigate and remediate the incident, notifying relevant authorities.

Description

ista International GmbH experienced a significant ransomware attack in early August 2022, with the Daixin Team claiming responsibility. The attackers first compromised the company's systems through an unprivileged user account, then rapidly escalated privileges across multiple critical domains including ROOT, DS, IT, and several country-specific domains (PL, AT, ES, NL, BE, DE). According to Daixin's communications, they exploited one of ista's 400,000 IoT gateways that connect over 25 million devices, gaining full control of the infrastructure within two days. The attackers encrypted petabytes of data across what they estimated to be more than 3,000 servers, including production systems and backups, while deliberately disabling security features and blocking administrator accounts to prevent mitigation. The encryption process reportedly continued even after Daixin disconnected from the network, causing substantial operational disruption that forced ista to take all potentially affected systems offline as a containment measure.

ista responded by immediately notifying the State Data Protection Authority and law enforcement while assembling a specialist team of internal and external experts to investigate the incident. The company publicly acknowledged the cyberattack through a website notice dated August 10, warning customers about temporary limitations or complete unavailability of certain services due to the systems being offline. Daixin Team began leaking stolen data on their dark web site on August 9 after negotiations collapsed the previous day, with chat records indicating ista had made an unsuccessful ransom offer that the threat actors deemed unacceptable. The prolonged system outages impacted ista's ability to deliver building management services through their digital infrastructure, which normally facilitates IoT communication across millions of connected devices for climate control and safety functions. Customer-facing disruptions persisted as the company worked to restore operations, with no immediate resolution timeline provided in their public communications.
