Cyber Incident Victim: State of Berlin
Date: Apr 2023
Location: Germany
Summary
A DDoS attack targeted the Berlin city portal, significantly slowing it down as part of a larger, coordinated campaign across multiple German states. The incident was described as the largest such attack on the Berlin state administration's websites to date. Service was largely restored the following day, with officials confirming that no data was exfiltrated or stolen and that the internal state network remained unaffected. Initial unverified claims suggested a pro-Russian hacker group's involvement.
Description
On or around April 4, 2023, a significant cyber incident targeted the online services of multiple German states, with the Berlin city portal, berlin.de, being a primary focus. The attack commenced on Wednesday morning shortly after 8:00 AM. Unidentified actors executed a distributed denial-of-service (DDoS) attack against the portal, deliberately flooding its servers with a massive volume of requests. The objective of this action was to overwhelm the infrastructure, causing a severe degradation in service performance. The immediate consequence was a noticeable and substantial slowdown of the berlin.de website, a critical platform through which Berlin's public authorities disseminate information and citizens access digital public services. By Thursday, April 5th, the operator (Betreiber) of the city portal reported that the malicious activity had ceased and was no longer detectable, with services largely returning to normal operation. However, the interior administration cautioned that isolated undesirable side effects stemming from the implemented countermeasures could not be entirely ruled out as the systems stabilized.

The scale of this event was formally characterized by Berlin’s State Secretary for Digitalization, Ralf Kleindiek, as the largest cyber attack to date targeting the websites of the Berlin state administration. He further contextualized the incident, stating it was not an isolated event but rather a component of a broader, coordinated attack campaign occurring across the entire nation of Germany. This nationwide scope was corroborated by reports from other federal states. The online presence of the Brandenburg police force was severely impacted, with all of its online services rendered inoperable since Tuesday morning, preventing citizens from filing criminal complaints online or inquiring about fine procedures. The state portal of Schleswig-Holstein was also unreachable on Wednesday, and similar disruptions were reported within the state of Saarland. These widespread issues followed a series of hacker attacks on websites belonging to ministries and police forces in Mecklenburg-Western Pomerania, Saxony-Anhalt, and Lower Saxony that had become known the previous day, Tuesday.
An official assessment from the Berlin interior administration and the state's IT-Dienstleistungszentrum (IT Service Center) provided crucial details regarding the impact and containment of the attack. They confirmed that the attack was successfully contained at the web layer; the core internal state network, known as the Landesnetz, was not breached or otherwise affected by the incident. This isolation prevented any form of data exfiltration or theft. Officials explicitly stated that no data was siphoned off or stolen during the attack and that there were no successful infiltrations into deeper systems. The protective security measures in place were described as having functioned as intended, successfully blunting the DDoS assault without a compromise of data integrity or confidentiality. The primary consequence for Berlin was therefore limited to a temporary loss of availability and performance for its public-facing web services.
In parallel, the Brandenburg police provided insight into their response and the ongoing investigation. A spokesperson indicated that technical adjustments were being implemented on their systems as a direct result of the cyber attack. These modifications, designed to prevent a recurrence of such an incident, were themselves the cause of the prolonged service disruptions and the website remaining offline through Thursday. The spokesperson reiterated that their systems were not hacked and that no data had flowed out, echoing the findings from Berlin. The State Criminal Police Office (Landeskriminalamt) initiated an investigation based on the suspicion of computer sabotage.
While the attribution of the attacks remained officially unconfirmed and under investigation by authorities, some initial hints emerged. A spokesperson for the Brandenburg police presidency noted that there were indications an alleged Russian hacker group had claimed responsibility for the attack on social media channels. However, it was strongly emphasized that this claim did not necessarily mean the group was truly behind the activity, and official investigations would need to determine the actual responsible party. An unnamed investigative authority in Lower Saxony was also reported to have stated there were hints of a pro-Russian background to the attacks. External expert analysis provided by Professor Christian Dörr of the Hasso-Plattner-Institut in Potsdam placed the event in a broader geopolitical context, noting a significant increase in activity originating from Russia since the beginning of the war in Ukraine. He observed that such attacks often accompany announcements of new aid packages or statements from Western nations, though he also cautioned that the possibility of a lone actor simply causing mischief could not be discounted.
The incident's impact was multifaceted, affecting both governmental operational capabilities and public access to essential services. For the Berlin police, the attack prevented the online publication of press releases and public safety announcements on Wednesday, disrupting a key channel for citizen communication. In Brandenburg, the complete takedown of police online services represented a more severe and prolonged operational hindrance, directly impeding the public's ability to interact with law enforcement for multiple days. The broader pattern of disruptions across Germany pointed to a coordinated effort to disrupt the digital infrastructure of numerous state-level governments, marking a significant event in the landscape of German public sector cybersecurity. The incident concluded with services being restored but with an acknowledgment from officials of its unprecedented scale and the confirmation that while availability was temporarily compromised, defensive measures ultimately prevented a more severe breach of data or systems.
