
Cyber Incident Victim: Verbandsgemeinde Wörrstadt

Date: Aug 2023

Location: Germany

Summary

The Verbandsgemeinde Wörrstadt experienced a cyber attack targeting its Citrix NetScaler system. This caused significant service disruptions, forcing the cancellation of appointments for departments including the citizens' office and the registry office. As a precaution, the administration disconnected itself from the regional network. There is no evidence that any internal data was exfiltrated. Authorities, including the State Criminal Police Office's cybercrime unit, are involved in the investigation and response.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

During the week leading up to August 1, 2023, anomalies were detected on the Citrix NetScaler system operated by the Verbandsgemeinde Wörrstadt (VG Wörrstadt) administration. These irregularities were identified as potentially connected to a cyber attack, prompting an immediate and comprehensive response from the municipal IT staff. The incident was publicly disclosed on August 1, 2023, with the administration providing details through official channels. The discovery of these system irregularities marked the beginning of a significant disruption to the normal operations of the local government body, which serves as an administrative district in the Alzey-Worms region of Germany. The incident followed closely on the heels of a similar cyber attack targeting the city administration of Alzey, which had occurred on the preceding Wednesday and Thursday, suggesting a potential pattern of targeting within the region, though no direct link was confirmed in the initial announcements.


Upon discovery of the potential security breach, the IT team for the Verbandsgemeinde Wörrstadt enacted all available security precautions without delay. A critical precautionary measure was the immediate disconnection of the internal network of the Verbandsgemeinde Wörrstadt from the communal Rhineland-Palatinate (RLP) network. This decisive action was intended to isolate the potentially compromised systems, prevent any further unauthorized access, and contain the threat to the greatest extent possible. The isolation of the network, while a necessary security step, had an immediate and profound impact on the administration's various specialized software applications and IT systems, rendering many of them inoperable.

The widespread IT outage caused by the protective disconnection severely hampered the daily functions of multiple key administrative departments. The citizens' office (Bürgerbüro), which handles resident registration and citizen services, was among the affected units. The registry office (Standesamt), responsible for vital records such as births, marriages, and deaths, also lost its operational capabilities. The fine collection office (Bußgeldstelle) and the human resources department (Personalabteilung) were likewise incapacitated. The failure of these critical systems meant that the administration could not process its normal workload or provide its standard suite of services to the public. This operational standstill necessitated the cancellation of all previously scheduled appointments across these departments.

The administration formally announced that all appointments were canceled initially through Monday, September 4, 2023, indicating an expectation of a prolonged recovery period exceeding one month. This extensive cancellation highlights the severity of the disruption and the anticipated complexity of the restoration and forensic investigation processes. Citizens were informed of these widespread service interruptions and advised that their scheduled engagements with the affected departments would need to be rescheduled for a later date once systems were restored and operations normalized.

Since the moment the incident was identified, the information technology employees of the Verbandsgemeinde Wörrstadt have been engaged in intensive communication and collaboration with various external expert bodies and law enforcement agencies. This coordination effort was established to manage the incident response, conduct a thorough forensic examination, and guide the recovery process. The IT staff worked closely with the appropriate authorities, including IT forensic specialists, to analyze the scope and nature of the attack. A key partner in this investigation is the Central Contact Point for Cybercrime (Zentrale Anlaufstelle für Cyberkriminalität, or ZAC) of the State Office of Criminal Investigation (Landeskriminalamt, or LKA).

A preliminary and crucial finding from the ongoing investigation, as communicated by the administration's spokesperson Ina Köhler, is that there is no evidence to suggest that any internal data belonging to the administration was exfiltrated or transferred to external parties. This assurance was provided to alleviate public concerns regarding the potential leakage of sensitive personal or governmental information. Despite this positive initial assessment, the comprehensive forensic investigation continued to verify the integrity and confidentiality of all stored data. The administration remained accessible to the public through alternative means despite the IT shutdown, maintaining communication via its main telephone number, 06732 601-0, and through email channels, ensuring that basic inquiries could still be addressed even as core digital services remained offline.

The incident at VG Wörrstadt represents a serious cyber attack targeting critical public infrastructure, leveraging a vulnerability within a specific technology stack, namely the Citrix NetScaler system. The use of this particular vector suggests a degree of sophistication, as internet-facing gateway appliances of this kind are common entry points for attackers seeking a foothold in organizational networks. The proactive network segmentation undertaken by the IT team was a textbook incident response procedure designed to limit lateral movement and mitigate potential damage. The extended recovery timeline, spanning several weeks, points to the meticulous care required to thoroughly eradicate the threat, patch vulnerabilities, restore systems from clean backups, and ensure the environment is fully secure before bringing services back online.

The broader context of this attack, occurring in the same week and in the same region as the attack on the city of Alzey, raises questions about whether these were coordinated actions by a single threat actor or a series of unrelated incidents. However, the provided information does not confirm any definitive connection between the two events beyond their temporal and geographical proximity. The public communications from VG Wörrstadt focused solely on their own situation and did not elaborate on potential links to other municipalities. The primary focus remained on managing the internal crisis, supporting the forensic investigation, and keeping the citizenry informed of the status of public services while expressing regret for the inconvenience caused. The administration committed to working diligently to restore full functionality and return to normal operations as soon as possible, acknowledging the significant impact on the community it serves.

Sources: 2 sources (available to members)