Cyber Incident Victim: Stadtgemeinde Tulln
Date: Feb 2025
Location: Austria
Summary
A cyberattack encrypted data across the municipal server infrastructure and approximately 200 individual workstations, disrupting digital services. Critical public infrastructure operations remained unaffected, while core citizen services like registrations and certifications were restored through temporary solutions. Functions requiring access to stored data, such as electronic document processing, remained impaired. Most encrypted files are expected to be recovered from validated backups, though one day of recent operational data was irretrievable. Restoration efforts prioritized gradual system reactivation under close monitoring for suspicious activity. Investigations into potential data exfiltration continue in coordination with law enforcement, with no response received from the perpetrators following initial contact.
Description
On February 10, 2025, Stadtgemeinde Tulln experienced a cyberattack that encrypted data across its entire server infrastructure, disrupting municipal operations. The attack compromised approximately 200 individual workstations in addition to central servers, forcing immediate isolation of affected systems. Initial service disruptions impacted core citizen services including electronic document processing, permit issuance, and digital record access. Critical infrastructure systems such as water supply and sewage management remained operational without interruption. By February 12, municipal staff had established temporary workarounds to restore basic services like resident registrations, address changes, and certifications through manual processes. Construction permit approvals continued within legal timeframes despite processing delays, while recreational facilities maintained accessibility despite temporary suspension of cashless payment systems at venues like the municipal swimming pool.

Recovery efforts progressed through coordinated actions between internal IT teams, external cybersecurity experts, and law enforcement agencies. By February 17, near-full restoration of citizen services was achieved through systematic validation and redeployment of secured server backups, with only work records from the attack date (February 10) remaining irrecoverable. Accounting functions including invoice payments resumed normal operations, while technicians continued working to reactivate electronic payment systems. Forensic monitoring during system restoration detected no additional malicious activity, though comprehensive analysis to determine potential data exfiltration remained ongoing. Municipal authorities confirmed attempted communication with the attackers had yielded no response as of the latest update. The phased recovery timeline projected full restoration of all IT systems by the end of that week, contingent upon continued verification of backup integrity and system security during reintegration.
