
Cyber Incident Victim: Stadtwerke Neumünster

Date: Aug 2023

Location: Germany

Summary

Stadtwerke Neumünster (SWN) was the victim of a cyber espionage attack. The company proactively shut down all of its systems to prevent further damage, which severely limited what employees could do and disrupted customer services. Critical infrastructure operations continued, but many systems, including customer data access and payment processing, remained unavailable. The State Office of Criminal Investigation (Landeskriminalamt, LKA) took over the investigation into the incident.

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actors: 0 actors

Description

On or around August 24, 2023, the municipal utility company Stadtwerke Neumünster (SWN) became the victim of a cyber espionage attack. The company's IT department detected the espionage attempt, prompting an immediate, precautionary response: to prevent further damage and to protect both the organization and its customers, SWN decided to take all of its systems offline. This happened on a Thursday, and the company expressed relief that its IT team had identified the threat quickly, allowing protective measures to be initiated before more severe consequences could materialize. The operational infrastructure responsible for critical public services remained functional despite the widespread IT shutdown. The mechanical-biological waste treatment plant (MBA) in Wittorferfeld and the combined heat and power plant on Bismarckstraße continued to operate normally, so core utility services and supply to customers were maintained and remained secure throughout the incident.


The widespread consequences of the system shutdown significantly impacted the internal operations and employee capabilities at SWN. Staff were forced to work under severe restrictions, as the outage rendered most of their daily tools and communication channels inaccessible. Employees could not send or receive emails, and the ability to make telephone calls was also disabled. All essential programs and operational systems that the workforce relied upon for their tasks became completely unavailable. This comprehensive loss of IT functionality extended to the company's customer service and support channels. While the hotlines for reporting telecommunications outages remained technically reachable by the public, the SWN employees answering these calls could not access the underlying systems to diagnose the cause of any reported issues or disruptions. For larger-scale outages, the company had to rely on dispatching technicians physically to investigate and resolve problems, as remote diagnostic capabilities were entirely non-functional.

Customer-facing operations were similarly disrupted by the necessary security measures. The SWN customer center located at Kuhberg remained open to the public, with staff present to provide advisory support and assistance with problems. However, these employees were also completely locked out of the customer databases and systems. This meant that while they could offer general advice, they were unable to access any specific customer account information, process contract changes, or perform any data-related tasks. The company implemented recorded messages on its affected hotlines to inform callers of the ongoing circumstances and the limitations in service. The incident also had a minor impact on some public services offered by the utility. The Bad am Stadtwald swimming facility remained open; however, a restriction was placed on payments, with card transactions being impossible. Conversely, the SWN recycling center in Wittorferfeld was closed to private customers, who were directed to use alternative disposal sites during the outage. The public transportation services operated by SWN, including regular buses and the "Hin&Wech" shuttle service, continued to run without any restrictions or interruptions.

According to the company's press spokesperson, Saskia Ullrich, this cyber espionage attack marked the first time that Stadtwerke Neumünster had been targeted by hackers in such a manner. She noted, however, that similar espionage attempts had previously occurred at other municipal utility companies across the region. In response to the incident, SWN followed standard protocol and alerted the relevant authorities so that the criminal activity could be investigated, notifying the police and the responsible data protection bodies. The State Office of Criminal Investigation (Landeskriminalamt, LKA) subsequently took the lead on the investigation, as confirmed by its press spokesman, Uwe Keller. Restoring services was described as meticulous and time-consuming: the recovery strategy brought each system back online individually in a protected and secure manner, and every system was thoroughly examined and scanned before reactivation to confirm it was clean and to prevent any remnants of the attack from causing further harm.

The total duration of the operational restrictions and the timeline for a full return to normal business operations remained highly uncertain immediately following the attack. The company stated that it was nearly impossible to provide an accurate estimate for how long the complete analysis and restoration process would take. SWN officials publicly acknowledged that the period of disruption could last for several days, but also warned that it might extend for two or three weeks. This uncertainty underscored the complexity of the incident response, as the priority was placed on a secure and methodical recovery over a swift return to full functionality. The deliberate process of securing, scanning, and restarting each system one by one was necessary to guarantee that the espionage attempt was fully contained and eradicated, thereby ensuring the long-term security of the utility's infrastructure and the data of its customers. The focus remained on a thorough investigation and a secure restoration process, with the understanding that the extensive downtime was a necessary measure to mitigate the potential for far greater damage resulting from the initial espionage attack.
