Cyber Incident Victim: Mecklenburg–Western Pomerania
Date: Apr 2023
Location: Germany
Summary
A distributed denial-of-service (DDoS) attack targeted the IT infrastructure of Mecklenburg–Western Pomerania, rendering numerous government websites temporarily unreachable. The attack involved a massive volume of requests intended to overload servers, impacting public-facing sites for ministries, the state police, and a service portal. A Russian cyber group claimed responsibility for the incident on social media. Critical internal police systems, including emergency call handling, remained operational, though the online crime reporting portal was temporarily disabled.
Description
On the morning of April 4, 2023, various websites belonging to the government portal of Mecklenburg–Western Pomerania, Germany, became unreachable. The incident affected a significant portion of the state's public-facing online services. The impacted systems included websites of various state ministries, the official public homepage of the state police (Landespolizei), and the MV-Serviceportal. These internet services are all provided and technically maintained by the state's central IT service provider, the Datenverarbeitungszentrum (DVZ) M-V, which is based in Schwerin.

IT specialists at the DVZ and the state's Computer Emergency Response Team, CERT M-V, registered a severely increased volume of requests targeting their web servers early that morning. The initial analysis of this anomalous traffic quickly determined that the event was a deliberate cyber attack. The nature of the attack was an attempt to overload the servers with a massive quantity of requests, a technique consistent with a Distributed Denial-of-Service (DDoS) attack designed to render the services unavailable to legitimate users.
Once the malicious nature of the incident was confirmed, a Task Force was immediately established to coordinate the response effort. The situation was deemed serious enough to warrant notification of the national cybersecurity authority, the Bundesamt für Sicherheit in der Informationstechnik (BSI), or Federal Office for Information Security. The state's Digitalization Minister, Christian Pegel, publicly confirmed these initial steps in a statement issued from Schwerin on the same day. The response teams worked under high pressure to investigate the events and to implement measures to prevent further waves of attacks.
The technical response involved identifying the sources of the malicious traffic. The specialists successfully identified some of the attackers early in the incident and proceeded to block them. Additional technical countermeasures were implemented to help repel subsequent attacks and strengthen the infrastructure's resilience against the ongoing assault. The investigation into the attack's origins led to a claim of responsibility. According to the information available to CERT M-V on April 4, a Russian cyber group had publicly claimed credit for the attack on social media channels.
The impact of the DDoS attack was confined to the public internet presence of the state government and police. A critical distinction was made regarding the police's internal network. The Interior Ministry confirmed that the police intranet, which handles all internal police processes and operations, was completely unaffected by the attacks. This separation ensured that the core operational capabilities of the Landespolizei remained fully intact. The police force was not impaired in its work and remained available to the public in all its local police stations and via telephone.
However, the public did experience a disruption in specific online services. The most notable public-facing service impact was the temporary unavailability of the Onlinewache, or online police station. This platform, hosted on the affected public website, is used by citizens to file reports and complaints electronically. For the duration of the incident, this method of filing reports was not functional. The police emphasized that emergency services were entirely unaffected, instructing the public to continue dialing the standard emergency number 110 for any urgent assistance required. The incident thus resulted in a temporary degradation of certain non-emergency digital public services while leaving critical and emergency response systems fully operational. The focus of the response remained on analyzing the attack vectors, mitigating the ongoing disruption, and securing the systems against further incursions.
