Cyber Incident Victim: Wirtschaftsförderung Bremen
Date:
Feb 2025
Location:
Germany
Summary
A pro-Russian hacker group known as NoName057(16) conducted multiple cyberattacks targeting Bremen authorities, including Wirtschaftsförderung Bremen, using distributed denial-of-service (DDoS) techniques to overwhelm websites with excessive traffic. While initial attempts on health and economic promotion sites failed, a subsequent attack successfully disrupted police servers via a contact form, causing temporary inaccessibility across Bremen's administrative websites. The group, linked to disruptive actions against Ukraine supporters and Russian propaganda dissemination, claimed responsibility during the incident. Although no data theft occurred, separate unrelated breaches included phishing compromising school administration email accounts and botnet-driven spam through manipulated contact forms. Authorities implemented automated throttling measures to mitigate future DDoS attempts while denying any targeted motive behind the attacks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Between January and February 2025, multiple cyber incidents targeted Bremen's administrative infrastructure, with five documented attacks occurring within four months. The earliest confirmed attacks involved unsuccessful Distributed Denial-of-Service (DDoS) attempts against the websites of Bremen's Health Senator and Wirtschaftsförderung Bremen (WFB) in January 2025. These incidents involved bombarding servers with high-volume simultaneous requests to overwhelm systems, though neither resulted in service disruption. The first successful breach occurred on February 12, 2025, when attackers directed approximately 18,000 requests per minute at the Bremen Police website's contact form and local search function. This sustained DDoS attack caused partial inaccessibility across Bremen's entire administrative web infrastructure from approximately 7:00 AM to 8:30 AM, with residual effects persisting until evening. IT service provider Dataport identified and disabled the compromised contact form and search features within two hours, containing the operational impact. The pro-Russian hacker group NoName057(16) claimed responsibility during the attack, coinciding with a formal warning issued by Germany's Federal Office for Information Security (BSI) at 9:00 AM that same morning. This group, active since Russia's invasion of Ukraine, historically targets government entities, media organizations, and private companies supporting Ukraine.
Additional cybersecurity events affected Bremen's infrastructure during this period, though authorities confirmed no operational or tactical links between incidents. In late February 2025, a phishing attack compromised two email accounts within Bremen's School Administration, enabling spam distribution from official @schulverwaltung.bremen.de addresses. A separate December 2024 incident involved botnet-driven spam distribution through manipulated contact forms on unspecified Bremen websites. The Senate explicitly denied any data exfiltration or permanent system damage across all attacks, including the February 12 DDoS event. In response to the successful DDoS breach, Dataport deployed a software update in late February implementing automated request throttling and function deactivation during abnormal traffic spikes. Authorities emphasized that attack frequency aligned with national trends, rejecting notions of Bremen being specifically targeted. The Federal Criminal Police Office (BKA) assumed investigative leadership regarding NoName057(16)'s activities, while Bremen's Senate maintained that the attacks primarily aimed to generate public uncertainty rather than cause substantive infrastructure damage.