Cyber Incident Victim: Hochschule Kaiserslautern
Date: Jun 2023
Location: Germany
Summary
A ransomware attack forced Kaiserslautern University of Applied Sciences to take its entire IT infrastructure offline. The incident impacted all major services for its students and staff, including email, telephones, computer pools, and the library. The university warned employees not to turn on their work computers due to the encryption attack. This event is part of a recent trend targeting similar educational institutions in the German-speaking region.
Description
On or around June 9, 2023, the Kaiserslautern University of Applied Sciences (HS Kaiserslautern) publicly confirmed it was the victim of a significant cyberattack. The institution announced the incident via an emergency website established to communicate with students and staff after its primary online presence was compromised. The university’s official statement characterized the event as a ransomware attack that had forced the complete shutdown of its entire IT infrastructure. This drastic containment measure was implemented in direct response to the detected threat, indicating the severity of the incident. The attack rendered the university's central email accounts and its entire telephone system inoperable, severing critical lines of communication for the entire institution.

The impact of the attack was extensive and immediate, affecting nearly every facility and service relied upon by the university's population of more than 6,200 students. The university explicitly stated that computer pools, which are essential for coursework and research, would remain closed until further notice. Furthermore, the institution's library was also forced to close its doors due to the IT outage, halting access to both physical and digital resources. The widespread disruption effectively brought academic and administrative operations to a standstill. The university administration issued a specific warning to its employees, instructing them not to switch on their work computers. This directive was based on the confirmed nature of the attack, which was identified as an encryption attack, meaning the workstations at employees' workplaces were likely compromised and could be rendered inoperable if powered on.
The public confirmation of the attack placed HS Kaiserslautern within a concerning trend of cyberattacks targeting higher education institutions in German-speaking countries throughout 2023. In the months preceding this incident, at least half a dozen similar universities, particularly those focused on applied sciences, had been impacted. This pattern suggested a deliberate targeting campaign by cybercriminals against this specific sector of the education system. Just a few months prior, in March, the Vice Society ransomware group had claimed responsibility for an attack on the Hamburg University of Applied Sciences (HAW Hamburg), adding the institution to its data leak site following an attack that had occurred late the previous year.
The series of attacks continued into the spring. In February, the University of Zurich, Switzerland’s largest university, announced it was the target of what it described as a “serious cyberattack.” A spokesperson for that university explicitly noted the incident was “part of a current accumulation of attacks on educational and health institutions,” highlighting the broader targeting strategy employed by threat actors. The week before the University of Zurich's announcement, three other German institutions—the Harz University of Applied Sciences in Saxony-Anhalt, Ruhr West University, and the EU/FH European University of Applied Sciences—had all publicly announced they were impacted by cyberattacks. Further back, in January, the Vice Society group had also claimed responsibility for a November 2022 attack against the University of Duisburg-Essen in Germany. This context positioned the attack on HS Kaiserslautern not as an isolated event, but as the latest in a sustained wave of incidents against similar targets.
At the time of its public announcement, key details regarding the attack on HS Kaiserslautern remained undetermined. The identity of the perpetrators responsible for the ransomware attack was not publicly disclosed by the university or identified by external analysts in the immediate aftermath. It was also not clear whether the attack involved a multifaceted extortion strategy, a common tactic where data is exfiltrated before encryption to pressure victims into paying a ransom by threatening to release the stolen information. The university’s initial communications did not confirm if any data was stolen from its systems prior to the encryption process being initiated.
The university's response was focused entirely on containment and mitigation through isolation. The decision to take the entire IT infrastructure offline was a definitive containment action aimed at preventing the further spread of the ransomware and isolating infected systems. This action, while necessary from a cybersecurity perspective, had the direct and immediate consequence of halting all university operations that depended on network connectivity. The establishment of an emergency website was the primary crisis communication response, serving as the sole authoritative source for updates and instructions for students and staff who were otherwise cut off from official communication channels like email. The prolonged closure of core facilities like computer pools and the library indicated an expectation of a significant recovery period, suggesting the encryption and system damage were severe.
The incident at HS Kaiserslautern also reflected the wider cybersecurity challenges facing Germany beyond the education sector. In the same general timeframe, ransomware attacks had impacted critical private industries. In May, the major arms company Rheinmetall publicly attributed a disruptive attack to the Black Basta ransomware group. Furthermore, during the spring, Bitmarck, one of the largest IT service providers operating within Germany’s statutory health insurance system, was hit by a cyberattack. The drug development giant Evotec was also reported to have suffered an attack during this period. This pattern of attacks across diverse sectors, including education, defense, healthcare IT, and pharmaceuticals, illustrated the pervasive threat ransomware groups posed to German infrastructure and institutions throughout 2023. The attack on HS Kaiserslautern was a single incident within this much larger and ongoing disruptive campaign.
