Avoidable worst case? First cyber disaster in Germany due to attack on KRITIS
by Svenja Koch
The Anhalt-Bitterfeld district reported the first cyber disaster in Germany. A cyber attack paralyzed the entire IT infrastructure. For experts in the field of IT security, the report from the Anhalt-Bitterfeld district comes as no surprise. The district's network was the target of a large-scale cyber attack. Security experts have been warning of such a cyber disaster in Germany for some time.
The immediate impact of the cyber attack on the Anhalt-Bitterfeld district
On Friday, July 9, 2021, the Anhalt-Bitterfeld district made public a cyberattack on its own infrastructure and at the same time declared the first cyber disaster in Germany. According to the district administration, the attack began on Tuesday, July 6. Public administration for the approximately 157,000 residents of the Anhalt-Bitterfeld district has been partially interrupted since then, and officials say it will take at least two weeks before all services are operational again. Numerous services provided by the district have been unavailable in the meantime. For example, the payment of social and youth welfare benefits has been interrupted. The same applies to the vehicle registration office, so the district is currently not processing new registrations. The district has also not answered e-mail inquiries since the cyberattack began.
The attackers have since sent a ransom note to the administration. In return for payment of an unknown sum, the criminals promise to release the data again. This approach is common in cyberattacks with ransomware.
This is what is known about the methods of the cyberattack
Due to the current situation and ongoing investigations, there is little reliable information about the extent of the cyberattack. What is certain is that the attackers used ransomware. This malware compromised the district's network and encrypted data on an unknown scale; several of the administration's servers are affected. How the attackers gained access to the systems in order to encrypt them is also not yet clear. It is suspected that the criminals exploited a Windows security vulnerability that has been known since the beginning of July and has since been closed by Microsoft with a patch. Who is behind the attack is likewise not yet known.
The district's direct response to the cyberattack
After the district declared the cyber disaster, those responsible disconnected all systems from the network. In this way, the IT security team is attempting to prevent the malware from spreading further in the internal network and to cut off the attackers' access to the data.
Those responsible in the Anhalt-Bitterfeld district also informed the Federal Office for Information Security (BSI). The BSI is actively involved in the investigation of the cyber attack and has IT security experts on site, whose main task is to find the source of the infection and analyze the attack. For the BSI, too, a declared cyber disaster in Germany is new territory, although the federal agency has already been involved in similar cyber attacks on CRITIS.
District Administrator Andy Grabner (CDU) told the media that a team of about 50 to 100 people is working to provide new computer systems for the administration. The IT staff is preparing these systems on a makeshift basis so that the administration can resume work as soon as possible. In parallel, the district is working to restore the data. Apparently no backups are available, or at least some of them were compromised in the cyber attack, because the district is dependent on the help of other offices: the registration office, for example, obtains its data from the Federal Motor Transport Authority. In addition, the administration is resorting to paper files to recover information.
Reasons for gaps in IT security at local authorities
Experts in the field of IT security have been pointing out for some time that local authorities in particular have a huge backlog of IT infrastructure problems. While large corporations and the federal government have invested in IT security, local governments often lack the financial resources to do so. This opens the door to cyber threats, which then lead to incidents like the one that has now occurred in the Anhalt-Bitterfeld district.
The serious differences can be seen in practical examples and the legal requirements. The BSI has its own cyber defense center. This specializes in defending against cyber threats and continuously monitors the systems of the federal administration. For companies and organizations that are assigned to the CRITIS sector, there are legal requirements such as the IT Security Act. This sets minimum standards for IT security and also requires companies to prove that they have implemented the requirements via audits and certifications.
Local authorities are responsible for their own IT. As a result, there are no uniform standards, and the IT department is often understaffed. The situation is similar in the SME sector. This leads to IT security weaknesses, where even temporary delays, such as the late application of a security update, have serious consequences.
Cyber attacks on CRITIS increase dramatically
With the attack on the systems of the Anhalt-Bitterfeld district, a cyber disaster in Germany has become reality for the first time, but this is not the first attack on the CRITIS sector.
For example, the cyberattack in May 2021 on Colonial Pipeline, the operator of a U.S. pipeline along the East Coast, caused a stir. At first glance, a pipeline does not seem like a target that is vulnerable to a cyberattack. However, digitization means that a failure of the computer systems renders the pipeline unusable. After several days of outage, the pressure on the operator increased as more and more gas stations on the U.S. East Coast were unable to meet the demand for gasoline and diesel. The Colonial Pipeline case illustrates well the impact of such cyberattacks on the CRITIS sector. The pipeline transports about 45 percent of the U.S. East Coast's fuel needs from south to north, and about 50 million Americans depend on it. The U.S. military and airlines such as American Airlines were also affected; the airline diverted some flights for refueling. At gas stations, prices for gasoline and diesel rose, and even the world market price for crude oil increased.
In the end, the operator had no choice and paid the demanded ransom to the cybercriminals. This, too, was an attack using the DarkSide ransomware, which encrypted the company's files. Colonial Pipeline paid around five million US dollars to obtain the key for the data from the criminals. This made it possible to restore the services and get the pipeline back into operation.
Attacks on the CRITIS sector are also on the rise in Germany. In September 2020, the Düsseldorf University Hospital was attacked. Once again using ransomware, the attackers managed to compromise around 30 servers and encrypt the data. It took several weeks for the IT department to restore all systems.
The rapidly increasing danger from cyber threats is also linked to a change in cybercriminals' strategy. The "ransomware-as-a-service" model has now become established: the developers of this complex malware no longer carry out specific attacks themselves but rent out their software, similar to the principle of cloud services such as "software-as-a-service". Thus even low-skilled cybercriminals have access to highly sophisticated ransomware and use it for financial gain through extortion. In the near future, this means that cyber threats will be an everyday danger. The CRITIS sector is particularly affected, firstly because of the aforementioned weaknesses in IT security that exist in parts of these organizations, and secondly because of the enormous importance of critical infrastructure. Failures in the CRITIS sector quickly threaten the economy and public life, and it is only a matter of time before the next cyber disaster is declared in Germany.
Consequences of successful cyberattacks for your own company
The consequences of successful cyberattacks are momentous. Especially in targeted attacks with ransomware, the criminals make a point of compromising all data, servers and also the backup copies. This is why there is always a complete loss of the IT infrastructure, which entails weeks of work during which operations come to a standstill while IT tries to rebuild a workable environment.
In addition, under the IT Security Act 2.0 and the EU GDPR (DSGVO), cyber attacks are reportable events. Violations by CRITIS operators are punishable under these regulations with fines of up to 20 million euros or four percent of annual turnover. So in addition to serious IT outages and lost revenue from interrupted work, there is also the threat of severe penalties.
How can such cyberattacks be prevented?
Cyber attacks like the one in the Anhalt-Bitterfeld district succeed primarily because IT security has gaps and operates according to outdated principles. Far too often, organizations rely on passive systems instead of actively looking for cyber threats in their own networks. Classic defense measures include antivirus scanners or a firewall, for example. However, if these fail, there is no further protection against attackers. Antivirus programs in particular only detect known cyber threats; sophisticated malware, such as that used in targeted attacks on CRITIS facilities, is usually not detected. The attackers then even have time to move around the network undetected and position the ransomware.
This is precisely where active technologies such as Active Cyber Defense come in. With this service, it is possible to detect the activities of unauthorized persons in networks at an early stage, for example connections to a C&C server, which cybercriminals use to control their malware. In this way, the ACD service detects attacks in their first phase so that countermeasures can be taken before damage is done. Such an implementation is completed in a matter of days and requires no local installation. Companies assigned to the KRITIS sector must, by law, implement such a system for the active detection of cyberattacks by the beginning of May 2023 at the latest.
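To make the early-detection idea concrete, here is an added example (not part of the original article and not the ACD service's own code) of one common heuristic for spotting C&C traffic: a host that contacts the same external destination at nearly constant intervals, i.e. beaconing. The log format and all addresses are constructed for the example; the thresholds are assumptions a defender would tune for their own network.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample lines in a simple "unix_ts src_ip dst_ip:port" firewall/proxy format.
# 10.0.5.21 checks in with 203.0.113.77 exactly every 60 s (beacon-like);
# 10.0.5.40 talks to 198.51.100.9 at irregular, human-looking intervals.
SAMPLE_LOG = """\
1625550000 10.0.5.21 203.0.113.77:443
1625550010 10.0.5.21 198.51.100.9:443
1625550060 10.0.5.21 203.0.113.77:443
1625550120 10.0.5.21 203.0.113.77:443
1625550180 10.0.5.21 203.0.113.77:443
1625550240 10.0.5.21 203.0.113.77:443
1625550300 10.0.5.21 203.0.113.77:443
1625550033 10.0.5.40 198.51.100.9:443
1625550190 10.0.5.40 198.51.100.9:443
1625551900 10.0.5.40 198.51.100.9:443
1625552005 10.0.5.40 198.51.100.9:443
1625553800 10.0.5.40 198.51.100.9:443
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+):(\d+)$")

def parse_flows(log):
    """Group connection timestamps by (src, dst, port); skip malformed lines."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port = m.groups()
        flows[(src, dst, int(port))].append(int(ts))
    return flows

def find_beacons(log, min_conns=5, max_jitter=0.2):
    """Return (src, dst, port, mean_interval_s) for flows with at least
    min_conns connections whose inter-connection gaps vary by no more than
    max_jitter (coefficient of variation = stddev / mean)."""
    hits = []
    for (src, dst, port), stamps in parse_flows(log).items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, port, float(avg)))
    return hits
```

In practice the hits feed an analyst queue rather than an automatic block, because legitimate software (update checks, monitoring agents) also beacons; an allowlist of known destinations and a look at the flagged host's process list are the usual next steps.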
The case in the Anhalt-Bitterfeld district made headlines and dominated the media for a few days. In some cases this will bring about changes in IT security, and individual companies will temporarily shift their focus to cyber threats. Presumably, however, the topic will be forgotten again too quickly - until the next cyber disaster is triggered in Germany. Responsible parties and decision-makers in organizations should not underestimate the current threat situation - especially in the CRITIS sector. This makes it all the more important to take appropriate proactive defensive measures in IT security now, and to act quickly so that the next cyber disaster in Germany does not affect one's own company.