Serious hacker attack on South Westphalia IT paralyses more than 70 municipalities
by Tina Siering
The BSI warns: the risk of cyberattacks on local authorities will increase
The Akira cyberattack on SIT was one of the most serious attacks on the public sector in Germany - but by no means an isolated incident. On the contrary: as Cologne public prosecutor Christoph Hebbecker, a member of the central cybercrime unit ZAC NRW, told the Rheinische Post, hardly a day goes by without ZAC NRW having to open an investigation into a ransomware attack. Companies from all sectors are under attack, and so are universities, hospitals, educational institutions and law firms. The latest BSI situation report states that cyber criminals are following a trend, namely the path of least resistance: they prefer victims that are easy to attack. In other words, organisations that are unable to adequately secure their IT systems are the ones hackers target.
The damage caused by cyber attacks is immense. In the last 12 months, German companies alone have suffered losses totalling 148 billion euros. This does not include the damage caused to citizens by cyberattacks on public institutions. In the worst case scenario, a cyber attack can even pose a threat to life and limb if, for example, critical infrastructure such as hospitals or energy suppliers have to stop working. It cannot be assumed that the danger will decrease. On the contrary, security experts around the world expect the threat level to increase significantly in the near future.
Following a serious attack with ransomware on the municipal IT service provider Südwestfalen-IT, administrations in more than 70 cities, districts and municipalities in North Rhine-Westphalia are largely paralysed. Registering cars, applying for ID cards or a birth certificate - many everyday processes are currently not possible for the citizens of NRW. Payment of a ransom has been refused in consultation with the affected municipalities and investigations are ongoing.
At the end of October 2023, the new but highly active hacker group "Akira" carried out a headline-making cyberattack on the IT service provider Südwestfalen-IT (SIT). According to the German press agency DPA, a confidential report from the Ministry of the Interior to the state parliament revealed that the hackers succeeded in encrypting the servers of Südwestfalen-IT. The ransomware attack made a shutdown of the systems unavoidable. As SIT operates as a municipal IT service provider, the attack did not "only" affect one company - rather, a total of 74 municipalities in Germany's most populous federal state have suffered considerable restrictions. The attack has hit municipalities in southern and eastern North Rhine-Westphalia particularly hard, with the most drastic restrictions reported in the districts of Siegen-Wittgenstein and Olpe. Numerous citizens' offices had to cease operations and digital administrative processes were switched to paper as an "emergency workaround". Even a few weeks after the attack, many services can still only be offered to a limited extent, and the impact on the citizens of the state is immense.
What is known about the hacker collective "Akira"
The criminal cyber organisation "Akira" was first observed by security experts in March 2023 and is therefore considered a fairly new ransomware group. Akira relies on the ransomware-as-a-service model, i.e. it uses tools and services provided by other cybercriminals in return for monthly subscription fees. Akira specialises in infiltrating IT systems, exfiltrating data and encrypting applications. The group then demands a ransom; in the case of the attack on SIT, the amount is not yet known. If the ransom is not paid, the data and the names of the affected companies are published on Akira's leak page on the darknet. According to the Akira site, the group has compromised around 63 companies and organisations since March, the majority of them small and medium-sized enterprises.
It is not only Akira's approach that is strongly reminiscent of the feared but now disbanded cybercrime group Conti: IT security experts have found that the ransomware used by Akira shares functions with that of the Conti group. In addition, Akira, like Conti before it, uses the ChaCha stream cipher to encrypt the data on compromised systems. It stands to reason that some former Conti members have joined other RaaS groups - possibly including Akira.
No contact with the Akira hacker group
In an interview with the Rheinische Post, public prosecutor Hebbecker said that there is currently "no contact with the perpetrator group" and that there are also "no negotiations about a ransom". It is unlikely that the perpetrators behind the ransomware attack will be identified or even arrested. Law enforcement authorities rarely succeed in tracking down the cyber criminals.