Germany's first cyber disaster - District of Anhalt-Bitterfeld

July 20, 2023

On 13 July, the second episode of the podcast series "You are fucked", entitled "The broken vase", was released. In it, suresecure GmbH is mentioned by name several times. Among other things, it also mentions that we did not wish to comment on this incident at the request of Mitteldeutscher Rundfunk.

This is absolutely correct, and we will continue not to provide any details that could reveal conclusions about the IT infrastructure and thus potentially jeopardise the security of the district. We are contractually obliged to do so and consider this a matter of course when dealing with sensitive information. As a provider of incident management services, we take the security of our partners very seriously and protect information from these incidents with particular care.

A change of times has taken place in IT, and even public institutions cannot ignore it. Now that attacks on private companies, critical infrastructures and federal political institutions have been public knowledge for years, it was foreseeable that local authorities and cities would also become targets.

This is why it is all the more important that initiatives such as BSI-Grundschutz, NIS2 and the IT Security Act 2.0 are in place. All administrations and institutions in the public sector should fulfil the minimum requirements in the area of IT security. This includes, among other things, minimum requirements for emergency management, covering not only technical aspects, such as the early detection of anomalies, but above all organisational aspects, such as the rapid formation of a crisis team and the description of processes.

Counties and administrations are institutions that help to maintain public order, process and store sensitive and personal information and interact with the everyday lives of citizens. This requires a willingness on the part of leadership to rethink and adapt. The changing times had evidently not fully arrived in the district of Anhalt-Bitterfeld: organisationally, mentally and also technically.

The following conditions should be met in order to prepare for cyber-related crisis management:

  • Prepare a crisis management team with decision-makers and key personnel

  • Establish an emergency plan for security incidents, cyber crises and disasters caused by IT attacks

  • Conduct crisis drills

  • Contractually secure response times and daily rates with external service providers

  • Set up the IT infrastructure in accordance with current best practices

  • Perform backups and define a backup strategy

  • Protect sensitive and personal information in separate network areas

  • As a minimum requirement, introduce basic protection (IT-Grundschutz) according to BSI specifications

  • Distribute administrative rights according to an administration concept

  • Establish centralised logging and logging rules

  • Use a SIEM solution or a security operations centre

We are aware of our task and our responsibility in incident management. Information security is not a game, but an important building block for securing companies, jobs and lives. This is also why the IT manager says: "[...] they were good, that was military" (quote from Oliver Rumpf, IT manager for the district of Anhalt-Bitterfeld).

In our collaboration with the district of Anhalt-Bitterfeld, we therefore not only proactively reduced our regular hourly rate, even though there was no prior contractual relationship, but also provided a total cost estimate for restoring the functionality of the infrastructure on the second day of our deployment.

These service providers, I have to take up the cudgels for them, of course they are expensive, but they also jump and you don't get that for free. They get qualified, they prove it and in that respect - sometimes you have to pay something for good service.

Head of the Operational Cyber Security Department at the BSI

The only thing missing was the order to put the district back into a productive state within 4-6 weeks. After this failed to materialise and we continued our work anyway, we were given an ultimatum, which we communicated to the crisis team. The district allowed this to pass without comment - there was only one text message, which gave us a hint: "Clear the field and hand over your work".

We shared all forensic findings with the district's crisis management team on a daily basis and also passed them on to the responsible state criminal investigation department and BSI in coordination. An initial forensic report was sent in writing after just three days. We support the fact that the BSI recognises the lack of preparation on the part of districts and municipalities and recommends developing solutions in advance instead of being forced to act by external influences.

If you have any questions in this context, please contact the press office (presse@suresecure.de)

Michael Döhmen

Marketing & IT-Security Enthusiast

Published on 17.05.2025