It is now clear beyond doubt: the Akira group and its ransomware attacked Südwestfalen-IT (South Westphalia IT) in October, paralyzing 70 to 100 municipalities. The service provider is now working through the attack and reveals that it all began with an attack on its VPN.
The attack on Südwestfalen-IT (SIT) began on October 30, 2023 and has kept those responsible busy ever since. According to SIT, it is still working through its action plan and wants to be back to normal operations by the end of Q1 2024. Some municipalities already report that they can work almost normally again.
Akira attack paralyzed the municipalities
The service provider SIT has now disclosed how the attack on the company took place. It all started with an attack via VPN. According to SIT, this is what happened: “Südwestfalen-IT noticed the first encrypted files in the night from Sunday, October 29, 2023 to Monday, October 30, 2023. The file extension .akira points to the ransomware group ‘Akira’.
The attackers gained access to the internal network via a software-based VPN solution with a zero-day vulnerability, which did not require multifactor authentication. How the required credentials were obtained could not be conclusively determined. According to the forensic report, a brute-force attack may have taken place. Security holes in intra.lan allowed the attackers to escalate their privileges up to domain administrator rights. The attackers' activities focused on the Windows domain intra.lan, which manages central systems and important specialist procedures for all Südwestfalen-IT customers. Other domains were not affected.”
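The report's finding of a VPN login without MFA whose credentials may have been brute-forced is exactly the pattern a gateway's authentication log would show in the days before the first file is encrypted. The following Python is an added example, not part of the SIT report or of this article, that looks for that pattern in constructed sample log lines (the log format, the user names, the documentation-range IPs and the timestamps are all assumptions). It raises a finding when one source IP accumulates many failures within a sliding window, and a second, more serious one when a success follows such a burst; a source that cycles through many user names with one failure each (password spraying) is caught by the same per-source counter.

```python
"""Flag VPN login brute force: many failures from one source, and a success
that follows them. Added example; log format and data are constructed and
are not taken from the Südwestfalen-IT forensic report."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of a hypothetical VPN gateway's auth log. IPs are from the
# documentation ranges, users and dates are made up.
SAMPLE_LOG = """
2023-10-27T22:01:03Z vpn[1122]: auth FAIL user=jsmith src=203.0.113.7
2023-10-27T22:01:21Z vpn[1122]: auth FAIL user=jsmith src=203.0.113.7
2023-10-27T22:01:44Z vpn[1122]: auth FAIL user=jsmith src=203.0.113.7
2023-10-27T22:02:05Z vpn[1122]: auth FAIL user=jsmith src=203.0.113.7
2023-10-27T22:02:30Z vpn[1122]: auth FAIL user=jsmith src=203.0.113.7
2023-10-27T22:03:02Z vpn[1122]: auth FAIL user=jsmith src=203.0.113.7
2023-10-27T22:03:33Z vpn[1122]: auth FAIL user=jsmith src=203.0.113.7
2023-10-27T22:04:10Z vpn[1122]: auth FAIL user=jsmith src=203.0.113.7
2023-10-27T22:04:41Z vpn[1122]: auth OK user=jsmith src=203.0.113.7
2023-10-27T22:07:10Z vpn[1122]: auth FAIL user=mmueller src=198.51.100.3
2023-10-27T22:07:30Z vpn[1122]: auth OK user=mmueller src=198.51.100.3
2023-10-27T22:10:00Z vpn[1122]: auth FAIL user=admin src=203.0.113.9
2023-10-27T22:10:05Z vpn[1122]: auth FAIL user=backup src=203.0.113.9
2023-10-27T22:10:10Z vpn[1122]: auth FAIL user=svc_sql src=203.0.113.9
2023-10-27T22:10:15Z vpn[1122]: auth FAIL user=helpdesk src=203.0.113.9
2023-10-27T22:10:20Z vpn[1122]: auth FAIL user=it_admin src=203.0.113.9
2023-10-27T22:10:25Z vpn[1122]: auth FAIL user=root src=203.0.113.9
"""

# Assumed line layout: ISO timestamp, process, result, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) vpn\[\d+\]: "
    r"auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Finding:
    kind: str       # "failure_burst" or "success_after_failures"
    src: str        # source IP the finding is about
    user: str       # user on the event that triggered the finding
    failures: int   # failures from src inside the window at that moment
    users: list     # distinct user names tried; many names means spraying


def parse_log(lines):
    """Yield parsed auth events in file order; lines in other formats are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            }


def detect_brute_force(lines, window_minutes=10, threshold=5):
    """Return findings in event order.

    failure_burst: a source reached `threshold` failures inside the sliding
    window (reported once per burst). success_after_failures: a login from that
    source succeeded while at least `threshold` failures were in the window,
    i.e. a guessed password was accepted. A success resets the source.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)  # src -> [(ts, user)] failures inside the window
    alerted = set()             # sources already reported for the current burst
    findings = []
    for ev in parse_log(lines):
        src = ev["src"]
        cutoff = ev["ts"] - window
        recent[src] = [(t, u) for t, u in recent[src] if t >= cutoff]
        if ev["result"] == "FAIL":
            recent[src].append((ev["ts"], ev["user"]))
            if len(recent[src]) >= threshold and src not in alerted:
                alerted.add(src)
                findings.append(Finding("failure_burst", src, ev["user"],
                                        len(recent[src]),
                                        sorted({u for _, u in recent[src]})))
        else:
            if len(recent[src]) >= threshold:
                findings.append(Finding("success_after_failures", src, ev["user"],
                                        len(recent[src]),
                                        sorted({u for _, u in recent[src]})))
            recent[src].clear()
            alerted.discard(src)
    return findings


if __name__ == "__main__":
    for f in detect_brute_force(SAMPLE_LOG.strip().splitlines()):
        print(f"{f.kind:24} src={f.src:14} failures={f.failures:2} users={f.users}")
```

On the constructed log this yields three findings: a burst and then a success after eight failures from 203.0.113.7 (the single-account guessing the report considers possible), a burst from 203.0.113.9 that tries a different user name each time (spraying, no success yet), and nothing for 198.51.100.3, whose one typo followed by a success is normal user behaviour. The success_after_failures finding is the one to page on: with MFA in place that success could not have happened with a password alone.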
Quick response prevented spread
According to its own account, Südwestfalen-IT contained the attack by immediately shutting down and isolating the affected systems. External, BSI-certified cyber security experts were commissioned straight away to carry out the forensic investigation and rebuild the infrastructure. “The fact is that the data center was not able to fend off the attack,” said association director Theo Melcher. “The findings from the forensic report will now be used to further strengthen the security of the IT systems in all network areas and domains. At the same time, the forensic report can help others learn from the incident at Südwestfalen-IT. The transparency we create by publishing the report benefits everyone.”
No evidence of data leakage
During the intensive forensic investigation by the commissioned cyber security experts and continuous monitoring of the dark web with specialized software, no evidence of data exfiltration or data publication was found. Südwestfalen-IT's data backups are intact and are gradually being made available to the municipalities again.
The current case shows that a VPN granting network-level access without MFA should be a thing of the past at a provider of this size. Zero Trust Network Access (ZTNA), which authenticates each user and device per application instead of admitting them to the internal network, addresses that weakness. It must also be said, however, that a zero-day vulnerability in the VPN software was part of Akira's entry, and no access architecture protects against an unknown flaw in the gateway itself; what MFA on the VPN would have done is make a brute-forced password insufficient on its own.
Akira's leak site shows no entry for Südwestfalen-IT (SIT), neither in its list of current victims nor in its list of published data. SIT could therefore be right that no data was leaked.
Editor/sel