German Government Pushes More Offensive Cyber Response Amid Ongoing Public-Sector Disruptions
Germany’s federal government signaled a shift toward a more offensive posture in response to cyberattacks. Interior Minister Alexander Dobrindt said Germany intends to “strike back,” including actions abroad to disrupt attackers and destroy their infrastructure, with operations to be carried out jointly by intelligence services and the Bundeskriminalamt (BKA). The Interior Ministry also plans a new defense center for hybrid threats, prepared by the domestic intelligence service, to improve coordination across government levels; Dobrindt framed the move as a response to persistent attacks on institutions, critical infrastructure, and companies, often attributed to groups linked to state services (including Russia).
Separately, the Staatliche Kunstsammlungen Dresden (a network of 15 museums) reported continued operational impacts from a cyberattack, with museums remaining open but key services still impaired, including online ticketing, card payments on-site, the online shop, and visitor services. Police and the state criminal office initiated investigations, and the Dresden public prosecutor indicated the case may be handled by Saxony’s specialized cybercrime unit (ZCS). The UK government’s discussion of building a digital ID system in-house is policy/technology governance reporting and does not describe a specific cyber incident or vulnerability tied to the German developments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
German interior minister announces more offensive cyber response plans
Interior Minister Alexander Dobrindt said Germany intends to respond more aggressively to cyberattacks, including disrupting attackers and destroying their infrastructure abroad. He also said a new defense center against hybrid threats is being prepared by the BfV and is expected to begin work later in 2026.
Cyberattack continues to disrupt Dresden State Art Collections
The Staatliche Kunstsammlungen Dresden reported ongoing operational restrictions from a cyberattack affecting the museum institution. The incident was publicly reported as still limiting operations by January 23, 2026.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cyberattacks Disrupt German Public and Cultural Services
Germany’s Dresden State Art Collections (**SKD**) reported a targeted cyberattack that disrupted large parts of its digital infrastructure, leaving online ticketing, visitor services, and the museum shop unavailable and forcing on-site payments to cash-only. The museums remained open, and Saxony’s culture ministry said security systems protecting the collections were not affected; the attacker, motive, and whether a ransom demand was involved were not disclosed, and full restoration timelines were unclear. Separately, multiple German organizations reported **ransomware** incidents causing service outages. The Verkehrsgesellschaft Main-Tauber (**VGMT**) said attackers encrypted its servers and data, forcing closure of its office and mobility center and cutting phone/email availability; it remains unclear whether data was stolen. Regensburg-based IT service provider **Conceptnet** said threat actors gained access around 13 January 2026 and encrypted core systems including web and email servers, disrupting websites for customers (including REWAG, Stadtwerk Regensburg, and SSV Jahn Regensburg) while external forensics and recovery efforts continue and temporary websites have been stood up to maintain limited customer presence online.
Mar 21, 2026
German and Ukrainian actions expand cyber operations: BND surveillance powers and a ransomware disruption
German lawmakers are advancing draft legislation to significantly expand the Bundesnachrichtendienst’s (**BND**) hacking and surveillance authorities, including intercepting full internet communications (not just metadata), retaining collected data for up to six months, and extending the agency’s offensive mandate to hack foreign internet service providers to obtain target information when companies do not cooperate. Reporting indicates the proposal is partly aimed at reducing reliance on the US **NSA** for threat intelligence and bringing Germany’s capabilities in line with other European services; it would also broaden who can be surveilled, including foreigners inside Germany and certain journalists tied to foreign state-run media, and would enable intrusive operations such as deploying a “federal trojan.” Separately, Ukrainian and German law enforcement reported disrupting a Russian-affiliated ransomware operation, identifying and searching two suspects in Ukraine alleged to have served as “hash cracker” specialists who extracted/cracked password hashes, used stolen credentials for lateral movement and privilege escalation, and supported ransomware deployment and data exfiltration for extortion. Authorities seized digital devices and cryptocurrency assets and said an alleged Russian organizer has been identified, with foreign partners suggesting possible links to the **Conti** ransomware ecosystem. A third item—a *Citizen Lab* job posting—does not report a specific incident and is primarily recruitment content, despite referencing prior research on targeted phishing and spyware threats.
Mar 21, 2026
German Government Accuses Russia of Cyberattack and Election Disinformation
Germany publicly accused Russia of orchestrating a cyberattack against Deutsche Flugsicherung, the state-owned air traffic control authority, and conducting a coordinated disinformation campaign aimed at influencing the upcoming federal election. The German Foreign Ministry stated it had clear evidence linking the August 2024 cyberattack to APT28 (Fancy Bear), a group associated with Russia’s GRU military intelligence, and attributed the election interference to the Storm 1516 threat actor. In response, Germany summoned the Russian ambassador, announced plans for countermeasures in coordination with EU partners, and supported new sanctions targeting those involved in hybrid attacks. The Russian embassy has denied the allegations, while European officials have warned of a broader campaign of Russian cyber operations targeting critical infrastructure and political processes across the continent. These developments come amid heightened concern over nation-state cyber threats in Europe, with both France and Germany reporting recent attacks attributed to foreign actors. The French Ministry of Interior is investigating a suspected nation-state breach of its email servers, though details remain limited. European authorities have documented a surge in nation-state-backed cyberattacks, with the EU Agency for Cybersecurity reporting 46 such incidents between July 2024 and July 2025. Officials across Europe have condemned Russia’s use of hybrid tactics, including cyberattacks and disinformation, as part of a broader strategy to destabilize Western democracies.
Mar 21, 2026