From IT security incident to successful pentest: the joint path of Scheidt and SySS

Security incident, hacker attack and solutions - tips for other companies

At the end of October 2024, Scheidt GmbH & Co. KG fell victim to a hacker attack and had to rebuild its entire IT environment. SySS GmbH supported Scheidt from the outset, first with incident response and then with advice on the reconstruction. Finally, in a major pentest in February 2025, SySS was able to confirm that Scheidt had reached a good level of security.
What had happened? And what steps had to be taken along the way? In this interview, Thomas Markloff (IT Forensic Consultant, SySS) and Julian Gruber-Roët (Senior IT Security Consultant, SySS) look back on the eventful weeks and busy months together with Alejandro von Fersen and Harald Schweitzer from Scheidt IT, and give other companies tips on how they can prevent the worst from happening in an emergency.

From hacker attack to tested security - in just a few months.
Thomas Markloff (IT Forensic Consultant, SySS)
Julian Gruber-Roët (Senior IT Security Consultant, SySS)
Alejandro von Fersen (IT, Scheidt)
Harald Schweitzer (IT, Scheidt)

Beginning of November 2024: „There are certain things you never forget.“

On the Saturday of a long weekend, the Scheidt IT team led by Alejandro von Fersen and Harald Schweitzer is working on its systems with an external partner to get another system up and running. Suddenly, the remote technician asks: „Why did you shut down the server?“ When the answer is „I didn't,“ it quickly becomes clear that there is another party in the network. This is also apparent from the fact that files are being renamed, unwanted and unauthorised. Alejandro von Fersen immediately travels to the company and disconnects the Internet connection. „That was peace and quiet for the time being.“ However, the entire company is now offline, with all online activities taking place via a mobile phone hotspot.
On the same day, he informs Scheidt's management that „we are the victim of a hacker attack“. Managing Director Georgine Scheidt acts quickly and organises IT forensic experts. She comes across SySS through recommendations. Contacting SySS is straightforward, and IT forensic consultant Thomas Markloff makes an initial appointment possible directly on the Sunday.

Early to mid-November 2024: the incident response or: What is a „car wash“ doing here?

There are many questions at the beginning. Those affected want to know: What is broken? What is still available? What is not available? „It was all written in the stars,“ Alejandro and Harald remember.
The first thing an incident responder wants to establish is the basic picture: What happened? When did it happen? How did it happen? Who and what is affected? What has been done so far? Thomas uses these questions to gain an initial overview and to derive the necessary first measures. A list of priorities and to-dos is quickly drawn up. Among other things, it includes:

  • Check which backups are available
  • Set up the car wash
  • Rotate passwords
  • Create images
  • Determine how emergency operation is to be set up

At the top of the list is also: „Back up what data is still there and available on data storage media.“
The encryption process had already started and one system was already fully encrypted. However, the databases containing the company's important information were not encrypted. In retrospect, the weekend work was a stroke of luck for Scheidt GmbH & Co. KG. „We were fortunate that we were able to access it at all, because we realised it in time. If the attackers had finished, we would never have reached the systems and data,“ says Alejandro. And Harald is certain: „If we had arrived at the company on Monday, it would have been too late.“ From his experience as a responder, Thomas can clearly confirm that attackers look very closely at the business hours of their victims. They initially carry out reconnaissance during business hours, and the malware is then often rolled out at the weekend. „The initial attack usually comes on a weekend. Public holidays or holiday periods are very, very popular.“
The second day of the incident response is a working day. Together, Alejandro and Thomas take care of Scheidt's reporting obligations, the notifications and the data protection report, and provide the relevant information for stakeholder communication.


Scheidt also buys lots of hard drives. And then comes the car wash. „Under the guidance of Thomas and his colleagues, we set up a so-called ‚car wash‘ in which the data that we backed up was scanned once to see if anything was compromised or contained macros or other malicious code.“ Only once this has been ruled out is the data released and used for recovery.
Everything goes very quickly. The car wash is up and running after just one week and is busy scanning. Meanwhile, Scheidt decides to completely rebuild its network. Thomas draws up a specification sheet for a new Active Directory. He is convinced: „An incident is always an opportunity.“ And this is where the next lucky coincidence after the weekend work comes in: Scheidt was in the process of reorganising parts of its network infrastructure anyway. The attackers were faster, but Scheidt could draw on resources that were already in place. „We had new servers, we had new switches - we had everything we needed. We were able to get started immediately.“ By the second week after the security incident, the first servers were up and running in a new, „sanitised“ network.
All of this is planned, supported and reviewed by the SySS responders, initially in daily meetings, then in exchange meetings twice a week and finally in weekly meetings. In the first few weeks, Thomas is available around the clock by phone for Alejandro and his team.
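The „car wash“ gate described above, as an added illustration that is not SySS's or Scheidt's own tooling: recovered files are hashed for the audit trail, Office Open XML files are opened as zip archives and checked for the VBA macro container (vbaProject.bin), and only files positively classified as clean reach the release list. Corrupt archives and file types this example does not inspect are held rather than released. The sample files, names and extension list are constructed for the example.

```python
import hashlib
import io
import zipfile

OOXML_EXTS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm")


def classify_ooxml(data: bytes) -> str:
    """Return 'clean', 'macro' or 'unreadable' for one OOXML payload."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "unreadable"          # corrupt or not really OOXML: never auto-release
    # vbaProject.bin is the VBA macro container inside the OOXML zip
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro"
    return "clean"


def triage_file(name: str, data: bytes) -> dict:
    """One manifest row: hash for audit, verdict, and whether it may be released."""
    if name.lower().endswith(OOXML_EXTS):
        verdict = classify_ooxml(data)
    else:
        verdict = "unscanned"        # other types need their own scanner; hold them
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
            "verdict": verdict, "release": verdict == "clean"}


def run_car_wash(files: dict) -> dict:
    """Triage a name->bytes mapping; only positively cleared files are released."""
    rows = [triage_file(n, d) for n, d in files.items()]
    return {"release": [r["name"] for r in rows if r["release"]],
            "hold": sorted(r["name"] for r in rows if not r["release"]),
            "manifest": rows}


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like zip used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE header bytes
    return buf.getvalue()


# Constructed sample backup set: one clean file, one with macros, one corrupt, one other
SAMPLES = {"offer.docx": build_sample(False), "invoice.docm": build_sample(True),
           "broken.xlsx": b"not a zip", "notes.txt": b"plain text"}
```

In a real car wash this check sits next to an antivirus engine and legacy-format (OLE) inspection; the point shown here is the gate logic, release only what has been positively cleared and keep a hash manifest of every decision.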


The incident response takes about three weeks. When is an incident response actually considered complete? „When the customer is back on their own two feet, can complete tasks themselves and no longer requires permanent availability,“ explains Thomas.
In Scheidt's case, this means that the company is back up and running within four weeks. „We were able to produce, deliver, send out quotations and order confirmations, write invoices, etc.,“ says Mr Scheidt. „This was very well received by the customers. The public perception was ‚We're back‘ after a very short time!“

End of December 2024 and February 2025: the „emergency pentest“ and the „big pentest“ or: „Stay awake, boys! Stay awake!“

Once this point has been reached and the new network has been set up, SySS proposes a kind of „emergency pentest“. The aim is to check whether the newly established network meets current security standards, because it should be possible to put it into operation safely. The test is carried out by SySS consultant Julian Gruber-Roët, who is not yet familiar with the case. Such an emergency pentest is less extensive than a normal test of an internal network. Above all, Julian checks for „the big errors, i.e. the low-hanging fruits for attackers. These are usually major vulnerabilities with major consequences that are caused by small configuration errors.“ In fact, Julian finds just such a vulnerability: an error in the default configuration of a certificate authority (CA) that could potentially allow attackers to take over the entire network. For Alejandro, Harald and the others, adjusting the configuration is a small matter, but the security gain and the learning effect are huge.
Julian's task is also to evaluate the concept so that Alejandro and his team can make adjustments before everything goes into implementation. Despite the consultation and the interim pentest, IT manager Alejandro is still nervous about the subsequent „big pentest“. „The biggest enemy is time pressure,“ he says. „It can happen that you do something in a hurry whose consequences you couldn't foresee.“ Just like with the certificates. He is certain that an external perspective provides a view that is often lacking internally and shows consequences that you don't see yourself. „When you are shown what attackers can do, it can be frightening, but it also opens your eyes to say: ‚Stay awake, guys! Stay awake!‘“ Scheidt, summarises Alejandro, „was definitely able to benefit from the pentest, especially because you can still change something. I can't change anything in a real attack. Then it's too late.“

A year later: „Once you've had a fall, you realise the advantages of a helmet.“

During our conversation a year later, we realise that a lot has happened in terms of IT security awareness, especially among employees. Thomas is enthusiastic about the high level of acceptance of strong passwords at Scheidt; he has seen it go very differently elsewhere. Harald reports that he still regularly receives enquiries about whether emails and the like can be opened. „Colleagues are highly sensitive,“ he observes.
A year later, Scheidt is in a better position than before the incident, both technically and organisationally. When asked what part SySS played in this, Alejandro replies: „Without the help of SySS, it would certainly have taken us longer. Just the conceptual work, the security considerations and best practices: that would have taken ages. SySS's collaboration was worth its weight in gold.“
