Information on the cyber attack on PSI

 

March 28, 2024

Cyber attack on PSI - Update

Review and modernization of the IT infrastructure

Following the criminal cyberattack on February 14, 2024, PSI's IT systems and network infrastructure were extensively checked, specifically modernized and equipped with additional security features to ensure a secure and rapid restart. All clients, servers and virtual systems were initially checked and then examined for malware in an additional, multi-stage and highly sensitive process. PSI was supported in this process by a certified external service provider recommended by the German Federal Office for Information Security (BSI), which has extensive experience in the field of incident response and IT forensics.

New infrastructure put into operation

The central basic services were successfully restored and put back into operation in the new infrastructure, which has been tested and classified as secure. We are currently working in all business units to integrate the servers and clients that have been tested, approved and equipped with additional security features into the new PSI network.

Restart of operations

Some of our business units are now in a position to offer our customers a restart of operations and are already in contact with them. As part of these restart activities, our employees will now get access to the usual mail system again. Nevertheless, you will still be able to reach us via the interim mail system.

 

March 7, 2024

Cyber attack on PSI - Update

Analysis of all PSI IT assets

Following initial checks of all laptops, these and all PSI computers have been scanned for malware in a further, multi-stage and highly sensitive process since Friday, February 23, 2024. We continue to be supported in this by a certified service provider recommended by the German Federal Office for Information Security (BSI). The scan of the laptops and PC clients is now largely complete, so we will now concentrate on examining all other computers. The laptops and computers classified as secure will gradually regain access to the restored parts of the basic infrastructure following the introduction of an extended security solution.

Restart of the IT systems has begun

We are currently working at full speed to have parts of the PSI infrastructure that were not directly affected by the malware due to special security measures checked by our IT forensics service provider and to make them available again for customer support as soon as possible. Your account manager will keep you actively informed of further progress. In other areas, we are working on the secure commissioning of the infrastructure so that our employees will soon have access to the most important basic services again. Limited operations have already been resumed in the first areas and will be expanded step by step. Our aim is to provide you, our customers, with the usual services again as quickly as possible. In the meantime, you can still reach us via the interim mail system.

Progress of the forensic investigation

The forensic investigation is still ongoing due to the size of the IT environment and the number of systems to be investigated. The focus is currently on the investigation and subsequent release of the IT systems so that they can be used again as quickly as possible. At the same time, information regarding the initial attack vector and the compromise is being collected and evaluated. We will inform you here as soon as we have new information about the incident.

 

February 27, 2024

Cyber attack on PSI - Update

Current status and next steps

The restart of the internal IT systems is continuing. In the meantime, our internal IT department has been able to restore parts of the basic infrastructure together with our external IT security service provider. As soon as the remaining core systems have also been restarted, the IT systems will be restored based on a previously defined prioritization.

In addition, all systems that are not obviously affected by the malware are promptly checked for compromise by our IT forensics service provider. If no compromise by the attackers is detected, these systems will be released by our IT department and put back into operation. We are therefore confident that we will soon be able to provide the systems that are particularly relevant for our customers.

Notes on the interim e-mail system

In addition to the restart of our own IT systems, an interim e-mail system is now available. All PSI employees are currently being given a new e-mail account and can then be contacted again in writing by our customers.

In the course of this, we would like to draw your attention once again to the potential threat of phishing emails following a cyber attack. This also applies if they are based on previous e-mail correspondence.

Since Friday, February 23, 2024, all PSI laptops and computers have been examined for malware in a structured process. As soon as the investigations have been completed, it will be ensured that file attachments in our employees' emails no longer pose an increased risk and that they are as secure as they were before the incident.

We will keep you informed here about further progress in rebuilding the IT systems.

 

February 22, 2024

Cyber attack on PSI - Update

PSI Software SE has become the target of a ransomware attack. Ransomware attacks are cyberattacks in which attackers gain unauthorized access to the IT infrastructure and then encrypt parts of the IT systems and data using special software. At this stage, our internal IT systems are affected by the attack. Our IT department became aware of the incident during the night of February 14, 2024 to February 15, 2024 due to unusual activity in our network. In response to the attack, all external connections were disconnected during the night and the IT systems were shut down.

Actions taken by PSI to deal with the incident

The attack was detected in the night from February 14, 2024 to February 15, 2024. PSI Software SE took the following measures after the discovery:

  • Shutdown of all IT systems: After the malware was executed by the attackers, all IT systems were immediately disconnected from the network and the technical connections to the outside world - including to our customers - were cut.
  • Involvement of service providers for IT security: In order to deal with the situation, we engaged a certified service provider recommended by the German Federal Office for Information Security (BSI). The service provider has started a forensic investigation to determine the exact circumstances of the incident. Together with the service provider, we are also in the process of checking the backups of the systems and planning a restart of the systems. To ensure security, we are relying on a thoroughly secured start-up. In order to minimize the risk of further attacks, we will further harden our IT systems in coordination with the external IT security experts and increase the security measures even more. In addition, the forensic investigation will be used to determine the attack vector in order to close any vulnerabilities.
  • Notification to the state data protection authority (Landesdatenschutzbehörde): As a precautionary measure, we have submitted a data protection notification to the Berlin State Data Protection Commissioner.
  • Notification to the German State Office of Criminal Investigation (LKA): We have informed the Central Cybercrime Contact Point (Zentrale Ansprechstelle Cybercrime - ZAC) of the Berlin State Office of Criminal Investigation about the incident and are in contact with the responsible officials.
  • Notification to BSI: We have informed the Federal Office for Information Security (BSI) and are in contact with them.

Results from the forensic investigation to date

Due to the size of the IT environment, the forensic investigation requires major efforts. First insights into the timeline are available. According to the current status of the forensic investigation, traces of the attackers can be traced back to February 9, 2024. The malware itself was not executed at this time. The execution of the malware itself took place on February 14, 2024, starting at 11:16 pm CET. After this was detected by employees in the IT department, the systems were immediately shut down during the night. Access to customer systems has still not been detected.

So far, it is not known how the attackers were able to gain access to our IT systems. A certified service provider recommended by the German Federal Office for Information Security (BSI) was engaged to carry out a forensic investigation of the attack in order to determine, among other things, the attackers' intrusion vector.

Due to the size of the IT environment and the number of systems to be investigated, the forensic investigation is very time-consuming. We therefore ask for your understanding that it will take some time before reliable results are available, in particular regarding the attack vector and the initial compromise.

Possible data outflow

So far, it can neither be confirmed nor ruled out that data was leaked during the attack. However, we are currently reviewing the effects of a data leak for our customers.

Plans to restore normal operations

We are currently in the process of restoring the basic systems. As soon as the basic infrastructure has been set up, the most important IT systems will gradually be restarted. At the same time, we are working with our IT security service provider to set up interim solutions for certain systems, such as the email system, in order to get back up and running as quickly as possible. The aim is to be able to carry out our core services such as maintenance work again as soon as possible in order to keep the restrictions for our customers to a minimum. However, experience from similar incidents at other companies has shown that it could take several weeks or months before regular operations can be resumed.

 

February 19, 2024

Cyber attack on PSI - Update

PSI has been affected by a ransomware attack that affects the company's internal IT infrastructure. We detected unusual activity in our network during the night of February 15, 2024. As a result, all external connections and systems were successively shut down that same night. We also shut down PSI's mail system in the night, so that no mails have been sent from PSI systems since then. We are currently analyzing the exact vector of the attack.

There are at present no indications that PSI systems at customer sites have been compromised. According to current knowledge, there was no access to remote connections for the maintenance of customer systems.

We have been in contact with the responsible authorities and selected experts recommended by the Federal Office for Information Security since February 16, 2024. Our internal experts are working at full speed to minimize the scope and impact of the incident. PSI Software SE is doing everything in its power to make the affected systems available again as quickly as possible.

 

February 15, 2024

Cyber attack on PSI

PSI Software SE discovered on February 15, 2024 that there had been a cyberattack on PSI's IT systems. In response, the company has proactively disconnected the systems from the Internet to prevent data breaches and data corruption. The IT systems and the extent of the impact are currently being reviewed. The utmost care is being taken to ensure data integrity. PSI Software SE is making every effort to ensure that the affected systems are available again as quickly as possible.