Q1 2026: The Five Most Dangerous Cyber Incidents in Germany and What They Have in Common
A DDoS attack on Deutsche Bahn. An arson attack on Berlin’s power grid. Russian state hackers infiltrating the Signal contacts of a former BND (Federal Intelligence Service) vice president. And a vulnerability scanner that itself becomes a weapon. The first quarter of 2026 has shown: Threats are not only becoming more technically sophisticated – they are increasingly merging with geopolitical conflicts and physical sabotage.
This review contextualizes the five most severe incidents, identifies the patterns behind them, and highlights what IT security teams should keep on their radar for Q2.
TL;DR
- Deutsche Bahn DDoS (February 17): Pro-Russian hacktivists paralyzed booking systems, the app, and departure boards for hours. BSI (Federal Office for Information Security) President Claudia Plattner reported billions of requests per minute.
- Berlin Blackout (January 3): Arson attack on high-voltage cables – 45,000 households without power, the longest outage since 1945. The Federal Prosecutor General is investigating on suspicion of terrorism.
- Signal Phishing Against BND Vice President (February/March): Russian state hackers hijacked the Signal account of Arndt Freytag von Loringhoven and distributed malware to his contacts. The BSI and BfV (Federal Office for the Protection of the Constitution) issued a joint warning.
- Trivy Supply Chain Attack (March 19): 75 out of 76 version tags of the vulnerability scanner were compromised, CI/CD secrets stolen.
- NIS2 Enters into Force (December 6, 2025): 30,000 companies now regulated, registration deadline expired, personal liability for managing directors applies.
1. Deutsche Bahn: DDoS as a Geopolitical Weapon
On February 17, 2026, a multi-wave DDoS attack crippled Deutsche Bahn’s digital infrastructure. The website, DB Navigator app, and departure boards at train stations were down for hours. Train control and signaling systems remained unaffected – the attack targeted customer-facing systems.
Attribution was swift: IT security experts linked the attack to the pro-Russian hacktivist group NoName057(16), which deployed the “DDoSia” tool. The campaign ran in parallel against targets in multiple NATO countries. BSI President Claudia Plattner commented directly on the scale of the attack.
For German operators of critical infrastructure (KRITIS), the incident demonstrates: DDoS is no longer a nuisance – it is a strategic instrument in geopolitical conflicts. Any critical infrastructure operator without carrier-level DDoS protection is operating with an exposed flank.
Operation Alice provided a counterpoint: Between March 9 and 19, German authorities, Europol, and 23 countries conducted a coordinated dark web raid. Over 373,000 fraudulent websites were shut down, and 105 servers seized. The success shows that European law enforcement works – but also that threat actors on the other side operate industrially.
2. Berlin Blackout: When Physical and Digital Converge
On January 3, 2026, unknown perpetrators set fire to several high-voltage cables on a bridge over the Teltow Canal in Berlin-Lichterfelde. The result: 45,000 households and over 2,200 businesses without power – the longest Berlin blackout since 1945. The Federal Prosecutor General took over the investigation on January 6. The German government offered a one-million-euro reward.
For IT security, the incident is a wake-up call: The line between cyber and physical attacks is blurring. The KRITIS umbrella law, in force since March 2026, addresses precisely this convergence. IT security teams that model only digital attack vectors underestimate the real threat landscape. Physical resilience must be part of every security concept for critical infrastructure.
The industrial sector was also hit: On January 7, the ransomware group Akira claimed an attack on the Buhlmann Group, a Hamburg-based steel distributor (2,000 employees, 428 million euros in revenue). 55 GB of data were exfiltrated – construction plans, personnel files, financial data. The company emphasized that only a U.S. subsidiary was affected. But the case fits Akira’s typical profile: mid-sized manufacturing and industrial companies large enough to pay ransom but small enough to have weaker security.
According to the BSI’s 2025 situation report, 80 percent of ransomware victims in the reporting period were SMEs. The report also counted 119 new vulnerabilities per day – 24 percent more than the previous year – and 950 reported ransomware attacks. The situation remains what the BSI has described for years: tense. But Q1 2026 added a new dimension: Attacks are becoming more political, targets more physical, and the tools of defense themselves are becoming attack vectors.
3. Signal Phishing: State Hackers in the Messenger
Between February and March 2026, Russian state hackers conducted a targeted phishing campaign via Signal against high-ranking German and European targets. Confirmed victim: Arndt Freytag von Loringhoven, former vice president of the BND. He was contacted by a fake Signal support account, his PIN code was phished, and his account was hijacked. The attackers then distributed malware links to his contacts.
The BfV and BSI classified the incident as a security threat and issued a joint warning. The Dutch AIVD publicly attributed the attacks to Russian state hackers. Correctiv confirmed digital evidence pointing to Russia on March 24, 2026. Twenty-nine additional phishing domains were identified, some targeting entities in Ukraine and Moldova.
The lesson: Even end-to-end encrypted messengers do not protect against social engineering at the account level. Anyone using Signal for sensitive communication – and many security agencies and companies do – must activate the Registration Lock PIN and deploy phishing-resistant second factors.
4. Trivy: The Security Scanner as an Attack Vector
On March 19, the group TeamPCP compromised the open-source vulnerability scanner Trivy from Aqua Security. 75 out of 76 version tags in the GitHub repository were force-pushed to redirect to malicious code. The tampered binary stole SSH keys, cloud credentials, and Kubernetes secrets from CI/CD pipelines and exfiltrated them to a typosquatting domain.
The Trivy case fits a pattern seen across the industry: The XZ-Utils backdoor (CVSS 10.0, March 2024) took three years to prepare. The 3CX attack (March 2023) was the first documented double supply chain compromise. And Sonatype reported a 156 percent increase in malicious open-source packages year-over-year. SHA-based dependency pinning would have completely prevented the Trivy attack.
CERT-EU confirmed in its quarterly reports that Russian intelligence services continue to conduct operational cyber and hybrid operations against European governments and critical infrastructure. The UK sanctioned the GRU and eleven officers explicitly for hybrid warfare in Europe. For German companies with international supply chains or customers in Eastern Europe, this is not an abstract risk – it is an operational factor that belongs in risk analysis.
5. NIS2 and the Regulatory Earthquake
The NIS2 Implementation Act entered into force on December 6, 2025 – without a transition period. The number of regulated entities rose from 4,500 to around 30,000. Since January 6, the BSI registration portal has been active. The registration deadline has expired, and personal liability for managing directors applies.
In parallel: The EU Cyber Resilience Act sets reporting obligations for manufacturers in the event of actively exploited vulnerabilities starting September 11, 2026 – 24 hours for an early warning, 72 hours for a full report. In June 2025, the Federal Constitutional Court ruled parts of source telecommunications surveillance unconstitutional – a decision that redefines the limits of state surveillance.
The Pattern: What Connects Q1 2026
Three trends run through all five incidents.
First: The convergence of cyber and physical. The Berlin blackout was a physical attack with digital precursors. The Deutsche Bahn DDoS targeted physical infrastructure via digital channels. The separation between IT security and physical security is dissolving – anyone who still organizes them separately has gaps.
Second: Geopolitics as a motive for attacks. The Signal campaign, the Bahn DDoS, CERT-EU reports on Russian hybrid operations – cyberattacks are no longer an abstract risk. They are an instrument of state power projection that directly impacts German companies and authorities.
Third: The supply chain as the primary attack surface. Trivy, the 704,000 malicious packages since 2019, the slopsquatting phenomenon – anyone who protects only their own application but blindly trusts tools and dependencies has left the biggest flank exposed.
What Should Be on the Radar for Q2
April 3, 2026: The ePrivacy exemption for voluntary chat scanning expires. Without extension, the legal basis for platforms currently scanning voluntarily disappears.
May 4, 2026: Third trilogue on EU chat control. This will determine whether detection orders may become mandatory in a later phase.
June 30, 2026: Deadline for first NIS2 audit evidence. Companies that cannot present a documented risk analysis and action plan by then risk sanctions.
September 11, 2026: CRA reporting obligations take effect. Manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours.
Q1 2026 was not a quiet quarter. Attacks became more physical, more political, and more sophisticated. Regulation became stricter. And the attack surface grows with every dependency, every cloud service, and every AI assistant that gains access to corporate data. Companies that do not now invest in systematic security architecture will feel the consequences in Q2.
The most important insight from Q1 2026: Security is not a state but a process – and this process must become faster than the attackers. Deutsche Bahn survived the DDoS, but the hours without functioning booking systems were a reputational damage. The Berlin blackout lasted a day, but the loss of trust in the infrastructure lingers. And the Trivy hack shows that even the tools meant to guarantee security offer attack surfaces. Those who understand this build their defenses not on trust – but on verification, redundancy, and the ability to respond faster than the attacker escalates.
For IT security budgets, Q1 2026 sends a clear message: Investment in prevention is cheaper than the consequences of an incident. IBM estimates the average cost of a data breach at $4.88 million. The Buhlmann Group will not publicly quantify the costs of the Akira attack, but the reputational damage with customers and partners will have long-term effects. And the personal liability for managing directors under NIS2 turns cybersecurity failures into an individual financial risk. The question is no longer whether to invest – but whether to invest quickly enough.
Frequently Asked Questions
What was the biggest cyberattack in Germany in Q1 2026?
The DDoS attack on Deutsche Bahn on February 17, 2026, was the most publicly visible incident. The Berlin blackout on January 3 – a physical sabotage attack affecting 45,000 households – had the greatest impact on the population.
Which ransomware groups were active in Germany?
The Akira group attacked the Buhlmann Group in January (a Hamburg-based steel distributor, 55 GB of data exfiltrated). According to the BSI, 80 percent of ransomware victims in the reporting period were SMEs. The most active groups in Europe were Qilin, Akira, and Sinobi.
What does NIS2 mean concretely for my company?
Companies with 50 or more employees or 10 million euros in revenue in regulated sectors must register with the BSI, conduct a risk analysis, and demonstrate security measures. Managing directors are personally liable. The first audit deadline is June 30, 2026.
How can I protect myself against supply chain attacks?
Use SHA-based dependency pinning, create and maintain an SBOM, integrate dependency scanning into the CI/CD pipeline, implement code signing with Sigstore, and conduct regular vendor risk assessments. The Trivy attack could have been completely prevented with SHA pinning.
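The SHA-pinning recommendation made in section 4 and repeated in this answer can be enforced mechanically. The following is an added example, not code from the article, from Aqua Security or from the Trivy project: a small checker that audits GitHub Actions workflow text for `uses:` references that point at a mutable tag or branch (or a container image tag) instead of an immutable commit SHA or image digest, plus a helper that produces the pinned form. It assumes the standard GitHub Actions `uses:` syntax; the sample workflow, the action name `example-org/scanner-action` and all SHAs and digests in it are constructed placeholders, not real commits or images.

```python
import re
from dataclasses import dataclass

# Constructed placeholders (not real commits or image digests), used to build the samples.
PLACEHOLDER_SHA = "a" * 40
PLACEHOLDER_DIGEST = "sha256:" + "b" * 64

# Constructed sample workflow: every external reference is mutable. A force-pushed tag,
# which is the mechanism the article describes for Trivy, would silently change what runs.
WEAK_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0.40.0
      - uses: ./.github/actions/local-helper
      - uses: docker://example-org/scanner:latest
"""

# The same job in hardened form: commit SHAs for actions, a digest for the image.
# Keeping the tag as a trailing comment preserves readability for reviewers.
HARDENED_WORKFLOW = f"""\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
      - uses: example-org/scanner-action@{PLACEHOLDER_SHA} # 0.40.0
      - uses: ./.github/actions/local-helper
      - uses: docker://example-org/scanner@{PLACEHOLDER_DIGEST}
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full git commit SHA
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")  # OCI image digest
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


@dataclass
class Finding:
    line_no: int
    reference: str
    reason: str


def classify(reference):
    """Return None if the reference is immutable, otherwise a short reason why it is not."""
    if reference.startswith("./"):
        # Local composite action: it lives in this repository's own commit, nothing external to pin.
        return None
    if reference.startswith("docker://"):
        image = reference[len("docker://"):]
        if "@" in image and DIGEST_RE.match(image.rsplit("@", 1)[1]):
            return None
        return "container image referenced by tag, not by sha256 digest"
    if "@" not in reference:
        return "no version reference at all (resolves to the default branch)"
    ref = reference.rsplit("@", 1)[1]
    if SHA_RE.match(ref):
        return None
    return f"mutable reference '{ref}' (tag or branch) instead of a commit SHA"


def check_workflow(text):
    """Scan workflow text line by line and return a Finding for every unpinned 'uses:'."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        reference = m.group(1).strip("\"'")
        reason = classify(reference)
        if reason:
            findings.append(Finding(line_no, reference, reason))
    return findings


def pin_reference(reference, commit_sha):
    """Rewrite owner/repo@tag as owner/repo@<sha> # tag so the tag survives as a comment."""
    if not SHA_RE.match(commit_sha):
        raise ValueError("commit_sha must be a full 40-hex commit SHA")
    action, _, tag = reference.partition("@")
    pinned = f"{action}@{commit_sha}"
    return f"{pinned} # {tag}" if tag else pinned


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        findings = check_workflow(text)
        print(f"{name}: {len(findings)} unpinned reference(s)")
        for f in findings:
            print(f"  line {f.line_no}: {f.reference}: {f.reason}")
```

The checker deliberately treats only a full 40-character SHA (or a sha256 image digest) as pinned; a short SHA or a tag named like a version still counts as mutable, because neither guarantees that the same bytes run next time. In a real pipeline this check runs as a pre-merge gate over `.github/workflows/*.yml`, and the SHA passed to `pin_reference` comes from inspecting the tag in the upstream repository at review time, not from the workflow file itself.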
What regulatory deadlines are coming up in Q2 2026?
April 3: ePrivacy exemption for chat scanning expires.
May 4: Third trilogue on chat control.
June 30: NIS2 audit deadline.
September 11: CRA reporting obligations take effect.
All four directly affect German companies.
Header Image Source: Pexels / Tima Miroshnichenko (px:5380608)