
Cyber attacks on Bundeswehr suppliers: what companies with access to VS-NfD information (hereinafter: VS-NfD suppliers) now face
Introduction
The security situation in the digital space has worsened drastically. Recent research by NDR and WDR shows: Russian hackers are specifically targeting the Bundeswehr and its suppliers. Companies with access to information classified as “classified - for official use only” (VS-NfD) are particularly affected. This development marks a turning point in the threat situation for security-relevant companies in Germany.
Targeted cyber attacks on VS-NfD suppliers
The attacks are carried out in a highly professional manner, often by groups like "APT28" (aka Fancy Bear) or "Sandworm", which numerous Western security services attribute to the Russian military intelligence service GRU. The attackers exploit vulnerabilities in IT systems, inadequately secured communication channels or human errors to obtain sensitive information. The focus is not only on military systems, but also specifically on service providers and suppliers with access to security-critical data.


What does this mean for VS-NfD suppliers?
The consequences of this development are far-reaching. Companies that work with VS-NfD data or have access to systems with this classification must dramatically increase their security standards. The most important requirements at a glance:
1. Security audits & penetration tests
Companies are required to have their entire IT infrastructure regularly audited externally. Penetration tests and vulnerability analyses help to identify security gaps at an early stage.
2. Higher compliance requirements
Compliance with security-related requirements becomes mandatory. This includes, among other things, the secure processing of VS-NfD data, clear role and rights models and the use of approved communication platforms.
3. Advanced employee verification
People with access to sensitive data must undergo more intensive background checks. The allocation of rights is handled more restrictively.
4. Mandatory cooperation with security authorities
In the case of security-relevant cyber incidents, there is an obligation to report to the BSI. Companies related to VS-NfD should also define coordinated processes for communication with authorities - especially if security-relevant government bodies (e.g. Bundeswehr, authorities) are involved. In cases of suspected espionage or targeted investigation, the BfV can also be contacted - however, this is not a mandatory report, but is done in coordination with the BSI or via the National Cyber Defense Center.
5. Contractual and liability risks
Mistakes in handling VS-NfD data or security incidents can have serious legal and financial consequences. Depending on the contractual situation and award criteria, violations can lead to exclusion from security-relevant projects or have liability consequences.
6. Obligation to self-accredit by September 1, 2025
According to the new Classified Information Instructions (VSA), which came into force at the beginning of 2024, all companies that handle VS-NfD data must accredit themselves by no later than September 1, 2025. This self-accreditation includes, among other things, the implementation of minimum technical and organizational measures, the establishment of a security concept and confirmation of compliance by a responsible person in the company. The specific structure of self-accreditation is regulated in the accompanying administrative regulations and implementation guidelines. Without this accreditation, there is a risk of losing orders or access rights to security-relevant information.

The security policy classification: How serious is the situation?
The Federal Office for the Protection of the Constitution and NATO speak of an ongoing hybrid conflict, in which cyberattacks have become a central element of Russian influence. Germany is not only a political but also a technological target. Sabotaging infrastructure, spying on military communications and reading development data are real dangers.
Recommendations for affected companies
In view of the escalating situation, quick action is required. Companies with a VS-NfD connection should take the following steps immediately:
- Carrying out external IT security audits
- Implementation of an ISMS according to BSI standards (e.g. IT-Grundschutz, ISO 27001)
- Training of all employees on cybersecurity standards
- Establishment of emergency plans and response mechanisms
- Close coordination with responsible security authorities
- Planning and implementation of the self-accreditation according to VSA by September 1, 2025 at the latest
Numerous resources, background information and guidance on self-accreditation can be found at, among other places, vs-nfd.advisori.de, our privately operated information platform about the implementation of the new VSA requirements.
An additional note from our practice:
Many companies underestimate the effort required to fully implement self-accreditation - especially the documentation and technical security in accordance with the VSA specifications. Early support from experienced information security consultants can help to avoid unnecessary friction. A common stumbling block, for example, is the correct zoning of IT systems in the context of VS-NfD. Those who separate their zones clearly and verifiably can prove to authorities and clients that there are no mixed data streams - an often underestimated compliance advantage.
Conclusion
The days when cybersecurity was a purely technical issue are over. VS-NfD suppliers are at the center of a geopolitical dispute that affects digital, economic and military levels equally. Only those who act now can sustainably protect their systems and their role in the security-relevant supply chain.
The clock is ticking.
Note: This article is based on journalistic research by NDR/WDR as well as current security analyses by German and European security authorities.
Original report at: tagesschau.de/cyberattacks-bundeswehr-russland-100.html
Next step: Free initial consultation
Would you like to address these issues strategically? Our experts will be happy to advise you - without obligation and in a practical manner. Arrange an initial consultation now →