A German federal agency has acknowledged in a report Wednesday that a cyberattack caused physical damage to an iron plant in the country. It was a rare admission by a government tying a cyber action to actual physical destruction.

The attackers gained access to an unnamed plant’s office network through a targeted malicious email and were ultimately able to cross over into the production network. The plant’s control systems were breached which “resulted in an incident where a furnace could not be shut down in the regular way and the furnace was in an undefined condition which resulted in massive damage to the whole system,” according to the report, called the IT Security Situation in Germany in 2014.

The report is created annually by Germany’s Federal Office for Information Security. The agency, known as Bundesamt für Sicherheit in der Informationstechnik or BSI, is in charge of managing computer and communication security for the German government including critical infrastructure. The agency did not respond to a request for additional information about the company’s name or the extent of the damage.

It’s rare that a government officially acknowledges a cyberattack that has resulted in physical damage. In November 2010, Iranian President Mahmoud Ahmadinejad said that cyberattackers had affected Iran’s centrifuges used in uranium enrichment, according to The Guardian. President Ahmadinejad is believed to have been speaking about the Stuxnet computer worm that attacked the industrial control systems of Iran’s Natanz nuclear facility and destroyed a number of centrifuges. Former U.S. officials have said that Stuxnet was created by the U.S. and Israel to attack Iran’s nuclear program.

When governments talk about the potential for cyberattacks on the electric grid or other attacks that could do widespread damage, they’re talking about this type of industrial control systems attack, Robert M. Lee, a co-founder at industrial control systems security firm Dragos Security LLC and an active-duty U.S. Air Force cyberspace operations officer told CIO Journal. Mr. Lee wrote about the German report, Wednesday, in a blog post.

3.3.1 APT-Attack on industrial sites in Germany Fact: Targeted attack on an iron plant in Germany Method: Through Spear-Fishing and ingenious Social Engineering, attackers got initial access to the office network of the iron plant. From there, they successively worked their way in to the production networks. Harmful effect: There was an accumulation of breakdowns of individual components of the control system or of entire facilities. The system breakdowns resulted in an incident where a furnace could not be shut down in the regular way and the furnace was in an undefined condition which resulted in massive damage to the whole system. Target groups: Operators of industrial plants. Technical skills: The technical skills of the attackers can be described as very advanced. A variety of different internal systems were compromised and industrial components. The attackers had advanced know-how of not only conventional IT-security, but also detailed technical knowledge of the industrial control systems and production processes that were used in the plant.

“I know of seven other incidents that have claimed to have had a cyber-to-physical or significant process effect and a few near misses that were caught in time,” said Michael Assante industrial control systems lead for SANS Institute, a cybersecurity research and education organization, in an email.

“The industrial control systems community is very secretive for legal and compliance reasons,” Mr. Lee told CIO Journal. However, he sees Germany’s acknowledgement of the attack on the plant as a sign that things are starting to change. “We’re absolutely reaching a point where it’s becoming more normal and expected to talk about these things rather than run from them,” he said.

Write to rachael.king@wsj.com