The e-mail appeared to come from NATO headquarters in Brussels, offering information about the earthquake in Italy. But anyone clicking on the link wasn’t directed to the western military alliance, but to a server that installed spyware on the recipient’s computer.
The so-called spear phishing attack hit German parliamentarians’ inboxes in August, according to an investigative report by the Süddeutsche Zeitung newspaper and public broadcasters NDR and WDR. Recipients included members of the Social Democratic Party, Left Party and Christian Democratic Union.
In 2015, the intranet of the Bundestag, Germany’s lower legislative chamber, was the target of a similar e-mail attack. At the time, federal security officials called it a “grave and far-reaching attack” and a “not insignificant data leak.” They traced the cyber attack to Russia.
The Bundestag needed some time to plug the data leak. Government IT technicians had to shut down the parliament’s intranet for several days and partially revamp it.
But IT security measures proved far better in the August attack.
“The Bundestag was protected and not affected,” a spokesman from the parliamentary administration said. “It was simply another of many attempts to spread malware.”
Bernhard Kaster, leader of the CDU parliamentary group, agreed. “The e-mails were unable to damage the network of the Bundestag,” he said. “The servers linked to the e-mails were known long before the attempted attack in August and were accordingly kept out.”
To make doubly sure, affected parliamentarians were instructed to delete the e-mail and not to open it via their private computers. This warning, however, arrived two weeks after the phishing e-mail.
At first glance, the August incident could almost be dismissed as routine. Defending against phishing attacks is an everyday task for the IT departments of German companies and governmental agencies. But the Federal Office for Information Security, the BSI, said the August attack was different because of the circle of addressees.
“The focus was apparently not only on officeholders and functionaries, but also on their surroundings, for example, regional associations, youth organizations and staff offices of the parties,” a BSI spokesman said, adding that the agency suspects Russian hackers to be behind the August attacks as well.
BSI head Arne Schönbohm drew a parallel with recent events in the United States, where the Democratic Party’s national committee was the victim of a hacker attack.
Two groups of hackers remained undiscovered – for months in some cases – as they spied on communications between leading U.S. Democrats. Shortly before Hillary Clinton was nominated as the Democratic presidential candidate, e-mails from the party were made public on Wikileaks. The website’s founder, Julian Assange, had once hosted a talk show for Russian state broadcaster Russia Today.
The leaked e-mails revealed that some of the party leadership had voiced early opposition to Ms. Clinton’s rival Bernie Sanders. The Democratic Party’s chairwoman had to resign.
There are many indications that the attack in the United States leads back to Russia, experts say. One of the participating hacker groups is said to be linked to Russia’s internal security service, the FSB, and another to its military intelligence service.
The latter group, internally known as APT 28, is thought to have used the same server for its attack on the Democratic Party that was also used in the Bundestag attack in 2015. Whoever spied on the Democrats was also interested in German parliamentarians’ communications and data.
“The technical parameters and mode of operation known to the BSI in the current case correspond with those of the APT-28 group,” the BSI said in a statement.
German security services are concerned that foreign intelligence agencies are looking for material on politicians and parties to exert influence on Germany’s 2017 parliamentary elections.
“Against the background of events in America, it was important to me that the parties protect themselves from espionage,” Mr. Schönbohm told Süddeutsche Zeitung.
Until the cyber attack in 2015, most parliamentarians paid little attention to data security. And even today, few probably use encryption.
Claudia von Salzen is an editor with Der Tagesspiegel.