German Parliament Sustains Another AttackMembers Reportedly Targeted by Spear Phishing
Several members of the German Parliament, the Bundestag, and political activists in the country were targeted by a spear-phishing campaign, German newsmagazine Der Spiegel reported Friday, quoting unnamed government officials. Parliament previously sustained a cyberattack in 2015.
The campaign targeted seven members of the German federal Parliament and 31 members of the state parliaments, the majority of whom are members of the ruling Christian Democratic Union of Germany, the Christian Social Union and the Social Democratic Party, according to the Der Spiegel report. The politicians received phishing messages that appeared to come from "trustworthy" sources, the news report says.
A report by another German publication, WDR, says the phishing emails contained a link to a website that hosted malware, and the campaign compromised emails of some of the targets.
The WDR report did not identify the malware or the threat group associated with the campaign. Citing unidentified security experts, Spiegel reported that the attacks are tied to an advanced persistent group called Ghostwriter.
BSI, the German federal cybersecurity authority, did not immediately respond to a request for comment.
This attack is similar to an earlier incident in which hackers successfully targeted German Parliament members. In 2015, the Bundestag was compromised after hackers implanted a Trojan to gain administrative-level access to the Parliament's network. The incident resulted in the Bundestag replacing 20,000 PCs, as well as an undisclosed number of servers, to mitigate the threat (see: German Parliament Battles Active Hack).
In May 2020, German prosecutors revealed that an alleged Russian hacker and suspected member of the Russian military’s Main Intelligence Directorate, also known as the GRU, was behind the 2015 hack (see: SolarWinds Attack Illustrates Evolving Russian Cyber Tactics).
It's now believed that Russian hackers sent a phishing email to several members of the German Parliament with a malicious link portrayed as leading to a United Nations website, according to a Süddeutsche Zeitung news report. The report says attackers further impersonated the U.N. by using the domain "@un.org" to send the emails, which included subject lines such as: "Ukraine conflict with Russia leaves economy in ruins."
When a target of the phishing campaign clicked on the link, it installed malware on their device, enabling hackers to gain a foothold within the IT network of the German Parliament, according to Süddeutsche Zeitung. It also reports that the attackers used the penetration testing tool Mimikatz, which is also used by attackers to steal passwords.
In October 2020, the European Union sanctioned two Russian nationals for their alleged role in the 2015 hack (see: EU Sanctions 2 Russians for German Parliament Hack).
In a July 2020 report, security firm FireEye said Ghostwriter is a threat group that is focused on influence campaigns in Lithuania, Latvia and Poland. The report did not link the group to Russia’s GRU but noted it is aligned with Russian security interests.
The report noted the group is primarily engaged in disinformation campaigns and has been active since 2017, using messages critical of the North Atlantic Treaty Organization’s presence in Eastern Europe. According to FireEye, the group mainly uses compromised websites and spoofed emails to push content produced by fake personas posing as locals, journalists and analysts within those countries.
Attackers have targeted the parliaments of several other countries for espionage and other malicious activities.
In December 2020, Finnish police and parliament officials launched an investigation into a security incident in which attackers gained access to internal IT networks and appear to have compromised lawmakers' email accounts (see: Finnish Officials Investigate Hack of Lawmakers' Email).
Earlier, Norwegian officials announced that they believed the Russian-linked hacking group known as APT28, or Fancy Bear, was responsible for a campaign discovered in August, in which the email accounts of some elected officials and government employees were compromised (see: Norway Says Russia-Linked APT28 Hacked Parliament).
In 2019, hackers breached the Australian Parliament's network, although investigators found no evidence that attackers stole any data (see: Hack Attack Breaches Australian Parliament Network).
And this weekend, the Australian Parliament email system was shut down by an intruder.