Hackers Leak Hundreds of German Politicians' Personal Data
Chancellor Angela Merkel Among the Victims of Massive Hack Attack and Data Leak
Hundreds of members of the German parliament, Chancellor Angela Merkel and numerous local celebrities have had their personal details and other sensitive information leaked online.
The information, including financial details, contact information, memos and private chats, was leaked in December but only recently spotted.
The leak includes details for German celebrities as well as members of six of the seven main political parties in the Bundestag lower house, including the ruling center-right and center-left parties, as well as The Greens, left-wing party Die Linke and the Free Democratic Party, the BBC reported.
But there's a notable exception: No members of the far-right Alternative for Germany - AfD - saw their personal details get spilled, according to German media reports. It's not clear, however, if that's a clue to the perpetrator's identity or a false flag.
"Whoever is behind this wants to damage faith in our democracy and its institutions," says Justice Minister Katarina Barley in a statement.
It's also not clear if all of the leaked data is authentic or unaltered.
'Immense' Leak
The leaked information was made available online via tweets from a Twitter account, which has now been suspended, that linked to a platform that appeared to be based in the German city of Hamburg.
"The amount of data published is immense," says Hamburg's Data Protection Commissioner, who has been responding to the data leak by cataloging tweets that contain links to the stolen data. The commissioner has been communicating with Twitter as part of its legal request that all such information be removed.
"Even if no information relevant to public safety is concerned, the damage that may be caused by the publication of personal information to the individual concerned is nonetheless significant," the commissioner says.
BSI Investigates
Germany's Federal Office for Information Security, or BSI, is investigating the leak.
"Hacker attack on politicians: The BSI is currently intensively examining the case in close cooperation with other federal authorities," the BSI tweeted on Friday. "The National Cyber Defense Center has taken over the central coordination. According to our current information, government networks have not been targeted."
The data dump included Merkel's email address and fax number, as well as letters she wrote or which were written to her, German news agency DPA reported. One reporter who reviewed the data dump said it also appears to contain numerous private details, including sensitive information about individuals' private lives.
Officials say the data may have been obtained by hackers using stolen passwords to log into email accounts, social networks and cloud-based services (see: Credential Stuffing Attacks: How to Combat Reused Passwords).
"After an initial analysis, much evidence points toward the data being obtained through the improper use of login details to cloud services, email accounts or social networks," Minister of the Interior Horst Seehofer said in a statement on Friday, the Guardian reported. "Currently, nothing points towards the system of the parliament or government having been compromised."
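The officials quoted above suspect credential stuffing: stolen username/password pairs replayed against email, social-network and cloud accounts whose owners reused a password. From the service side, that activity has a recognizable footprint in the authentication log, which is what the following added example (written for this article, not code from any of the parties involved) looks for. It flags any source address that, within a time window, attempts logins for many distinct accounts with mostly failures, and reports the accounts that nevertheless answered with a valid password, since those are the ones whose reused credentials have just been confirmed. The log format, the field names and the sample lines are constructed for the example; the thresholds are assumptions to be tuned to a real service's baseline.

```python
"""Credential-stuffing detection over authentication logs (added example).

The log line format below is constructed for this example:
    <timestamp> ip=<source> user=<account> result=<ok|fail>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample: one ordinary user (198.51.100.2) who mistypes once,
# one source (203.0.113.7) replaying a breached list against eight accounts
# and hitting one of them, and one source that only retries a single account.
SAMPLE_LOG = """\
2018-12-20T09:00:01 ip=198.51.100.2 user=schmidt result=fail
2018-12-20T09:00:09 ip=198.51.100.2 user=schmidt result=ok
2018-12-20T09:01:00 ip=203.0.113.7 user=weber result=fail
2018-12-20T09:01:02 ip=203.0.113.7 user=fischer result=fail
2018-12-20T09:01:04 ip=203.0.113.7 user=mueller result=ok
2018-12-20T09:01:06 ip=203.0.113.7 user=becker result=fail
2018-12-20T09:01:08 ip=203.0.113.7 user=hoffmann result=fail
2018-12-20T09:01:10 ip=203.0.113.7 user=koch result=fail
2018-12-20T09:01:12 ip=203.0.113.7 user=richter result=fail
2018-12-20T09:01:14 ip=203.0.113.7 user=wolf result=fail
2018-12-20T09:05:00 ip=203.0.113.9 user=braun result=fail
2018-12-20T09:05:30 ip=203.0.113.9 user=braun result=fail
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed-format log line into an AuthEvent."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AuthEvent(datetime.strptime(ts_str, TS_FORMAT), kv["ip"], kv["user"], kv["result"] == "ok")


def load_sample() -> list:
    return [parse_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_ratio=0.2):
    """Return {src_ip: finding} for sources that look like credential replay.

    A source is flagged when some sliding window of its attempts covers at
    least `min_users` distinct accounts and at most `max_success_ratio` of
    those attempts succeeded. Password-spraying one account, or a real user
    fumbling their own login, does not meet the distinct-account bar.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        stats = None
        compromised = set()  # accounts that accepted a password from this source
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            successes = sum(e.ok for e in chunk)
            if len(users) < min_users or successes / len(chunk) > max_success_ratio:
                continue
            # Keep the widest qualifying window for reporting.
            if stats is None or len(users) > stats["distinct_users"]:
                stats = {"attempts": len(chunk), "distinct_users": len(users)}
            compromised |= {e.user for e in chunk if e.ok}
        if stats is not None:
            stats["compromised"] = sorted(compromised)
            findings[ip] = stats
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(load_sample()).items():
        print(ip, finding)
```

On the sample above only 203.0.113.7 is reported, with the account `mueller` listed as compromised; that list is the actionable output, since those accounts need a forced password reset and a check of recent activity regardless of whether the source address is blocked. Real deployments should key on more than the source address, because a stuffing run spread across many addresses will stay under a per-source threshold; aggregating by user-agent, ASN or per-account failure rate across all sources catches that variant.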
Dump is Massively Mirrored
The information security researcher known as the Grugq says that whoever stole and packaged up the information appears to have done so over a significant period of time. They also went to great lengths to make it difficult to eradicate online copies of the information by mirroring the data in numerous places online, and then creating mirrors of the mirrors, according to the Grugq.
This data leak has so much data squirrelled away to avoid take downs. It must have required many man hours of uploading.
- 70 mirrors of the download links
- 40 d/l links, each with 3-5 mirrors
- 161 mirrors of data files
Plus the tweets, blog posts, mirrors of mirror links.
— the grugq (@thegrugq) January 4, 2019
"If I had to guess, I'd say that the leak files were not produced at the same time," the Grugq says via Twitter. "The changes in layout and naming suggest that it wasn't one person in one marathon session creating these. There is variation in the archive passwords too: 123, abbreviations, variations."
At least one German media outlet published links to the stolen information, drawing a rebuke from information security experts.
"Today's German data leak presents a particularly sharp dilemma: It is highly unethical to further publicize access to all the private data of so many prominent, high-interest individuals - but the leak's rollout design is also highly resilient to takedowns," says German political scientist Thomas Rid, a professor of strategic studies at Johns Hopkins University's School of Advanced International Studies.
Let's spell this out more clearly:
1-Twitter account spreads URLs to bad leak
2-Twitter suspends account
3-Journalist posts screenshot of suspended account with live links
4-Press stories simply mention suspended Twitter handle
5-Hello archives
3 = just stupid
4 = please stop
— Thomas Rid (@RidT) January 4, 2019
Follows Alleged APT28 Attack
This isn't the first major information security mishap to occur on the BSI's watch. In 2015, the BSI shut down the parliamentary intranet after discovering it had been infected with spyware.
In February 2018, it admitted that in December 2017, it discovered that for up to a year, hackers had infiltrated the sensitive "Informationsverbund Berlin-Bonn" - IVBB - network used by Germany's Foreign Ministry and Defense Ministry, and planted malware, German public broadcaster Deutsche Welle reported.
The Russian government hacking group APT28 is suspected of being responsible for that attack. The group is also known as BlackEnergy Actors, Cyber Berkut, CyberCaliphate, Fancy Bear, Pawnstorm, Sandworm, Sednit, Sofacy, Strontium, Tsar Team and Voodoo Bear (see: Dutch and British Governments Slam Russia for Cyberattacks).
Reuters, meanwhile, reported that the BSI only learned of the new, massive data dump on Friday, shortly before it was reported by German news media.
Advent Calendar of Leaks
Some information security experts say that the dump of German politicians' personal details, memos and other potentially sensitive data has none of the hallmarks of a typical Russian information operations campaign.
For starters, the dump appeared to be designed to be an "Advent calendar" of big and little leaks, with new data being dumped every day in December up until Christmas via a Twitter account - reportedly followed by up to 18,000 people - before it was suspended.
Initially, at the beginning of December 2018, the account began leaking data for celebrities before switching to politicians on Dec. 20.
"Someone put a lot of effort into this. It doesn't make sense for a Russian op, the timing is way off," the Grugq tweets. "And they'd have been pissed that they got ignored for all of December as they were leaking. It is unusual to do an IO and just wait around until it is found."
Privacy Commissioner Seeks Link Removal
The Hamburg Commissioner for Data Protection says it's been working throughout Friday to legally compel Twitter to excise all links to the stolen data from any tweets. To do so, the commissioner is working with Ireland's Data Protection Commission because Twitter's European operations are based in Ireland (see: GDPR: EU Sees More Data Breach Reports, Privacy Complaints).
But it's not yet clear whether any of the links specified by Hamburg's data protection commissioner have been removed by Twitter, or whether the social networking firm will honor those requests.
"We are continuing to investigate this issue and our teams will take action where appropriate," a Twitter spokeswoman tells Information Security Media Group.
"Posting a person's private information without their permission or authorization is a direct and serious violation of the Twitter Rules," she says. "We also recently updated our rules to prohibit the distribution of any hacked material that contains private information, trade secrets or could put people in harm's way."