Members of Parliament Targeted by Spear Phishing, German Media Reports
Several members of the German parliament, the Bundestag, and political activists in the country were targeted by a spear-phishing campaign, German news magazine Der Spiegel reported Friday, citing unnamed German government officials. This is the second such incident, after the 2015 hack of the parliament.
The campaign targets seven members of Germany’s federal parliament and 31 state lawmakers, most of whom are members of the German Christian Democratic Union, the Christian Social Union and the ruling Social Democratic Party, Der Spiegel reported.
The Der Spiegel report further noted that the politicians received phishing messages at their official email addresses that appeared to come from “trustworthy” sources. It added that, apart from politicians, the campaign also targeted political activists in Germany.
A report by another German publication, WDR, said the phishing email contained links to websites hosting malware, and added that the campaign broke into emails from multiple targets.
The WDR report does not identify the malware or the threat group behind the campaign. However, citing an unidentified security expert, Spiegel reported that the attack was linked to a group dubbed Ghostwriter.
BSI, Germany’s federal cybersecurity authority, did not immediately respond to a request for comment seeking information on the perpetrator of the threat.
This second attack is similar to an earlier incident in which hackers successfully targeted members of the German parliament. In 2015, the Bundestag was infiltrated after hackers planted a Trojan to gain administrative-level access to the parliamentary network. The incident resulted in the Bundestag replacing 20,000 PCs, as well as an undisclosed number of servers, to contain the threat (see: German Parliament Fights Active Hack).
In May 2020, German prosecutors revealed that suspected Russian hackers, believed to be members of the Russian military’s Main Intelligence Directorate, also known as the GRU, were behind the 2015 hack (see: SolarWinds Attack Describes the Evolution of Russian Cyber Tactics).
It is now believed that the Russian hackers sent phishing emails to several German lawmakers containing malicious links disguised as links to a United Nations website, according to a Sueddeutsche Zeitung news report. The report said the attackers further mimicked the UN by sending the emails from the “@un.org” domain, with subject lines such as “Ukraine’s conflict with Russia left the economy in ruins.”
When a target of the phishing campaign clicked the link, malware was installed on their device, giving the hackers a foothold in the German parliament’s IT network, according to Sueddeutsche Zeitung. The attackers also reportedly used the “Mimikatz” penetration-testing tool to steal passwords.
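The lure described above rests on a visible sender address that claims a trusted domain while the message is actually delivered from infrastructure that domain never authorized. The following is an added example, not code from the article or from any party it describes, showing the check a mail gateway or SOC triage script can perform: compare the domain of the visible From: header with the domains that SPF or DKIM actually vouched for in the Authentication-Results header, in the spirit of DMARC alignment. The three sample messages are constructed for illustration, the `mx.example.org` receiver name is a placeholder, and the organizational-domain logic is deliberately simplified (last two labels, no public-suffix list).

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages for illustration; they are not mail from the incident.
SAMPLES = {
    # Visible sender claims un.org, but SPF only vouches for an unrelated domain.
    "spoofed": (
        "From: UN News <news@un.org>\n"
        "Return-Path: <bounce@mail-delivery.example>\n"
        "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-delivery.example; dkim=none\n"
        "Subject: Ukraine's conflict with Russia left the economy in ruins\n"
        "\n"
        "Read the full briefing: http://briefing.example/report\n"
    ),
    # Same visible sender, but a DKIM signature from un.org vouches for it.
    "aligned": (
        "From: UN News <news@un.org>\n"
        "Return-Path: <bounce@news.un.org>\n"
        "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=news.un.org; dkim=pass header.d=un.org\n"
        "Subject: Weekly digest\n"
        "\n"
        "Digest body.\n"
    ),
    # No authentication result at all: treat as unverified.
    "unauthenticated": (
        "From: Press Office <press@un.org>\n"
        "Subject: Statement\n"
        "\n"
        "Body.\n"
    ),
}

SPF_RE = re.compile(r"spf=pass\s+smtp\.mailfrom=([^\s;]+)", re.I)
DKIM_RE = re.compile(r"dkim=pass[^;]*?header\.d=([^\s;]+)", re.I)


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (no public-suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(msg) -> str:
    """Domain of the visible From: address, i.e. what the recipient actually sees."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def authenticated_domains(msg) -> set:
    """Domains that SPF or DKIM actually vouched for, per Authentication-Results."""
    found = set()
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr)
        for m in SPF_RE.finditer(text):
            # smtp.mailfrom may be a full address or a bare domain; keep the domain part.
            found.add(m.group(1).rpartition("@")[2].lower())
        for m in DKIM_RE.finditer(text):
            found.add(m.group(1).lower())
    return found


def triage(raw: str) -> dict:
    """Report the visible From domain, the vouched-for domains, and whether they align.

    A message is flagged as suspicious when no authenticated domain shares the
    organizational domain of the visible sender, which covers both an outright
    spoof and a message that carries no authentication results at all.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    visible = from_domain(msg)
    vouched = authenticated_domains(msg)
    aligned = any(org_domain(d) == org_domain(visible) for d in vouched)
    return {"from_domain": visible, "authenticated": vouched, "suspicious": not aligned}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Run stand-alone, the script flags the spoofed and the unauthenticated samples and passes the aligned one. In a real deployment the Authentication-Results header must come from your own trusted receiver (strip any copy arriving from outside), and a flagged message is a trigger for quarantine and analyst review rather than a verdict on its own, since legitimate mail from misconfigured senders also fails alignment.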
In October 2020, the European Union sanctioned two Russian citizens for their alleged role in the 2015 hack (see: EU Sanctions 2 Russians for Hacking German Parliament).
Ghostwriter Connection
In its July 2020 report, security company FireEye said Ghostwriter is a threat group that focuses on influence campaigns in Lithuania, Latvia and Poland. The report does not link the group to Russia’s GRU, but notes that it is in line with Russia’s security interests.
The report notes that the group is primarily engaged in disinformation and has been active since 2017, pushing messages that criticize the North Atlantic Treaty Organization’s presence in Eastern Europe. According to FireEye, the group mainly uses compromised websites and spoofed emails to promote content produced by fake personas posing as locals, journalists and analysts in those countries.
Sophisticated threat actors have targeted parliaments of several other countries for espionage and other malicious activities.
In December 2020, Finnish police and parliamentary officials launched an investigation into a security incident in which attackers gained access to an internal IT network and appeared to have compromised the email accounts of lawmakers (see: Finnish Officials Investigate Member of Parliament Email Hacking).
Previously, Norwegian officials announced that they believed a Russian-linked hacking group known as APT28, or Fancy Bear, was responsible for a campaign discovered in August in which the email accounts of several elected officials and government employees were compromised (see: Norway Says Parliament Link APT28 Hacking With Russia).
In 2019, hackers broke into the Australian Parliament network, although investigators found no evidence that the attackers stole any data (see: Hack Attack Breaches Australian Parliament Network).