Cyber attacks traced to Russian military intelligence agency

Type: News, Topic: Security, Date: 03 May 2024

Federal Minister of the Interior Nancy Faeser: “We will absolutely not be intimidated by the Russian regime.”

Under the Federal Government’s national procedure for publicly attributing cyber attacks, the attacks in January 2023 on the SPD party headquarters and other targets, including defence, IT and aerospace companies, have been traced to Russian military intelligence. The threat group APT 28, which has ties to the Russian military intelligence agency GRU, was found to have exploited a previously undetected critical security gap in Microsoft Outlook over a long period of time in order to hack into email accounts. The Federal Government regards the cyber attack on the SPD party headquarters as serious interference with democratic structures.

“Russian cyber attacks are a threat to our democracy, and we are taking resolute action to oppose them. We are working closely within the EU and NATO and with our international partners,” Federal Minister Faeser said. Like the EU and NATO, the Federal Government strongly condemns these attacks.

Federal Minister of the Interior Nancy Faeser: “We will absolutely not be intimidated by the Russian regime. We will continue to provide massive support to Ukraine, which is defending itself against Putin’s murderous war.”

Measures to protect against hybrid threats in the context of the European parliamentary elections reinforced

The security authorities have ramped up all measures to protect against hybrid threats. Federal Minister Faeser said that the cyber attacks could be traced thanks to the excellent international cooperation among the security authorities. “With the European parliamentary elections and other upcoming elections this year, we must be especially prepared to defend ourselves against hacker attacks, manipulation and disinformation. Such attacks not only target individual parties or particular political figures; they are also intended to undermine our trust in our democracy.”

An increase in foreign disinformation and foreign manipulation and influence campaigns in the information space, along with cyber attacks, can be expected in connection with the European parliamentary elections. Phishing attempts targeting German political parties have recently been detected. In recent years, a wide range of cyber attacks has been observed ahead of elections around the world. These include hack-and-leak campaigns against political parties, in which emails and documents have been stolen and released into the public domain, in some cases with manipulated content. Attacks were also attempted on websites and servers hosting voter information or providing information about the election. Politically motivated hacktivism has also increased in Germany since the start of Russia’s war of aggression against Ukraine, and can go hand in hand with denial-of-service attacks on political party websites or events.

Federal Minister Faeser said: “It is all the more important that we have reinforced our protection measures so strongly and that we take action together.” To deal with the wide variety of threats, the Federal Ministry of the Interior and Community coordinates the measures taken by all the federal ministries to protect the European elections.

What is APT 28?

APT 28, also known as Sofacy, Fancy Bear, Pawn Storm and Sednit, is a cyber espionage group with ties to the Russian military intelligence agency GRU. APT 28 has been active globally since at least 2004. Its activities include cyber spying as well as disinformation and propaganda campaigns in cyberspace. APT 28 remains one of the most active and most dangerous global cyber threats. It was also responsible for the cyber attack on the German Bundestag in 2015.

How did the APT 28 cyber attacks unfold?

Starting in late December 2022, APT 28 mounted a cyber attack on the headquarters of Germany’s Social Democratic Party (SPD). The attack was part of a larger campaign that had been under way since at least March 2022, exploiting a vulnerability in Microsoft Outlook. The vulnerability allowed the hackers to steal data from users without their knowledge. Depending on how the compromised network was configured, hackers were then able to use this data to gain access to email accounts. They were also able to guess user passwords that were not sufficiently complex.

In its attacks, APT 28 used a network made up of hundreds of compromised small office and home office routers, known as a botnet, to disguise its involvement. In a globally coordinated operation led by the FBI, this cyber espionage network was neutralised in late January 2024. Germany’s domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), was involved in this operation from the start.

The attacks were attributed to APT 28 as the result of extensive cooperation between German authorities and their partners abroad. It was extremely important that attack victims were willing to cooperate with the authorities, which made it possible for the BfV to identify other, previously undetected targets of the campaign. The BfV worked with other authorities, in particular the Federal Office for Information Security, to warn these targets and help them deal with the attacks.

The BfV is responsible for gathering intelligence on cyber attacks, espionage and sabotage by foreign intelligence services, and it acts as a confidential point of contact.

What were the targets of the cyber attacks?

This campaign of cyber attacks was aimed at the SPD headquarters; at German companies in the logistics, defence, aerospace and IT services industries; and at foundations and associations. Foreign companies in these industries were attacked as well. The attacks outside Germany also targeted government institutions and critical infrastructure, particularly energy supply infrastructure. The attacks focused on targets related to Russia’s war of aggression against Ukraine.

What is the current threat environment in Germany?

The cyber security threat level was already high before Russia attacked Ukraine in violation of international law, and it has worsened further since then. Russia views cyber espionage and cyber sabotage as options for action and is not concerned about causing collateral damage and spillover effects as a result. As human intelligence operations become more difficult for them, the Russian intelligence services increasingly rely on cyber operations.

Originally published at https://www.bmi.bund.de/SharedDocs/kurzmeldungen/EN/2024/05/schutzmassnahmen-cyberangriffe-en.html

Author: EU editor