While the outage was brief, it was enough to rattle nerves — especially among those who had heard a rumor that, two weeks earlier, hackers had gained entry to the computer system by sending an email seemingly from the United Nations. Once a recipient clicked on a link in the email, however, it opened the door for malware to enter the parliament’s computer system.
A Bundestag committee on the hack was later informed that the intruders — possibly a team of Russian hackers, known variously as APT28, Sofacy and Fancy Bear, with suspected links to the Kremlin — had roamed around freely in the system for three weeks, spying on communication between lawmakers and their staff, and eventually absconding with a large trove of information.
In the aftermath, the parliament held several emergency meetings and brought in government cyber specialists to analyze the attack. Eventually, the network and its security system were rebuilt from scratch, according to Klaus Vitt, Germany’s highest ranking government official in charge of information technology.
But by then, the proverbial horse had bolted.
To this day, it is not clear what the hackers stole, though it is likely to include confidential emails and documents regarding the day-to-day business of parliament as well as more mundane exchanges between the more than 5,000 people who work in the Bundestag and across the country in various constituencies.
While the hack could be a case of old-fashioned espionage conducted with modern means — in part because of its similarity to the hacking of the Democratic National Committee in the United States, which the same Russian group reportedly pulled off a few months later — some German officials believe that the stolen information is more likely to be used as a weapon, making it a ticking bomb under the German elections in September.
“The danger is real,” said Vitt, who reports directly to Interior Minister Thomas de Maizière.
Array of risks — and fears
As Germany prepares for the fall elections, much attention has been given to so-called fake news — disinformation campaigns, some of it reportedly backed by the Kremlin in an effort to thwart Chancellor Angela Merkel’s chances of reelection. Indeed, German legislators last week proposed a law to impose penalties on social networks that fail to delete fake news, and Facebook recently announced that by the end of this year it will hire more than 700 people in Berlin to review news content.
But in almost a dozen conversations with POLITICO, lawmakers, government officials and cybersecurity experts expressed concern about hacking — and the possible political use of information from attacks that have already taken place.
The interviews, many of which were conducted on condition of anonymity, also revealed how Germany was vulnerable to such attacks due to cultural attitudes, poor security systems as well as a lack of understanding of the threat itself. While the network has been rebuilt and security has improved, weak spots remain — some of them inevitable, as adapting to the ever-changing threat of cyber attacks invariably resembles a cat-and-mouse game.
One of the greatest frustrations for German security officials has been that, despite repeated warnings, many lawmakers remain unwilling to take the most basic precautions against attacks, such as creating more secure passwords or installing anti-virus programs on their private devices.
“I couldn’t give a shit,” said one member of parliament when asked about whether he or his staffers had been paying closer attention to cybersecurity since the 2015 attack.
Historic fear of surveillance
Paradoxically, it was a concern over privacy that partly opened the door to the spying. Fear of surveillance is pronounced in Germany, where memories of spying by the Stasi, the East German secret police, still cast a long shadow.
The fact that Germany’s domestic secret service kept dozens of MPs from the opposition party Die Linke on a watchlist hasn’t helped quell such fears, and lawmakers have been concerned that if the government ran the Bundestag’s computer systems then intelligence services would have a backdoor to obtain information.
“If the parliament’s infrastructure was connected to Germany’s government network, this would essentially mean that it was in fact overseen by the interior ministry which would also grant Germany’s domestic intelligence service access to it,” said Konstantin von Notz, deputy chairman of the Green Party in the Bundestag and their spokesman on digital policy.
This, he said, could undermine the democratic separation of powers. “Just ask yourself the question: ‘Would you be willing to hand over [those powers] … to the secret service and the executive side?’”
As a result, the Bundestag’s network was serviced for years by a patchwork of less secure servers. After the attack, privacy concerns threw up another hurdle: Since by law data could only be stored for seven days on the servers, government experts struggled to reconstruct what had been stolen as some of the data from the time of the intrusion had already been deleted. Following the attack, the policy was changed and data is now stored for three months.
But while the network is more secure today than it was in 2015, “room for improvement remains,” said von Notz, though he declined to be more specific because of security concerns.
According to experts, one of the main vulnerabilities is the “human factor.” While human folly is not just a German problem, the greatest challenge remains the possibility that one negligent individual can open the door for intruders to infiltrate the entire network.
The typical modus operandi in so-called phishing attacks is for the hacker to send what appears to be an email from a legitimate source but which in fact aims to trick the user into revealing his or her password, as was the case after the DNC hack in March last year when intruders gained access to Hillary Clinton’s campaign manager John Podesta’s 60,000 emails via a message that looked like it came from Google. A typo by an aide reportedly led to the debacle.
With such human frailty in mind, a “central technical premise” in the rebuilding of the Bundestag network, according to a government report, “was — and remains — that one single compromised work computer must not lead to an entire network being compromised.”
Wave of attacks
The Bundestag hack in May 2015 wasn’t an isolated incident. In the past few years there have been several attacks on critical computer infrastructure connected to German institutions, including one earlier in 2015 when a pro-Russian group brought down parliament websites during a visit by Ukraine’s then-Prime Minister Arseniy Yatsenyuk.
In the spring of 2016, Merkel’s Christian Democratic Union (CDU) was attacked, with intruders trying to get access to account names and passwords of party members, apparently without success. Later in 2016, another attack on the Bundestag was fended off before intruders could access the servers.
With high-stakes elections approaching, officials and cybersecurity experts fear a wave of attacks between now and September.
“We expect [attacks] to increase during the next months,” said Sebastian Neef and Tim Philipp Schäfers, two white-hat hackers and the founders of Internetwache.org. “Particularly phishing attacks against single individuals … to gain first access to networks and organizations.”
Officials are reluctant to talk publicly about the threat or what’s being done to counter it.
The Bundestag administration denied requests for interviews, explaining in a written statement that “it makes sense not to give any public statements, to prevent giving tips to potential assailants.”
Representatives of both the CDU and Martin Schulz’s Social Democrats (SPD) denied requests for interviews.
A CDU spokesperson confirmed in an email that they have suffered repeated attacks, adding that the party constantly updates its IT protocols and cooperates “with external security experts who advise us early and comprehensively.”
“Of course, we take cyber attacks seriously,” wrote an SPD spokesperson. “However, we ask for your understanding that we don’t give out any information about how we deal with them.”
Some things about the government’s efforts are known. Cyber response units are being embedded in all German security agencies, ready to strike back in case of an attack. Berlin is also centralizing the government servers, currently spread across separate locations. And the National Cyber Defense Center will act as a central hub for security agencies — including Germany’s armed forces, who run their own cybersecurity unit, and the country’s foreign intelligence agency — to exchange information about attacks and suspects.
One challenge that remains is the lack of cyber specialists in the public sector. Even Germany’s national cybersecurity authority overseen by the interior ministry, known as the Federal Office for Information Security, or BSI, suffers from a lack of expertise. In the aftermath of the 2015 attack, of the almost 600 people at the agency, only about 15 understood what had happened, according to an assessment made by the BSI director at the time.
Since 2015, however, the BSI has staffed up, with plans to fill another 180 positions by the end of this year, bringing the total number of full-time positions to more than 800, according to the ministry. And “the BSI is only one unit in our National Cyber Defense Agency,” said Vitt. “We have more experts in the federal police, in the armed forces and in both our domestic and the foreign intelligence agencies.”
Still, the government has a hard time competing for the sharpest cyber talents who can take home bigger paychecks in private employ.
“It wasn’t easy to fill those positions,” Vitt said, in reference to the BSI hires. “Placing an ad in some newspaper wouldn’t be enough.”
‘Under a microscope, everyone looks crappy’
When the computers in the German parliament shut down in May 2015, it wasn’t actually another attack. Rather, it was a defensive move: the network’s connection to the internet was cut in an effort to boot out the intruders. But the hole wasn’t entirely plugged: it took IT experts another week until they could stop the hackers from extracting data.
Almost two years later, two central questions remain unanswered: Were the Russians really behind this and, if so, what did they want?
Attributing cyber attacks is highly complicated and computer experts agree that, in many cases, it’s impossible to say with certainty where an attack came from.
“We’re dealing with very professional assailants, that’s why only in rare cases you can identify them beyond doubt,” Vitt said. He declined to comment specifically on the Bundestag intrusion but said his agency had strong indications that the majority of attacks in Germany originate in Russia and China.
An independent analysis of the attack by a security researcher concluded in 2015 that “the attack was perpetrated by a state-sponsored group known as Sofacy (or APT28)” — the group also fingered in the DNC hack.
However, some caution that foreign intelligence services can disguise cyber attacks to appear as if they originate from another country.
In January 2016, the federal prosecutor launched an investigation into possible activity by foreign agents, based on findings by the German domestic intelligence agency, the prosecutor’s office confirmed to POLITICO. The investigation is still ongoing.
But an initial government analysis suggested that the intruders, among other things, targeted “select email inboxes from the political sector.” The intruders also recorded keystrokes in real time and took screenshots of what was on people’s desktops, the analysis found.
Did the intruders collect material for an information bomb to detonate closer to the election, much in the way of the WikiLeaks release of the DNC emails just a few months before the U.S. elections?
Bundestag officials say it is a distinct possibility. And while it is unlikely that highly confidential material was among the files obtained, even minor things could create major headaches — if, for example, lawmakers were caught making fun of colleagues or party leaders, googling images of their interns, or ordering overpriced office supplies.
As one MP put it: “Under a microscope, everyone looks crappy.”
Author: Janosch Delcker