German Parliament Bundestag targeted again by Russia-linked hackers

Several members of the German Parliament (Bundestag) and other members of the state parliament were hit by a targeted attack allegedly launched by Russia-linked hackers.

German newspaper Der Spiegel revealed that email accounts of multiple members of the German Parliament (Bundestag) were targeted with a spearphishing attack.

The messages were sent by threat actors to the private email addresses of the German politicians. The attackers are suspected to be members of the group tracked as Ghostwriter, which works under the control of the Russian military secret service GRU.

“The Bundestag has again become the target of alleged Russian hackers. According to SPIEGEL information, the computers of at least seven members of the Bundestag were attacked,” states the report published by Der Spiegel. “The attack by the group called ‘ghostwriters’ is said to have been carried out via so-called phishing emails to the private email addresses of politicians, i.e. messages from supposedly trustworthy senders whose aim is to hijack the entire account.”

At this time it is not clear whether the attackers were able to steal sensitive data during the intrusion.

Seven members of the German federal parliament (Bundestag) and 31 members of German regional parliaments were hit by the attack; most of them are members of the CDU/CSU and SPD parties.

Frank Bergmann, a spokesman for the Bundestag, told The Record that the attack did not impact the infrastructure of the German Bundestag. Once the attack was uncovered, the German authorities notified the impacted politicians.

Der Spiegel also reported that, according to government circles, the threat actors targeted political activists in Hamburg and Bremen as well.

In August, researchers from FireEye reported that the GhostWriter group was behind a disinformation campaign that started in at least March 2017 and is aligned with Russian security interests.

Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks. Instead, the threat actors behind this campaign abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.

The attackers replaced existing legitimate articles on the sites with the fake content instead of creating new posts.

The attackers were spreading fabricated content, including falsified news articles, quotes, correspondence, and other documents designed to appear as coming from military officials and political figures in the target countries.

According to the experts, the campaign primarily targeted audiences in specific member states of the alliance, including Lithuania, Latvia, and Poland.

Ghostwriter operators focused on spreading fabricated quotes, such as a quote falsely attributed to the commander of the NATO eFP Battle Group that was used to push a narrative that 21 Canadian soldiers stationed in Latvia had been infected with COVID-19.

In October 2020, the Council of the European Union announced sanctions imposed on Russian military intelligence officers, belonging to the 85th Main Centre for Special Services (GTsSS), for their role in the 2015 attack on the German Federal Parliament (Deutscher Bundestag). The 85th Main Centre for Special Services (GTsSS) is the military unit of the Russian government also tracked as APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM).


Pierluigi Paganini

(SecurityAffairs – hacking, German Parliament)


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
