Massive data breach in Germany the work of a Russian hacker group
7 January 2019
Security researchers have revealed that there are indications that the recent data breach in Germany, which involved the compromise of personal information of hundreds of German politicians and public figures, could be the work of a Russian hacker group known as Turla.
Late last week, the German media reported that personal information of hundreds of German politicians as well as public figures including Chancellor Angela Merkel was leaked on Twitter by unknown hackers. The said information included personal phone numbers, identity cards, letters sent and received by politicians and celebrities, and credit card numbers.
The massive data leak compromised the privacy of politicians associated with almost all major political parties except for politicians affiliated with Alternative for Germany (AfD), a surging right-wing party with strong views on immigration.
After the news became public, the Ministry of Interior said in a statement that hackers had gained access to such data through “wrongful use of log-in information for cloud services, email accounts or social networks” and that computer systems of neither the government nor the lower house of parliament had been breached.
A local newspaper report also revealed that the massive information leak affected 410 members of the ruling Christian Democratic Union of Germany, 230 members of the Social Democratic Party, 106 members of the Green Party, and 91 members of The Left Die Linke.
Russian hacker group behind the data leak
While Germany’s cyber defence agency is presently investigating the information leak and trying to gauge how hackers got their hands on such private details of politicians and celebrities, security researchers at Proofpoint have revealed that the leak could have been carried out by a Russian hacker group known as Turla.
“While actor attribution is notoriously difficult, early indications suggest that the Russian APT group Turla (a.k.a. Snake, Venomous Bear, Waterbug, and Uroboros) is behind the German data breaches reported earlier today,” said Chris Dawson, Threat Intelligence Lead at Proofpoint.
“Proofpoint researchers have seen Turla targeting German interests before, particularly leveraging a G20 summit on the Digital Economy that took place in Hamburg in October 2017; other activity associated with this group has been well-documented and stretch back to at least 2008.
“Even as additional details about the German cyber-attacks continue to emerge, organizations and agencies worldwide should look at their defenses against a variety of attacks, whether state-sponsored or financially motivated.
“Layered defenses at the network edge and email gateway can prevent exposure to a range of threats or alert administrators to exfiltration of data while up-to-date endpoint protection and rigorous patching regimens can help prevent exploitation of device vulnerabilities. Finally, user education is critical to enabling users to be last lines of defense, spotting potential attacks via email, the web, and other vectors,” he added.
In March last year, it was alleged that hackers affiliated with Turla had managed to compromise Informationsverbund Berlin-Bonn, a server that served as a communication exchange platform for several government ministries, the parliament, the Federal Audit Office, the Chancellery, and other government departments in Germany.
According to German daily Süddeutsche Zeitung, Turla hackers hackers weaponised emails with malicious code before sending them to Outlook inboxes of German officials. Once opened automatically by Outlook, these attachments activated previously-injected malware in systems owned by the German Foreign Office, which then proceeded to send data stored in such computers to a remote server.
“So the Turla hackers send an e-mail to a computer that they have already infected with malware. Because after the infection, the attackers have to somehow get the data interesting for them from the completed networks. Hacker groups typically try to establish encrypted connections to a server over the Internet and send the data from the protected area directly to them.
“They use this infrastructure to communicate from the outside with their malicious software. In the networks of the Foreign Office, however, according to SZ information such connections are blocked. The only way out leads therefore via Mails. So also the control of the malicious software should have gone over mail,” read a translated version of the report.