On September 6, Germany officially warned Russia about alleged cyberattacks against German politicians ahead of the country’s upcoming parliamentary elections.
The warning came after German authorities in March said Russia-linked hackers had committed cyberattacks against seven members of the Bundestag and 31 members of state parliaments across Germany, according to Deutsche Welle (DW), Germany’s public state-owned international broadcaster.
Regarding the most recent attacks, DW quoted German Foreign Ministry spokesperson Andrea Sasse, who said hackers had tried to obtain the personal login details of politicians from Germany’s Christian Democratic Union, outgoing Chancellor Angela Merkel’s party, as well as the Social Democratic Party.
“The German government has reliable information on the basis of which Ghostwriter activities can be attributed to cyber actors of the Russian state and, specifically, Russia's GRU military intelligence service,” Sasse said.
As usual when addressing hacking accusations, the Kremlin said Russia wasn’t involved.
“Russia has repeatedly denied the accusations of complicity in hacker attacks in Germany,” the state-run TASS news agency wrote in a piece posted on September 6.
“No German agency or organization concerned has provided any evidence that might prove the charges the hackers might be connected with Moscow.”
That is misleading.
The key is the hacker group associated with the name "Ghostwriter."
In March, Germany alleged that Ghostwriter spread disinformation that aligned with Russian foreign policy interests, most of it anti-NATO messaging that targeted audiences in Poland, Lithuania, Latvia and Ukraine.
Besides German authorities, other governments and private companies have traced Ghostwriter to Russia. For example, the DW article cited the private U.S. firm Mandiant Threat Intelligence, which reported in 2020 that Ghostwriter’s disinformation campaign stretched back to 2017.
German authorities haven’t publicly provided evidence pointing to Russia in the hacking of politicians. In 2020, however, Merkel claimed that authorities had “hard evidence” of Russian involvement in a 2015 attack on the Bundestag. German authorities issued an arrest warrant for Dmitry Badin, a Russian national accused of working for the GRU (Russia’s military intelligence agency).
The private cyber intelligence firm Pervalion has dubbed the Ghostwriter hackers “UNC1151.”
“UNC1151 is likely a state-backed threat actor waging an ongoing and far-reaching influence campaign that has targeted numerous countries across Europe,” a Pervalion bulletin reads.
“Their operations typically display messaging in general alignment with the security interests of the Russian Federation; their hallmarks include anti-NATO messaging, intimate knowledge of regional culture and politics, and strategic influence operations (such as hack-and-leak operations used in conjunction with fabricated messaging and/or forged documents).”
Many of the methods used by the Ghostwriter hacker collective are identical to those attributed to Fancy Bear and Cozy Bear, hacker groups reportedly connected to Russia's intelligence services. The United States indicted multiple Russian operatives for the hack-and-leak operation in the 2016 U.S. presidential election.
Hackers commonly use a method known as spear phishing to gain access to sensitive information. It involves targeting key computer users with phony emails containing links or files which, when opened, ask for the user’s access credentials. If the user falls for the message, hackers gain access via that user’s account.
German parliamentary elections are scheduled for September 26, and Russian meddling in the country's politics hasn’t been limited to cyberspace. On September 1, a trial began for an ex-security company employee accused of spying on Germany’s parliament for Russia.
Authorities say that, in 2017, the man passed floor plans of the Bundestag and other government buildings to Russia’s military attache in Berlin.
On September 3, Politico reported on Russian disinformation in social media campaigns targeting German audiences via the German-language service of RT (Russia Today).
According to the magazine, these campaigns commonly promote skepticism about COVID-19 vaccines and other anti-pandemic measures.
Monitors have noted that Russia supports German political parties like the far-right AfD (Alternative fur Deutschland) but has aimed negative information at Germany’s Green party, which opposed Russia’s Nord Stream II, the natural gas pipeline that runs under the Baltic Sea to provide Russian gas directly to Germany.