Breach Notification , Governance & Risk Management , Incident & Breach Response

German Parliament Battles Active Hack

Trojan Infections Persist, Despite Ongoing Cleanup
German Parliament Battles Active Hack

In the wake of a May malware attack against PCs and servers used by Germany's lower house of parliament, or Bundestag, the government's IT experts have so far been unable to eradicate all instances of the infections. As a result, some or all of the Bundestag's 20,000 PCs, as well as an undisclosed number of servers, may need to be replaced.

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

In a notice posted June 11 to the Bundestag's website, its president, Norbert Lammert, reported that the intrusion and related Trojan infections had yet to be "completely repelled and stopped."

Multiple German news outlets, quoting unnamed government sources, have since suggested that the hack attack was the work of Russians. But Peter Sommer, professor of cybersecurity and digital evidence at Britain's de Montfort and the Open Universities, cautions against reading too much into such blame games. "The Bundestag hack, and before that the vast attack on the U.S. OPM [Office of Personnel Management], tell us that sometimes too much emphasis is placed on alleged perpetrators at the expense of identifying and punishing poor basic security management," he tells Information Security Media Group. "All too often, the accusations about possible hackers are partly designed to distract attention from guilty system owners and managers."

Compounding the problem, Sommer adds, is the inherent difficulty of managing large government systems, and the challenges stemming from chronic under-spending on IT maintenance and upgrades. "Large legacy systems owned by governments are particularly vulnerable as they would have been expensive to set up, hold valuable information and are not updated to withstand today's threats," he says. "Corrective measures, too, are likely to be very expensive - and not welcome in times of austerity."

Admin-Level Access

The Bundestag malware attack appears to have been quite successful. Indeed, the attackers appear to have gained administrative-level rights for the entire infrastructure, Michael Hange, president of the Federal Office for Information Security, told a May 21 Bundestag Committee for Information and Communication Technologies meeting, according to minutes of the meeting cited by German newsmagazine der Spiegel. Officials have yet to disclose exactly what types of data attackers might have stolen; they may not yet know because related investigations reportedly still are continuing.

"We haven't seen this kind of attack before," said lawmaker Thomas Jarzombek from Chancellor Angela Merkel's Christian Democratic Union, who sits on the parliament's IT committee, The Wall Street Journal reported.

The malware attack campaign was first confirmed May 15 by parliamentary spokeswoman Eva Haacke, who said it appeared to have begun the same month. "There was an attack on the Bundestag's IT system," she said. "Experts from the Bundestag and the BSI are working on it." Haacke declined to offer any additional information about the breach.

According to multiple news outlets, the Bundestag had temporarily taken numerous PCs offline, including computers that were being used by a committee investigating claims that the U.S. National Security Agency had spied on Chancellor Merkel, as well as questions of collusion between the NSA and the Bundesnachrichtendienst German intelligence service, dating from 2002.

Earlier this month, Bundestag President Norbert Lammert said that internal IT teams had managed to stop all data exfiltration related to the hack attack by the end of May. But he said that the results of a digital forensic investigation suggested that "at least in parts," the Bundestag's infrastructure might need to be replaced.

Malware Still Active

"The Trojans are still active," an unnamed Bundestag source told der Spiegel. Quoting unnamed government sources, earlier this month, that publication also reported that government investigators had managed to unravel the malware, and found that it resembled malicious code seen in a 2014 attack against an unnamed German service provider, with that attack having been tied to Russia.

The German government has yet to publicly accuse any specific group or nation-state of having sponsored or launched the attack. "There's quite some evidence that we're talking about an attack by a foreign intelligence service," Interior Minister Thomas de Maiziere said in a June 12 speech to the Bundestag. But he declined to name which foreign intelligence service he suspected.

Brian Honan, a Dublin-based information security consultant and Europol cybersecurity advisor, says that such discussions are a distraction, especially when it comes to learning from the attack. "Speculating on unsubstantiated reports, or anonymous 'sources close to the incident,' does not help in dealing with the problem," Honan said. "Until hard evidence is presented as to who was behind the attack, we are better served by focusing on how the breach happened and what lessons we can learn from this incident to ensure our own organizations can survive a similar attack."

The Bundestag includes about 600 lawmakers, as well as numerous staff members and administrative employees. German newspaper Süddeutsche Zeitung has reported that all of the Bundestag's 20,000 PCs may need to be replaced, at a cost of millions of euros and several more weeks of downtime.

"This event highlights the ongoing risk to European government systems," as well as the potential costs related to having to clean up successful intrusions, threat-intelligence firm iSight Partners says in a research note.

Committee Was Probing NSA Surveillance

A Bundestag committee - that used the compromised PCs - in June 2014 began probing the National Security Agency's alleged surveillance of Chancellor Merkel. The investigation launched after der Spiegel, citing documents leaked by former National Security Agency contractor Edward Snowden, in October 2013 reported that the NSA had been monitoring a phone that Merkel used for party business, as part of its "Mystic" program.

But Germany suspended that probe June 12, with chief prosecutor Harald Range reporting that the committee had been unable to ascertain whether Merkel's phone had been bugged since 2002. "The documents published in the media so far that come from Edward Snowden also contain no evidence of surveillance of the cell phone used by the chancellor solid enough for a court," Range's office said in a statement. It added that unless "promising new investigative leads" were found, the investigation would not resume.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.