An “intolerable” cyberattack: this is how Berlin described, on Friday May 3, an attack against members of the German Social Democratic Party (SPD), which it attributes to Russian hackers, the “APT28” group, which would be behind several attacks against political institutions in Germany and on European soil in recent years.
“Today we can say unambiguously that we can attribute this cyberattack to a group called APT28, which is led by the intelligence services of Russia,” the German Minister of Foreign Affairs said at a press conference in Australia. Foreign Affairs, Annalena Baerbock. The federal investigation into this attack, which targeted the party in January 2023, has just been completed, the minister said, without giving further details. “This was a Russian-backed cyberattack against Germany and it is absolutely intolerable and unacceptable,” she added.
The German government said on Friday that it had summoned the charge d’affaires of the Russian embassy. “It is a clear diplomatic signal to summon the current charge d’affaires to make it clear to the Russian government that we do not accept these actions,” a spokesperson for the Ministry of Foreign Affairs told the press.
The Czech Foreign Ministry said on Friday that Prague had repeatedly been the target of cyberattacks orchestrated by a group with links to Russian military intelligence. “Some Czech institutions have been the target of cyberattacks exploiting a previously unknown vulnerability in Microsoft Outlook from 2023,” the ministry said in a statement.
Phishing attempts
The group “APT28”, also known as “Fancy Bear”, is accused of being responsible for dozens of cyberattacks around the world, including against political parties. In France, this cell has increased attacks against government entities, businesses, universities and research institutes in 2023, according to a report published on October 26, 2023 by the National Agency for Information Systems Security (Anssi).
Since 2021, Anssi has counted nearly fifteen reports of attacks carried out using APT28’s modus operandi, some targeting several dozen entities at the same time. The group particularly attacks employees’ personal email boxes in order to recover data, emails or access other machines in a system, sometimes with administrator rights. In particular, the group used for more than a year, from March 2022 to June 2023, a security vulnerability in Microsoft’s Outlook email that allowed entry into a system without any user interaction.
Hackers also use social engineering, which consists of collecting data on their target to mislead them with credible messages, such as phishing emails. Once its targets click on a malicious link, the group uses tools to extract passwords stored on the computer or manages to obtain passwords to log into administrator accounts. Faced with this threat, the Agency recommends a series of usual precautions for organizations to take, such as the use of strong passwords.
Political interference
Before the German SPD, the APT28 group – a name designating the technical name of the GRU, Russian military intelligence and used here by experts to talk about this cell of hackers – had already attacked European political parties. According to The worldAPT28 and the Sandworm group, both close to the GRU, are at the origin of “MacronLeaks”, namely the hacking and dissemination of thousands of internal documents to the entourage of future President Emmanuel Macron during his 2017 campaign .
In March of that year, before the first round of the French presidential election, a group of hackers sent emails intended to trick their targets into stealing their usernames and passwords. Then at the end of April, another Japanese company, which knows these hackers very well, revealed the creation of websites reminiscent of those of Emmanuel Macron’s party. This group was also accused by American intelligence of having interfered in the 2016 presidential election in order to favor Donald Trump over his rival Hillary Clinton.
This is also not the first time that Germany has been targeted by the “Fancy Bear”: in 2018, German services revealed that Russian hackers had already infiltrated the computer network of the federal administration, with the aim of copying data, a few months before the legislative elections of September 24, 2017, said The world at the material time.
More recently, an SPD official has also already been the target of an attack in 2023, according to the European Union’s IT security agency, based on information from the German press. These sources reported “concrete signs” of a Russian origin, according to the agency. Germany declared on Friday May 3 that these attacks would not remain without consequences.