Cyber-Espionage Hits Berlin The Breach from the East

German intelligence officials issued warnings back in 2016 of a cyber-espionage group known as Snake. But the apparently Russian hackers behind the group were able to breach the German government nonetheless. By DER SPIEGEL Staff
Inside the Federal Office for Information Security

Inside the Federal Office for Information Security

Foto: Oliver Berg/ Picture Alliance

They are said to be an elite group among the Russian hackers -- a bit cleverer than the others, more cautious, more patient, but highly dangerous, not unlike a venomous snake. German intelligence agencies cannot yet say when the group known as "Snake" managed to penetrate the Federal Academy of Public Administration in the town of Brühl, just south of Cologne. It must have happened by late 2016 at the latest. That, after all, is how far back the digital tracks can be followed.

It is also unclear how the hackers, who are thought to be connected to Russia's domestic intelligence agency (FSB), breached the system. They could have snuck in through a link in an enticing email that was clicked on by an unsuspecting user, or via visits to fake websites that triggered the malware.

What is clear, though, is that after they first infiltrated the system in Brühl, the hackers were able to comb through the German Federal Administration Information Network, or IVBB, which is used by key legislative and government bodies. Eventually they reached their objective: Department 2 of the Foreign Office, the section that is responsible for German foreign policy within the European Union and for Germany's relations with the countries of Europe, North America and Central Asia -- including Russia.

The damage caused by the latest hack against the German government appears to be limited. A total of 17 computers were affected in the Foreign Office, and it is estimated that only three documents were siphoned off, with a data volume of 240 kilobytes. But that's just an initial assessment.

The German government and the intelligence watchdogs on the parliamentary control committee are alarmed -- not just because the hackers used the Academy of Public Administration as a gateway, an institution run by a former head of Germany's domestic intelligence agency. They are also concerned because, by infiltrating the IVBB, they have penetrated a network that was thought to be highly secure.

Embarrassing Questions

The IVBB is a vital channel for German officialdom. It links major organs of government, including the Chancellery, ministries, the two houses of the German parliament as well as German diplomatic missions abroad and all federal intelligence agencies. Emails, phone calls and video calls are routed through the network along with documents with security ratings up to "classified -- for official use only." Documents with higher security ratings are sent via other channels.

After the hack of the Bundestag , Germany's parliament, in 2015 -- in which alleged Russian hackers from the APT28 group stole 16 gigabytes of data -- the Federal Office for Information Security (BSI) criticized the susceptibility of the parliament's system while at the same time praising the ostensibly secure IVBB.

Now the BSI and other intelligence agencies have to answer embarrassing questions about why they are incapable of protecting the communication networks of the German government. When a country is vulnerable in such a sensitive area, the entire system becomes unstable.

Aside from the obvious tasks of rendering its IT infrastructure more secure as quickly as possible and determining which technical and human resources urgently require investments, the German government has to decide how to react to this apparently state-sponsored attack from Russia.

The Federal Prosecutor's Office has launched a preliminary investigation into suspected espionage. That's the legal response. But what about the political reaction? And how is Germany arming itself against the digital army from the East that is operating with increasing strategic and technological proficiency?

The hackers at Snake have proven beyond doubt that they are formidable foes. They are thought to have penetrated embassies, international organizations, defense contractors, governments and intelligence agencies around the globe. The group has even attacked U.S. Central Command.

'On an International Scale'

Security experts say that the programming code is significantly more advanced than other alleged Russian cyber campaigns like APT28 and APT29, better known as "Fancy Bear" and "Cozy Bear."

Estonian intelligence officials claim to have found connections between Snake and Russia's FSB, and experts from the cyber community concur. Likewise, the group could be affiliated with a massive, worldwide hacking campaign -- dubbed "Red October" -- against diplomats, military officials and nuclear researchers.

Germany's domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), warned German defense companies back in May 2016 that they could be targeted by the Russian cyber attack campaign launched by Snake. The BfV indicated it was a "cyber espionage operation of exceptional scope and quality, systematically executed over a long period of time on an international scale."

Even then, German intelligence officials suspected that it was a "state-coordinated attack." The malware used was "highly advanced and complex." As evidence that the hackers came from Russia, the BfV pointed to the language setting "code 1251," which enables the display Cyrillic characters. In addition, there was a noticeable spike in activity during normal office hours in Moscow and St. Petersburg.

A German parliamentarian heading to a meeting to discuss the 2015 hacker attack on the Bundestag.

A German parliamentarian heading to a meeting to discuss the 2015 hacker attack on the Bundestag.


German IT security experts dubbed the cyber-attack campaign "Uroburos," after the old Greek symbol for a snake that is eating its own tail. This was because the malware source code contained the string UrObUr()s.

A foreign partner agency brought the IVBB attack to the Germans' attention on December 19 last year. On January 5, the BSI discovered the breach at the Academy in Brühl. Since then, the security agency has surreptitiously allowed the attacks to continue in a bid to identify the perpetrators and learn about their methods. To do so, BSI experts isolated, mirrored and simulated the communication of the compromised computers so the attackers would have the impression that everything was still proceeding according to plan. They couldn't cause any more damage anyway.

In cyberspace it is virtually impossible to find incontrovertible evidence for who is behind an attack. The planted programming code can carry a certain signature, like a timestamp that indicates office hours, or certain spellings and typos.

Of Russian Origin

Other clues include the servers that receive the stolen data. These servers frequently belong to institutions like universities that were likewise hacked without their knowledge. Sometimes hackers use these servers repeatedly, which creates a recognizable infrastructure. Cyber investigators can then compile an attack profile. Who could benefit from the attack? Is it possible that a state is behind it?

The culprits rarely directly reveal their identities, but this is precisely what happened with APT28. IT experts were able to watch as filched files were inadvertently sent to a server in a Moscow office complex that houses the foreign military intelligence agency, GRU.

But traces in the code can also be manipulated. Typos can be introduced on purpose and software components can be deliberately compiled at certain times of the day to give the erroneous impression that the perpetrators are located in a certain country. Such deceptive maneuvers are referred to as "false flag" operations.

In recent months, though, there have been increasing signs that many of the hacker attacks on Western companies and government authorities are of Russian origin. Russia has emerged as an aggressive digital power that is pulling out all the stops to wage cyber warfare.

The German Foreign Ministry in Berlin

The German Foreign Ministry in Berlin

Foto: Kay Nietfeld/ dpa

Twitter, for example, recently issued warnings to over 1.4 million of its users who were following a newly identified Russian troll account and, in some cases, retweeting its posts. Likewise, the social networking platform gave the U.S. Congress a list of more than 3,800 user accounts that, according to internal investigations, were associated with the notorious Russian Internet Research Agency (IRA) and have now been suspended -- along with over 200,000 deleted propaganda tweets.

The indictment issued by US special counsel Robert Mueller, who is investigating Russian meddling into the 2016 presidential election, cites the IRA as the main Russian organization responsible for the cyber campaign and has charged 13 Russian operatives in absentia with interfering in the elections. "The United States is under attack," Director of National Intelligence Dan Coats told the Senate Intelligence Committee, adding that "there should be no doubt that Russia perceives its past efforts as successful and views the 2018 U.S. midterm elections as a potential target."

At least as alarming are the activities that do not target public opinion, but instead seek to harm companies, supply chains and infrastructure. Although largely unnoticed by the general public, Western intelligence agencies have recently branded Russia as the architect of one of the most destructive cyber attacks ever.

Pure Destruction

In June of last year, a crippling malware attack erupted in Ukraine and spread with explosive speed, encrypting computers and rendering them unusable. In contrast to many similar ransomware attacks, the computers could not be operated normally again even after payments were made in the cryptocurrency Bitcoin. The perpetrators were obviously seeking to wreak pure destruction.

The attack, referred to as NotPetya, hit large companies like shipping behemoth Maersk, logistics giant TNT, pharmaceuticals company Merck, German Nivea manufacturer Beiersdorf and food corporation Mondelez (which manufactures "Milka" chocolate). Maersk alone estimates that it has suffered damages of several hundred million euros; Beiersdorf says that it has incurred losses thus far of 35 million euros.

In mid-February, the British government issued an unusually blistering public statement denouncing the Russian military for the "destructive NotPetya cyber attack." Earlier, the CIA had concluded with "high confidence" that the Russian foreign military intelligence service GRU had developed the malware.

Western governments are pointing the finger clearly at Moscow in large part because their intelligence agencies have succeeded in gathering precise information on Russian hacker groups.

A particularly spectacular coup has been attributed to the Dutch intelligence agency AIVD. In 2014, its elite hackers reportedly penetrated dubious computer systems in Moscow that were located inside a university building near Red Square, according to an article published by the Dutch newspaper de Volkskrant in late January. The Dutch had apparently successfully hacked into a unit known as Cozy Bear, or APT29. The unit has been active for many years and is known to have been behind several high-profile hacking operations.

The agents were reportedly even able to infiltrate the surveillance cameras, allowing them to compare the faces of the hackers with previously identified Russian intelligence operatives. They were also able to determine that the team worked in shifts of roughly 10 people. The Dutch were apparently even able to observe as the Russians geared up for the U.S. election campaign by hacking the email server of the Democratic National Committee.

American intelligence agencies had revealed back in 2014 that a "Western ally" had helped to avert a large-scale cyber attack on the U.S. Department of State. The reference was likely to the AIVD, with its comparatively modest human and financial resources. The head of the Dutch agency, Rob Bertholee, told Dutch television that he had no doubt that the Kremlin had orchestrated the cyber attack.

'Conventional Espionage'

Germany, so it seemed, has been spared such attacks in recent months. Contrary to expectations, the documents stolen from the Bundestag in 2015 did not appear on any whistleblowing platforms. During the German general election campaign, no manipulation was apparent, although all government agencies had issued warnings prior to the vote.

Still, German authorities would be best advised not to let down their guard, as the Snake case shows. This appears to be a case of "conventional espionage," though, at least according to Russian intelligence expert Andrei Soldatov: "It's one thing when information is gathered in the background, and another when this information is made public, for example, via WikiLeaks."

But the APT28 hacker group has also repeatedly attacked targets in Germany over the past few months. According to intelligence sources, for instance, the computer system of the Bonn-based International Paralympic Committee was hacked. The culprits had no problem gaining access: They loaded the malware onto the Android smartphone of one of the committee's delegates while he was staying at a Moscow hotel. The hackers used the hotel's WiFi. Operatives from a Russian intelligence service are believed to have been staying in the hotel at the same time, possibly yet another indication of Russian state involvement in targeted hacker attacks.

One can only speculate on why the Russians might be interested in the Paralympics. It is possible that they were looking for access to the servers of the International Olympic Committee, an organization that has been closely involved in leveling doping allegations against Russian athletes.

Officials also discovered an attack in Berlin that began way back in December 2016, when hackers apparently sought to infiltrate the German Institute for International and Security Affairs. The think tank is one of the most influential German research institutions for foreign and security policy issues, and it advises both the Bundestag and the German government. The institute claims the phishing attempt was unsuccessful and had been in touch with security officials regarding the incident. According to intelligence circles, APT28 was presumably behind the attempted attack.

Intelligence agency representatives and politicians have been demanding for quite some time that attacks be retaliated against with decisive countermeasures, known as hack-backs. Armin Schuster, the man responsible for domestic policy in parliament for Chancellor Merkel's Christian Democrats, would like to see Germany take a more proactive approach to cyber defense. "We can't just build fences," he says, "we also need the ability to penetrate the networks of the attackers, erase stolen documents and, in extreme cases, even take over servers or cripple them." But Sven Herpig from the Stiftung Neue Verantwortung, an independent think tank in Berlin, warns that this could trigger a spiral of escalation.

Antagonizing the Germans

Internet experts like Anke Domscheit-Berg, a member of parliament for the far-left Left Party, even go so far as to say that German agencies like the new Central Office for Information Technology in the Security Sector (ZITiS) may be partly to blame for the latest uptick in cyber attacks. ZITiS is tasked with making it possible for intelligence agencies to decipher encrypted communications. To do so, it must identify software vulnerabilities on its own or buy such information from elsewhere. But Domscheit-Berg sees it as the government's duty to close these security gaps as quickly as possible. Likewise, the domestic policy spokesman for the parliamentary group of the center-left Social Democrats (SPD), Burkhard Lischka, says that the German government should first focus on making its own network more secure. He says that there are clearly vulnerabilities in the system that security agencies like the BSI have failed to recognize.

On the political front, the hacker attacks reveal the extent to which German-Russian relations have suffered in recent years. Both sides eye each other with suspicion and distrust and Russian President Vladimir Putin appears to no longer have any qualms about antagonizing the Germans.

One silver lining is that Moscow and Berlin are at least still on speaking terms. Last year, Merkel reportedly warned Putin that there would be consequences if Russia interfered with the German general election. Afterward there were evidently no attempts at manipulation, but the hacker attacks continued quietly in the background.

So far, the German government has failed to take tougher measures. No ambassadors have been summoned; no sanctions against Russia have been imposed for engaging in cyber attacks.

That restraint, however, could simply be a reflection of the fact that espionage is simply part of day-to-day reality, even for democratic countries like Germany. Germany's foreign intelligence agency (BND), after all, also has Russian targets in its sights.

Translated from the German by Paul Cohen