Germany’s Cyber Showdown: Russian State-Backed Cyber Operations Unveiled in Germany

Johannes Titus Jansen | 4 June 2024


Summary

  • German Foreign Minister Annalena Baerbock announced Russia will face “consequences” for a cyber campaign by APT28. Since Germany increased support for Ukraine in late 2022, the campaign targeted Chancellor Olaf Scholz’s SPD party and German industries, prompting Germany to summon Russia’s top envoy and seek sanctions with European partners. APT28 also targeted Czech and Polish institutions and was involved in interference in the 2016 U.S. presidential election and in “hack-and-leak” campaigns against WADA.

  • The intrusions exploited a vulnerability in Microsoft Outlook (CVE-2023-23397) and are part of Russia’s “hybrid warfare” strategy. The campaign highlights vulnerabilities in Germany’s critical infrastructure and the need to strengthen national cyber defences, a task assigned to the Bundeswehr’s “Cyber and Information Domain Service (CIR).” Germany’s call for sanctions against APT28 will likely lead to coordinated efforts among EU and NATO members on cyber defence and intelligence sharing, emphasising the growing threat of state-sponsored cyber-attacks.

  • In the short-term, Germany and EU states will prioritise immediate cybersecurity enhancements and monitoring, especially with the European Parliament elections in June 2024 where state-backed hacker groups are likely to attempt interference. In the medium-term, Germany and its EU partners will likely continue enforcing sanctions against APT28 individuals. In the long-term, due to the ongoing war in Ukraine, Russian state-backed hacking groups will likely continue targeting EU governments and the private sector as part of Russia’s “hybrid warfare” strategy. Efforts to develop international norms and regulations governing state behaviour in cyberspace will likely gain traction.


On 3 May 2024, German Foreign Minister Annalena Baerbock announced that Russia will face “consequences” for a long-term cyber campaign attributed by Germany to the hacking group APT28, also known as Fancy Bear, which is linked to Russia’s military intelligence agency (GRU). She emphasised that Germany regards the campaign as an attack on Germany in cyberspace.

Since Germany’s increased military and economic support for Ukraine in late 2022, email accounts and exchanges of Chancellor Olaf Scholz’s SPD party were compromised, alongside intrusions into the systems of companies in Germany’s logistics, IT, defence, and aerospace industries. In response, Russia’s top envoy was summoned to the German foreign ministry. The ministry stated it will work with European partners to sanction individuals working for APT28. In addition to targeting Germany’s political landscape, APT28 also targeted Czech and Polish government institutions. Multiple EU member states, as well as NATO, joined Germany in publicly condemning the attacks. APT28 has also been linked to interfering in the 2016 U.S. presidential elections and “hack-and-leak” campaigns against the World Anti-Doping Agency (WADA).


German officials reported that the intrusions exploited a vulnerability in Microsoft Outlook, CVE-2023-23397. The bug lets an attacker send a specially crafted email carrying a calendar or task reminder whose “reminder sound” property points to a UNC path on an attacker-controlled server. When Outlook processes the reminder it connects to that server and authenticates with the user’s NTLM credentials, leaking a hash that can be cracked or relayed; the victim does not need to open the message. APT28 is a highly skilled hacker group that has frequently targeted Western governments, political parties, journalists, media, and tech companies since the early 2010s. The campaign started during Germany’s debate on sending Leopard 2 tanks to Ukraine. Cyber campaigns like these are part of Russia’s “hybrid” war against Ukraine and its EU and NATO allies. Besides network intrusions, they include mass disinformation campaigns across the Western world.
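The following Python triage check is an added example and is not part of the original article or of any published tooling: it implements the hunt defenders ran after CVE-2023-23397 was disclosed, scanning exported message properties for a custom reminder sound that points at a UNC path on an external host. The MAPI property names are real (PidLidReminderFileParameter and PidLidReminderOverride, both in the PSETID_Common set); the item identifiers, the dictionary layout of an export, and the sample paths (using RFC 5737 documentation addresses) are constructed for the example.

```python
"""Triage exported Outlook item properties for CVE-2023-23397-style reminder abuse.

Outlook plays the file named in PidLidReminderFileParameter (PSETID_Common,
LID 0x851F) when PidLidReminderOverride (LID 0x851C) is TRUE. A UNC path to an
attacker-controlled host makes the client authenticate over SMB (or WebDAV when
the host carries an @port suffix), leaking a Net-NTLMv2 hash without any click.
"""
import ipaddress
import re

REMINDER_FILE_PARAMETER = "PidLidReminderFileParameter"
REMINDER_OVERRIDE = "PidLidReminderOverride"

# Constructed sample (hypothetical item ids, documentation addresses; not real mail).
SAMPLE_ITEMS = [
    {"id": "msg-001", REMINDER_OVERRIDE: True,
     REMINDER_FILE_PARAMETER: r"\\203.0.113.5\shared\notify.wav"},
    {"id": "msg-002", REMINDER_OVERRIDE: True,             # @80 forces WebDAV
     REMINDER_FILE_PARAMETER: r"\\203.0.113.5@80\dav\notify.wav"},
    {"id": "msg-003", REMINDER_OVERRIDE: True,             # intranet file server
     REMINDER_FILE_PARAMETER: r"\\fileserver\media\chime.wav"},
    {"id": "msg-004", REMINDER_OVERRIDE: True,             # local path, benign
     REMINDER_FILE_PARAMETER: r"C:\Windows\Media\chime.wav"},
    {"id": "msg-005", REMINDER_OVERRIDE: False,            # delivered but not armed
     REMINDER_FILE_PARAMETER: r"\\203.0.113.5\shared\notify.wav"},
    {"id": "msg-006"},                                     # no custom sound at all
]

# Address space treated as internal: RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")


def unc_host(value):
    """Return the host of a UNC path (\\\\host\\share\\...), or None for local paths.
    A '@port' or '@SSL@port' suffix (WebDAV redirector form) is stripped first."""
    m = UNC_RE.match(value or "")
    if not m:
        return None
    return re.sub(r"@(?:SSL@)?\d+$", "", m.group(1), flags=re.IGNORECASE)


def is_internal_host(host):
    """IPs inside INTERNAL_NETS and single-label names (intranet zone) are internal;
    any other IP or dotted hostname is treated as an external target."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host
    return any(ip in net for net in INTERNAL_NETS)


def triage_item(item):
    """Classify one item as (verdict, host, armed).

    'external-unc' is the CVE-2023-23397 pattern; 'armed' reports whether
    PidLidReminderOverride is set, i.e. whether Outlook would actually use the path.
    An external UNC with override unset is still reported, since it shows delivery.
    """
    armed = bool(item.get(REMINDER_OVERRIDE))
    path = item.get(REMINDER_FILE_PARAMETER)
    if not path:
        return ("no-custom-sound", None, armed)
    host = unc_host(path)
    if host is None:
        return ("local-path", None, armed)
    if is_internal_host(host):
        return ("internal-unc", host, armed)
    return ("external-unc", host, armed)


def triage(items):
    """Map item id -> (verdict, host, armed) for a batch of exported items."""
    return {item["id"]: triage_item(item) for item in items}


if __name__ == "__main__":
    for item_id, (verdict, host, armed) in triage(SAMPLE_ITEMS).items():
        print(f"{item_id}: {verdict:16s} host={host} armed={armed}")
```

Items reported as external-unc are the ones to pull for forensic review and to correlate with outbound SMB (445) or WebDAV connections from the client; the usual hardening alongside patching is to block outbound 445 at the perimeter and to add high-value accounts to the Protected Users group so NTLM is not used for them.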

The recent APT28 campaign has significant implications for Germany, the EU, and the broader cybersecurity landscape. It highlights vulnerabilities in Germany’s critical infrastructure and the need to improve cyber hygiene, starting with timely patching of widely deployed client software such as Outlook. It has also disrupted political stability and public trust in the government, especially in the SPD party. These incidents underscore the urgent need to bolster national cyber defences, which the Bundeswehr’s dedicated branch, the “Cyber and Information Domain Service (CIR),” aims to improve. For the EU, Germany’s call for sanctions against APT28 members will likely lead to coordinated efforts to impose restrictive measures and increased collaboration among EU and NATO member states on cyber defence and intelligence sharing. For the broader cybersecurity landscape, the incident underscores the growing threat of state-sponsored cyber-attacks in the EU and the necessity for the private sector, particularly critical sectors, to adopt more robust cybersecurity measures.

Brandenburg Gate in Berlin, Germany

Florian Wehde/Unsplash


Forecast

  • Short-term

    • It is highly likely that Germany and other EU member states will prioritise immediate enhancements to their cybersecurity infrastructure, including patching known vulnerabilities and increasing system monitoring within the next few months. Furthermore, the upcoming European Parliament elections in June 2024 will certainly be a critical focus, with heightened vigilance and enhanced cybersecurity measures to protect the electoral process. It is likely that state-backed hacker groups, such as APT28, will attempt to interfere in the election using a range of sophisticated cyber intrusion methods.

  • Medium-term

    • Germany and its EU partners will highly likely continue to enforce sanctions against APT28 individuals and entities.

  • Long-term

    • With the ongoing war in Ukraine, and EU-Russia relations at an all-time low, state-backed hacking groups will likely continue to target EU governments and the private sector as part of Russia’s “hybrid warfare” strategy. Furthermore, efforts to develop international norms and regulations governing state behaviour in cyberspace will likely gain traction.
