Amid bucolic lakes on the edge of Potsdam, the Prussian garrison city of Frederick the Great, sits the Hasso Plattner Institute, an IT research center named after the founder of the German software company SAP. Here Germany’s leading cyber warriors, industrialists, and intelligence officials gather once a year to talk about the digital threat landscape. Despite the splashy topic, discussions are not prone to sensationalism, focusing on relatively mundane areas such as breach notification requirements, technical norms and standards, and critical infrastructure classifications.
This year was different. Germany’s most senior federal intelligence officials presented a united front about the potential threat of Russian cyber-influence in their country’s September elections. Hans-Georg Maassen, the head of the Federal Office for the Protection of the Constitution (BfV)—Germany’s domestic intelligence service—did not mince words: “We expect further attacks,” he said, adding that they recognized the threat as “a campaign being directed from Russia.” Maassen was referring to the Russia-attributed 2015 hack that hoovered up massive amounts of e-mails, correspondence, and sensitive information from well-placed members of the German Bundestag. The decision of whether to release the tranches of data “will be made in the Kremlin,” Maassen said, implicating President Vladimir Putin personally in any decision to use doxxed material, disinformation, or other cyber-actions to disrupt the integrity of the German elections. In turn, Bruno Kahl, the head of Germany’s international intelligence arm, the Federal Intelligence Service (BND), called for more money to boost cyber offensive and defensive capabilities.
The two were expressing concern that recent cyberattacks against Germany match the pattern of earlier attacks elsewhere in the West: first against Hillary Clinton’s presidential campaign in the United States, and more recently against then-presidential candidate Emmanuel Macron in France. The pattern is simple: a series of intrusions and data exfiltration, followed by leaks timed to affect the election’s outcome. In the case of the United States, the leak phase of the DNC operation began on July 22, 2016, three days ahead of the party’s convention in Philadelphia; in France, it began on May 5, 2017, just before the 44-hour media blackout that precedes the second-round vote. Both incidents have been linked primarily to APT28, or Fancy Bear, a cyber-espionage group associated with the GRU, Russia’s military intelligence service.
THE TIMELINE OF ATTACKS
Germany’s cyber-awakening traces back to May 1, 2015, when an apparently innocuous e-mail was sent to offices in the Bundestag, including Chancellor Angela Merkel’s personal office and those of two Social Democrats who sit on an exclusive nine-person committee responsible for the top-secret budget and for overseeing German intelligence. The e-mail was in fact a phishing lure that gave the attackers remote access, which they used to move laterally through key servers in Germany’s powerful parliament.
There is compelling forensic evidence linking the Bundestag exfiltration to Fancy Bear. The tool used in the attack, XTunnel, and the server administrator associated with the incident, located in Kakra Town, Pakistan, have also been tied to the Democratic National Committee hack, to attacks on the World Anti-Doping Agency, and to probes of the Christian Democratic Union (CDU) party headquarters in spring 2016. Such overlaps in tooling and infrastructure are the usual basis for clustering intrusions under one actor, though each link on its own is an indicator rather than a proof. In addition, metadata from the Macron hacks left traces of names associated with the GRU, and digital breadcrumbs from a previous known Fancy Bear attack led back to the Aquarium, the nickname for the GRU headquarters at Khodynka Airfield just outside Moscow.
The hackers who attacked the Bundestag benefited from a host of human errors. They struck when German cyberdefenses were lowered: the attack came one day after Germany’s Labor Day holiday, and the Bundestag’s IT department was closed. The institutional independence of the parliament, and the concern to preserve the separation of powers between the executive and legislative branches, also hampered the response. The Bundestag was hesitant to accept assistance from the Federal Office for Information Security (BSI), the Interior Ministry’s cybersecurity arm, and the same separation had left it exposed in the first place: shortly before the attack, the federal administration had already patched on its own networks the vulnerabilities that still left the Bundestag open. Altogether the Fancy Bear attackers had approximately three weeks to ferret through the servers and steal documents before they were shut out.
Since the initial attacks, German authorities have reported over 70 suspected Fancy Bear cyber-incidents, including exfiltration operations (attempts to vacuum up data from private servers) carried out against the CDU’s Saarland branch, the CDU’s youth auxiliary, and Marieluise Beck, a Green Bundestag member and strident opponent of the Kremlin. Attempts to break into Bundestag servers have continued in the wake of these attacks, including known incidents involving CDU accounts in April and May 2016, as well as probes for vulnerabilities at government-adjacent institutions such as political parties, think tanks, powerful business associations like the Federation of German Industries (BDI), and unions like Ver.di and IG Metall.
The security software company Trend Micro identified phishing campaigns in March and April 2017 that attempted to install malware on well-placed servers within Germany’s two largest political foundations, the CDU-affiliated Konrad-Adenauer-Stiftung (KAS) and the SPD-affiliated Friedrich-Ebert-Stiftung (FES). The attackers used spoofed infrastructure designed to appear affiliated with the foundations: for KAS, the lures came from a German-based server account, and for FES, from an account located in Ukraine. Both think tanks operate as de facto arms of the parties to which they are linked. In addition, both are intimately involved in organizing confidential workshops and crafting strategic policy planning, and have long been a safe space for the parties to thrash out new ideas.
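Spoofed infrastructure of the kind described above usually starts with a domain that resembles the target’s own, so the routine defensive check is to screen newly registered domains and certificate-transparency entries against a watch-list of the organizations being protected. The following is an added example, not code from the article or from Trend Micro: the watch-list and the candidate hostnames are constructed placeholders (the article does not name the spoofed domains), the confusable-character table is a small assumed subset, and the public-suffix handling is deliberately simplified.

```python
"""Flag hostnames that impersonate a watch-list of legitimate domains.

Added example, not code from the article or from Trend Micro. The watch-list
and candidate hostnames are constructed placeholders, not the domains used in
the KAS/FES campaigns (which the article does not name).
"""
import unicodedata
from typing import Dict, List, Optional, Sequence, Tuple

# Legitimate domains to protect (constructed; an assumption for the example).
WATCHLIST = ["adenauer-stiftung.example", "ebert-stiftung.example"]

# Single characters commonly substituted for ASCII letters (subset; assumption).
CONFUSABLE_CHARS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic r, s, h
}
# Character pairs that render like one letter in many fonts.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize_label(label: str) -> str:
    """Fold a DNS label to a canonical form so visual twins compare equal."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    folded = "".join(CONFUSABLE_CHARS.get(ch, ch)
                     for ch in decomposed if not unicodedata.combining(ch))
    for pair, single in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, single)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one wrong letter in a brand name is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[List[str], str, str]:
    """Return (labels, registrable label, tld).

    Assumes a one-label public suffix; a production version would consult the
    Public Suffix List so that names under e.g. 'co.uk' are handled correctly.
    """
    labels = domain.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return labels, labels[0], ""
    return labels, labels[-2], labels[-1]


def classify(candidate: str, watchlist: Sequence[str] = WATCHLIST) -> Tuple[str, Optional[str]]:
    """Classify a hostname against the watch-list.

    Verdicts: 'legitimate' (the domain itself or a true subdomain), 'lookalike'
    (same name after folding, or within a small edit distance, or a swapped
    TLD), 'embedded' (the brand used as a sub-label or buried in a longer label
    of an unrelated domain), 'unrelated'.
    """
    cand = candidate.rstrip(".").lower()
    cand_labels, cand_sld, _ = split_domain(cand)
    cand_norm = normalize_label(cand_sld)
    for legit in watchlist:
        legit = legit.lower()
        _, brand, _ = split_domain(legit)
        brand_norm = normalize_label(brand)
        if cand == legit or cand.endswith("." + legit):
            return "legitimate", legit
        tolerance = max(1, len(brand_norm) // 6)  # allow ~1 edit per 6 characters
        if cand_norm == brand_norm or levenshtein(cand_norm, brand_norm) <= tolerance:
            return "lookalike", legit
        if brand_norm in cand_norm or any(normalize_label(lbl) == brand_norm for lbl in cand_labels[:-2]):
            return "embedded", legit
    return "unrelated", None


# Constructed candidates such as a registration or CT-log feed might surface.
CANDIDATES = [
    "adenauer-stiftung.example",               # legitimate
    "mail.adenauer-stiftung.example",          # legitimate subdomain
    "adenauer-stlftung.example",               # lookalike: i -> l
    "adenauer-stiftung.net",                   # lookalike: TLD swap
    "\u0435bert-stiftung.example",             # lookalike: Cyrillic 'е' for Latin 'e'
    "adenauer-stiftung.login-portal.example",  # embedded: brand as sub-label
    "ebert-stiftung-intranet.example",         # embedded: brand inside a longer label
    "zeit.example",                            # unrelated
]


def scan(candidates: Sequence[str] = CANDIDATES, watchlist: Sequence[str] = WATCHLIST) -> Dict[str, str]:
    """Map each candidate to its verdict; 'lookalike' and 'embedded' merit blocking or review."""
    return {c: classify(c, watchlist)[0] for c in candidates}


if __name__ == "__main__":
    for host, verdict in scan().items():
        print(f"{verdict:11} {host}")
```

The folding step is what catches the homoglyph case (a Cyrillic letter swapped into an otherwise identical name), which a plain string comparison or edit distance would miss; the edit-distance step catches the single-character typosquat; the embedded check catches the brand reused as a sub-label of an attacker-owned domain, the pattern that most often gets past users who only read the left-hand end of a URL. In practice the candidate list would come from certificate-transparency logs or a passive-DNS feed rather than from a constant.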
Thus far, these operations have been in a gathering phase; none of the information vacuumed up has been released. But German authorities and media are already planning for potential leaks from the hacks to begin as the election campaign heats up at the end of August. Die Zeit discovered a potential domain through which Bundestag leaks could be released; it was anonymously registered in January and continues to sit unused. In the United States, stolen information was disseminated through WikiLeaks and DCLeaks; in Macron’s case, it was done through the site EMLeaks, named for his fledgling political party En Marche.
A BASTION OF STABILITY
Recent Russian meddling relies on a cyber-ecosystem composed of bloggers, fringe political parties, GRU-supported hackers, Russian-backed news outlets, and troll farms that push out pilfered information and fake news to affect the outcome of elections or undermine electoral confidence.
The 2016 U.S. election was a wakeup call for Europe’s most consolidated democracies, revealing that they too were exposed to Russian interference. But Germany is substantially less vulnerable than most. For one, there is little risk of cyber–ballot manipulation, since Germany’s Federal Constitutional Court ended the use of e-voting in 2009 after ruling it insufficiently transparent. Second, compared to the knife-edge elections in the United States, France, and Italy, Germany’s election is shaping up to be a bit of a non-event. Merkel seems to be consolidating her position as an anchor of stability for the German electorate, which enjoys full employment, low inflation, and healthy economic growth. Anti-establishment populism is a fringe movement, and confidence in institutions such as the government, the media, and the university system remains high.
Partially because of its stability, the pro-EU and internationalist consensus still holds in Germany. Unlike France or Italy, Germany is unlikely to change its position on the big issues that Russia cares about—including the EU, NATO, and the Ukraine crisis—regardless of the election’s outcome. Martin Schulz, the standard-bearer from the traditionally more Russophile SPD party and Merkel’s main opponent, is more hawkish toward Russia than his party predecessors. Schulz cut his political teeth in Brussels and recognizes the existential threat that Russian interference poses to the European project. In fact, Schulz himself has become the subject of Russia-propagated fake news claiming that his father was Karl Schulz, an SS officer who presided over the terror at the Mauthausen concentration camp. (Schulz’s actual father, Albert Schulz, was a police officer and SPD member who never worked in a concentration camp.)
But even if they do not change the outcome of the German elections or Berlin’s policy in the near term, Russian cyber-measures against Germany can still serve two purposes: acute short-term destabilization, as seen in the U.S. election; and erosion of public confidence in German institutions and of support for anti-Russian policies. Such attacks are unlikely to bring about the former; the environment could be fertile for the latter.
As in other countries, Germany’s media consumption is polarized along political lines. Publications of Germany’s alt-right (conspiracy-infused, right-wing ethnonationalists) like Junge Freiheit, Epoch Times, and RT Deutsch, and new social media networks like Bürger sagen Nein and Multikulti Nicht Mit Uns, are actively amplifying Russian propaganda. And the far-right Alternative for Germany (AfD) party lurched further toward Russophilic ethnonationalism when it chose Alexander Gauland as one of its two lead candidates for the upcoming elections. Gauland is one of Germany’s most unapologetic Putin enthusiasts: he supports the Crimea annexation, opposes Western sanctions against Russia, and pines for a return to the Russo-German conservative alliance of the nineteenth century. Pro-Russian parties, the AfD and the Left, are expected to receive around 20 percent of the vote. A plurality of Germans, 42 percent, believe that there is “something to” the use of the term Lügenpresse (“lying press”) to describe the media. And although Germans trust press coverage of Donald Trump by a margin of 56 to 39 percent, only 33 percent believe that Vladimir Putin gets a fair shake in the German media.
Thus far, Merkel’s reaction to the threat of Russian cyber-meddling has been primarily rhetorical, including her personal warning to Putin during their May 2 meeting. But behind the scenes, Germany has been taking steps to prevent and deter potential interference. A debate is bubbling inside the German government as to what kind of countermeasures it should take if Fancy Bear hackers and other Russian state-linked operators move to influence the German election. The government is examining the legal basis for offensive cyber-action against such hackers, such as deleting stolen data from attacker-controlled systems or destroying their servers.
The government has also taken an aggressive approach to tamping down on the spread of fake news and incendiary speech online. It is debating a sweeping and controversial new law, proposed by Justice Minister Heiko Maas, that would hold social media platforms like Facebook, Twitter, and YouTube liable for hate speech and incendiary fake news. The draft law—which would impose crippling fines for failure to respond to notice-and-take-down requests—is meant to lessen the potential for a German version of Pizzagate, the 2016 election conspiracy theory that falsely saw in John Podesta’s leaked e-mails a secret code pointing to a Clinton-run child-trafficking ring run out of Comet Ping-Pong in Washington, D.C. Facebook and Google have already taken steps to crack down on blind advertising that incentivizes use of fake news to drive traffic. And Twitter is creating a mute function to limit the impact of trolls such as those at Russian troll farms in St. Petersburg.
On April 1, the German military opened a cyber command in Bonn, which German Defense Minister Ursula von der Leyen hopes to staff with 13,500 cyber-warriors by July. But recruitment has been slow so far. Currently, the cyber command has just 260 commandos. Add to that the immense needs of the National Cyber Defense Centre, intelligence services, and critical infrastructure operators, and Germany is facing an acute shortage of cyber-manpower—a shortage that is increasingly recognized as a national security threat. According to Die Zeit, of the 660 BSI employees, just 15 are able to defend against cyberattacks like the one identified against the Bundestag. This small group is responsible for the protection of the entire network of German government IT systems.
Berlin, Cologne, and Germany’s other major cities are blanketed with recruitment ads from both military and civilian agencies. And the German military is trying to get creative in filling its cyber-ranks, targeting refugee and migrant communities for cyber-training and offering volunteer schemes, almost like cyber-militias, that allow civilians to be quickly activated in emergency operations.
THE FUTURE OF EUROPEAN CYBERWAR
Germany is well positioned to withstand an assault by outside influencers such as Russia. The party system is still cohesive. Faith in institutions and expertise is still strong. Leading politicians have formed an informal pact not to exploit leaked material if it surfaces, and discussions are already taking place about classifying parties as political infrastructure.
But the online threat landscape is evolving. As Maassen stated in Potsdam, protecting all systems is like “Sisyphus continually rolling a boulder to the mountaintop, only to be overtaken by his inevitable fate.” The Macron campaign’s decision to spike their internal accounts with false information helped to neutralize its potential damage and discredit the would-be leakers. But this tactic is a double-edged sword. Russian disinformation operatives can also taint tranches of hacked data with false information—augmenting the potential damage at the service of Russia’s strategic interests. In fact, Ukraine has been a laboratory for tainted leaks by Russian intel and disinformation operatives, with devastating efficacy. These tactics could also be employed in Germany and beyond.
Intelligence gathering is moving from government-adjacent institutions to individuals adjacent to the political process, such as spouses and children of high-value political figures, who are increasingly becoming targets of cyberattacks themselves. The erosion of faith in institutions, agreed-upon facts, and the perceived credibility of democratic processes will lead to more online operations that use the Web as both the source of stolen information and the means of its dissemination, by regimes that perceive openness as weakness. As Germany and the rest of the West are quickly learning, the price of connectivity is eternal vigilance.