THE GERMAN BUNDESTAG
On April 30, 2015, Fancy Bear launched another spear-phishing operation, this time against the German Bundestag. A staffer in the German government office, Claudia Haydt, clicked a link in an email sent from an address ending in @un.org and compromised the system.[i] The link led to a website mocked up to look like a legitimate United Nations site; in fact the site was a waterhole set up by the GRU and loaded with malware to compromise visitors' systems.
Once inside, the GRU first burrowed through the network to harvest passwords, then worked to establish control of the system and blend in with legitimate network users. They are reported to have used the notorious credential-stealing program Mimikatz, which is freely available on the web, as are tutorials on how to use it.[ii]
Another malware tool used in the attack was XTunnel, one of the tools the same threat actor, the GRU, would use a year later against the DNC.[iii] Cyber security researcher and former hacker Claudio Guarnieri determined that a server at the address 176.31.112.10 had been used to hack the Parliament, and that the domain name bitcoin-dn.hosting was also in use. This infrastructure would be reused in later attacks against the DNC and WADA.
The Bundestag network comprises over 5,600 computers, 500 copiers, 130 printers and 12,000 registered users.[iv]
The attack was detected by an outside cyber security firm that had been surveilling a command and control (C2) server used by the GRU hackers. The German Federal Office for Information Security (BSI) had also seen the C2 server and had protected the German executive offices from it, but the Bundestag's system was not coordinated with theirs.
After the attack was discovered, the entire system was shut down while the BSI began to evict the intruders.[v] BSI team leader Dirk Häger went through all the logs and found the infiltrations.
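The detection point above rests on indicator sharing: an organisation that knows the C2 address and domain can flag any internal host that talks to them, and because the same infrastructure was reused against the DNC and WADA, those indicators kept their value. As an added illustration (not code from the source, the BSI or any firm named on the page), the script below matches proxy and DNS records against the two indicators the page reports; the log format and the internal host addresses are constructed for the example.

```python
"""Match proxy and DNS log records against shared C2 indicators."""

# Indicators reported on the page (Guarnieri's findings).
C2_IPS = {"176.31.112.10"}
C2_DOMAINS = {"bitcoin-dn.hosting"}

# Constructed sample records in a simple key=value layout (assumption: not a real log schema).
SAMPLE_LOGS = [
    "2015-04-30T09:12:01 proxy src=10.1.4.22 dst=176.31.112.10:443 action=ALLOW",
    "2015-04-30T09:12:03 dns client=10.1.4.22 query=cdn.bitcoin-dn.hosting. type=A",
    "2015-04-30T09:15:44 proxy src=10.1.5.8 dst=93.184.216.34:443 action=ALLOW",
    "2015-04-30T09:16:02 dns client=10.1.5.8 query=notbitcoin-dn.hosting type=A",
    "2015-04-30T09:17:10 proxy src=10.1.5.8 dst=176.31.112.100:80 action=ALLOW",
]


def parse_fields(line):
    """Split a record into (timestamp, source, {key: value})."""
    ts, source, *rest = line.split()
    return ts, source, dict(kv.split("=", 1) for kv in rest if "=" in kv)


def domain_matches(qname, blocked):
    """True for the domain itself or any subdomain; 'notbitcoin-dn.hosting' must not match."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in blocked)


def ip_matches(dst, blocked):
    """Strip an optional :port (IPv4 only) and require an exact address match, not a prefix."""
    host = dst.rsplit(":", 1)[0] if ":" in dst else dst
    return host in blocked


def scan_line(line):
    """Return (internal host, indicator seen) if the record touches an indicator, else None."""
    _, source, f = parse_fields(line)
    if source == "proxy" and ip_matches(f.get("dst", ""), C2_IPS):
        return f["src"], f["dst"].rsplit(":", 1)[0]
    if source == "dns" and domain_matches(f.get("query", ""), C2_DOMAINS):
        return f["client"], f["query"].rstrip(".")
    return None


def hosts_to_triage(lines):
    """Map each internal host to the set of indicators it contacted."""
    hits = {}
    for line in lines:
        result = scan_line(line)
        if result:
            host, indicator = result
            hits.setdefault(host, set()).add(indicator)
    return hits


if __name__ == "__main__":
    for host, indicators in sorted(hosts_to_triage(SAMPLE_LOGS).items()):
        print(host, sorted(indicators))
```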
Among the targets, Martin Rabanus, a member of the German parliament for a couple of years at that point, had taken a trip to Moscow and Kiev to discuss Russian aggression against Ukraine. He was likely targeted so that his deliberations could be learned after he left the country. Other targets in the attack were Bettina Hagedorn and Johannes Singhammer. Hagedorn may have been targeted because of her position on a confidential committee in the Parliament; however, the sensitive documents she reads or holds were not on the system and were secured in a safe.
Later investigation into the hacking pointed to the GRU and an ally identified as Georgy Petrovitch Roshka of the Eureka CJSC firm in Russia.
The Russians were not successfully purged from the Bundestag network until May 20, 2015, nearly three weeks after the breach.
Nearly five years to the day after the hack, German authorities charged one of the GRU hackers involved in the breach: Dmitri Badin, a member of GRU unit 26165, who was also implicated in the DNC hacking.
[i] Patrick Beuth, Kai Biermann, Martin Klingst and Holger Stark, “Merkel and the Fancy Bear”, Zeit, May 12, 2017, https://www.zeit.de/digital/2017-05/cyberattack-bundestag-angela-merkel-fancy-bear-hacker-russia
[ii] Patrick Beuth, Kai Biermann, Martin Klingst and Holger Stark, “Merkel and the Fancy Bear”, Zeit, May 12, 2017, https://www.zeit.de/digital/2017-05/cyberattack-bundestag-angela-merkel-fancy-bear-hacker-russia
[iii] Patrick Beuth, Kai Biermann, Martin Klingst and Holger Stark, “Merkel and the Fancy Bear”, Zeit, May 12, 2017, https://www.zeit.de/digital/2017-05/cyberattack-bundestag-angela-merkel-fancy-bear-hacker-russia
[iv] Patrick Beuth, Kai Biermann, Martin Klingst and Holger Stark, “Merkel and the Fancy Bear”, Zeit, May 12, 2017, https://www.zeit.de/digital/2017-05/cyberattack-bundestag-angela-merkel-fancy-bear-hacker-russia
[v] Patrick Beuth, Kai Biermann, Martin Klingst and Holger Stark, “Merkel and the Fancy Bear”, Zeit, May 12, 2017, https://www.zeit.de/digital/2017-05/cyberattack-bundestag-angela-merkel-fancy-bear-hacker-russia