Red Square in Moscow

Photo: Natalia Kolesnikova / AFP

The Kremlin-controlled hacker group “Cozy Bear” has attempted to attack several German parties with malware. This emerges from an analysis available to SPIEGEL from the renowned IT security company Mandiant, which belongs to Google. German security authorities have also already sent warnings about the incident. According to SPIEGEL information, the attackers apparently targeted members of the CDU, among others, and warnings were sent to other German parties.

According to the warnings, the attackers have been sending emails with malicious attachments since February 26th. The messages were sent in the name of the CDU and were disguised as an invitation to a party dinner that was supposed to take place on March 1st at 7 p.m. The attackers also included the current CDU logo in the email.

“To take part in the event, please fill out a questionnaire and send it by email in the next few days,” said the German-language message. Even the appropriate outfit was specified: “Dress code: business smart.”

Anyone who clicked on one of the links in the email, though, would have infected their computer with malware.

Anyone who read the email carefully, however, might have become suspicious, as the wording was awkward in places. “We are pleased to invite you to a dinner at the regional representative office of the part,” it said cryptically.

The CDU confirmed to SPIEGEL that it had already received information about the incident. The occasion named in the email did not exist: “There was no official CDU dinner on March 1st, the event was fictitious.”
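Added example, not code from the article, from Mandiant or from the authorities cited here: a small Python triage routine that applies the defensive checks this lure pattern calls for, run over a constructed message that mirrors the description above (brand name in the sender's display name, a link to fill in a questionnaire, an attachment). The trusted domains, brand keywords and all domain names are placeholders chosen for the example, not values from the page.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not from the campaign reported above): an
# invitation lure whose display name borrows the party's name while the
# sending domain and the link point elsewhere. All domains are placeholders.
SAMPLE_LURE = """\
From: "CDU Regionalvertretung" <einladung@invite-mailer.example>
To: mitglied@party.example
Subject: Einladung zum Abendessen am 1. Maerz
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Wir freuen uns, Sie zu einem Abendessen einzuladen.
Bitte fuellen Sie den Fragebogen aus: https://forms.invite-mailer.example/q
Dress code: business smart.

--b1
Content-Type: application/zip; name="Fragebogen.zip"
Content-Disposition: attachment; filename="Fragebogen.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign counterpart: same brand in the display name, but sent
# from the organisation's own (placeholder) domain, linking internally.
SAMPLE_BENIGN = """\
From: "CDU Geschaeftsstelle" <info@party.example>
To: mitglied@party.example
Subject: Tagesordnung
Content-Type: text/plain; charset="utf-8"

Die Tagesordnung finden Sie unter https://intranet.party.example/agenda
"""

# Assumed organisation-specific configuration (placeholders): the domains
# the party really sends from, and the brand words a lure would borrow.
TRUSTED_DOMAINS = {"party.example"}
BRAND_KEYWORDS = ("cdu",)
# Attachment types that commonly carry a loader rather than a questionnaire.
RISKY_EXTENSIONS = (".zip", ".iso", ".lnk", ".exe", ".js", ".hta")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _is_trusted_host(host: str) -> bool:
    """True if host is one of the trusted domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage_invitation(raw: str) -> dict:
    """Score an RFC 5322 message for the lure pattern: brand name in the
    display name but foreign sender domain, off-brand links, risky attachment."""
    msg = email.message_from_string(raw, policy=policy.default)

    from_header = msg["From"]
    sender = from_header.addresses[0] if from_header and from_header.addresses else None
    sender_domain = sender.domain.lower() if sender else ""
    display_name = sender.display_name.lower() if sender else ""

    # 1. Display-name impersonation: claims the brand, sends from elsewhere.
    impersonation = (
        any(k in display_name for k in BRAND_KEYWORDS)
        and not _is_trusted_host(sender_domain)
    )

    # 2. Links in the text body that do not lead to the organisation.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    external_links = [
        u for u in URL_RE.findall(text) if not _is_trusted_host(urlparse(u).hostname)
    ]

    # 3. Attachments of types that are unusual for a dinner questionnaire.
    risky_attachments = [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)
    ]

    score = int(impersonation) + int(bool(external_links)) + int(bool(risky_attachments))
    return {
        "sender_domain": sender_domain,
        "display_name_impersonation": impersonation,
        "external_links": external_links,
        "risky_attachments": risky_attachments,
        "score": score,  # 0 = nothing matched, 3 = every check fired
    }


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage_invitation(sample))
```

The three checks are deliberately independent so that a message which only trips one of them (an internal mail with a zip, say) scores low, while the invitation pattern described above trips all three; in a mail gateway this score would feed quarantine or a warning banner rather than an outright block.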

The Office for the Protection of the Constitution warns of an attack

According to SPIEGEL information, both the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) are already dealing with the attack. Together they sent out a warning message in the form of a so-called “awareness letter.” It says that “the campaign aims to establish long-term access to the targets’ networks.” The goal is to steal data.

Particularly in view of the upcoming European elections, “it can be assumed that foreign powers will have an increased interest in reconnaissance, which can also and especially be reflected in cyber attacks against the political space.”

The BSI had already warned in a separate letter on Thursday about “possible hack-and-leak operations” in the 2024 election year. These represented “a serious threat to democratic elections,” it said. This refers to hacking attacks in which data is stolen and then specifically published on the Internet. This was recently the case with the recording of a conversation about Taurus deliveries, which was published on Telegram via Russian propaganda channels.

It was initially not known whether the recipients of the current fake emails with the CDU logo clicked on the malicious link. IT security researcher John Hultquist, chief analyst at Mandiant, told SPIEGEL that he expects further similar attacks from Russia in the future: "This is not the problem of a single party," said Hultquist, who analyzed the campaign. The election season in Europe has only just begun.

Hackers changing strategy?

In their investigation into the incident, the IT experts at Mandiant also spoke of a noticeable change in strategy at “Cozy Bear”. So far, the hackers have primarily attacked government offices and international embassies. An operation against political parties is being observed for the first time, according to the Mandiant report.

In the past, “Cozy Bear” had, among other things, specifically spied on research institutions that were developing coronavirus vaccines. Experts also blame the group, also known as APT29, for attacks on the Democratic Party's servers before the 2016 US election as well as on Western ministries and embassies in various countries. They most recently caused an international stir in January when it became known that they had managed to break into the email accounts of important Microsoft employees.

Particularly acute need for information

According to consistent expert assessments, the group is controlled by the Russian foreign intelligence service SWR. “Cozy Bear” is also supported by hacking service providers in Russia. An employee of the espionage supplier “NTC Vulkan” helped the service steal secret information from foreign government networks and hack at least three Western government officials. SPIEGEL revealed this in the course of its “Vulkan Files” research into the Russian espionage industry.

“The SWR has always had the task of helping Russia understand and predict Western politics,” says John Hultquist, who has been monitoring the activities of Russian state hackers for a long time. "The need for this information is particularly acute given the war in Ukraine and the upcoming elections."

According to the analysis by IT security experts at Mandiant, the attackers used a new malware called Wineloader. By their own account, the analysts first observed it in attacks in India, Lithuania, the Czech Republic and Germany at the end of January this year. The malware is a new variant of Trojans that “Cozy Bear” had already used in the past.

The analysts gave the malware its name because the hackers had previously sent out invitations to wine tastings. “Using events seems to work well for the hackers,” says Hultquist.

hpp/mnz/rom/wow