A major cyber-attack that resulted in the compromise of a communications network used by several government ministries in Germany took place after hackers weaponised emails with malicious code before sending them to Outlook inboxes of German officials.
Earlier this week, we revealed how a group of hackers had managed to compromise Informationsverbund Berlin-Bonn, a server that served as a communication exchange platform for several government ministries, the parliament, the Federal Audit Office, the Chancellery, and other government departments in Germany.
In a press statement, Germany’s Interior Ministry said: “We can confirm that the Federal Office for Information Security (BSI) and intelligence services are investigating a cybersecurity incident concerning the federal government’s information technology and networks.”
Malicious code delivered via Outlook
German daily Süddeutsche Zeitung has now revealed the modus operandi of hackers behind the operation. The paper said that the hackers weaponised emails with malicious code before sending them to Outlook inboxes of German officials. Once opened automatically by Outlook, these attachments activated previously-injected malware in systems owned by the German Foreign Office, which then proceeded to send data stored in such computers to a remote server.
“So the Turla hackers send an e-mail to a computer that they have already infected with malware. Because after the infection, the attackers have to somehow get the data interesting for them from the completed networks. Hacker groups typically try to establish encrypted connections to a server over the Internet and send the data from the protected area directly to them.
“They use this infrastructure to communicate from the outside with their malicious software. In the networks of the Foreign Office, however, according to SZ information such connections are blocked. The only way out leads therefore via Mails. So also the control of the malicious software should have gone over mail,” read a translated version of the report.
The report added that by exploiting this method, hackers managed to infect as many as 17 computers belonging to the Foreign Office. Even though the government has confirmed the incident, it is yet to name the culprits or nations that sponsored the operation.
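The report describes a channel in which mail is the only way in and out of the network: an inbound message with an attachment tasks the implant, and the stolen data leaves as an outbound attachment. As an added example that is not part of the SZ report or the BSI investigation, the following Python detection logic searches mail-gateway records for exactly that request/response pairing. The log format, the internal domain and the sample lines are all constructed for the example.

```python
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "ministry.example"   # assumed internal mail domain (constructed)
WINDOW = timedelta(minutes=30)          # outbound reply must follow within this window

# Constructed gateway log lines in an assumed format:
# <ISO time> <in|out> from=<addr> to=<addr> attach=<count> bytes=<size>
SAMPLE_LOG = """\
2018-03-01T09:00:10 in  from=news@partner.example to=alice@ministry.example attach=1 bytes=20480
2018-03-01T09:02:41 out from=alice@ministry.example to=drop@mailbox.example attach=1 bytes=3145728
2018-03-01T09:05:00 in  from=bob@ministry.example to=carol@ministry.example attach=1 bytes=5120
2018-03-01T09:20:00 out from=carol@ministry.example to=bob@ministry.example attach=1 bytes=5120
2018-03-01T10:00:00 out from=dave@ministry.example to=press@outside.example attach=0 bytes=900
"""

def parse(line):
    """Turn one log line into a dict with typed timestamp, direction and sizes."""
    ts, direction, *kv = line.split()
    rec = {k: v for k, v in (item.split("=", 1) for item in kv)}
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dir"] = direction
    rec["attach"] = int(rec["attach"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def is_external(addr):
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)

def find_mail_c2(log_text, window=WINDOW):
    """Return (mailbox, inbound_ts, outbound_ts, out_bytes) for every mailbox that
    receives an attachment from outside and, within `window`, sends an attachment
    back out to an external recipient. Purely internal traffic is ignored."""
    records = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    last_inbound = {}   # mailbox -> time it last received an external attachment
    hits = []
    for r in records:
        if r["dir"] == "in" and r["attach"] > 0 and is_external(r["from"]):
            last_inbound[r["to"]] = r["ts"]
        elif r["dir"] == "out" and r["attach"] > 0 and is_external(r["to"]):
            seen = last_inbound.get(r["from"])
            if seen is not None and r["ts"] - seen <= window:
                hits.append((r["from"], seen, r["ts"], r["bytes"]))
    return hits

if __name__ == "__main__":
    for mailbox, t_in, t_out, size in find_mail_c2(SAMPLE_LOG):
        print(f"{mailbox}: attachment in at {t_in:%H:%M}, "
              f"{size} bytes out at {t_out:%H:%M} to an external address")
```

On the sample log only alice's mailbox is flagged: carol's reply stays inside the domain and dave's outbound message carries no attachment. In a network where direct Internet egress is blocked, this pairing is one of the few observable traces a mail-only command channel leaves.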
Series of attacks
The cyber-attack on the German government’s communications platform is the second such major attack in three years, even though government ministries and departments have suffered smaller security incidents on a regular basis. Back in 2015, a cyber-attack conducted by a suspected Russian hacker group resulted in the loss of large amounts of data and also affected Angela Merkel’s Christian Democratic Union (CDU).
“We recognize this as a campaign being directed from Russia. Our counterpart is trying to generate information that can be used for disinformation or for influencing operations. Whether they do it or not is a political decision … that I assume will be made in the Kremlin,” said Hans-Georg Maassen, president of the BfV, the agency entrusted with protecting Germany’s constitution.
Information stolen via such cyber-attacks was reportedly used by Russian actors to create fake news and propaganda intended to influence voters ahead of last year’s general election, he added. One such example was the story about the rape of a 13-year-old Russian-German girl by migrants. Rumours were also spread that the father of former European Parliament President Martin Schulz had run a Nazi concentration camp during the world war.