According to the Polish government, the group UNC1151 was behind the hacker attack, carried out as part of the “Ghostwriter” operation, to which the head of the Prime Minister’s Office, Michał Dworczyk, is said to have fallen victim. Stanisław Żaryn, spokesman for the minister coordinating the intelligence services, declared that “the agencies have reliable information linking the activities of the UNC1151 group to the activities of Russian intelligence.” Their goal is to destabilize the political situation in the countries of Central Europe.
Recently, the group is said to have been active in Germany as well. As “Der Spiegel” found in March of this year, 7 members of the Bundestag and more than 70 members of the parliaments of the German federal states were attacked as part of the “Ghostwriter” operation. According to press sources in the German services, this was the first major operation by this group in Western Europe.
The attack put the German services on alert, because elections for the Bundestag will take place in Germany in September. “We believe that the danger to the candidates in the elections is great,” said a spokesperson for the Federal Office for Information Security (BSI), adding that attacks on the information space are still expected.
Germany suspects the presence of Russian intelligence
According to journalists from public stations WDR and BR, Thomas Haldenwang, head of the Federal Office for the Protection of the Constitution (BfV), is said to have testified in March before the Parliamentary Intelligence Committee that the GRU was suspected of carrying out the attacks as part of the “Ghostwriter” operation.
Thomas Haldenwang, President of the Federal Office for the Protection of the Constitution
According to German media, the hackers were almost exclusively targeting politicians from the ruling CDU/CSU and SPD parties. It is not known how many of them fell into the trap, or whether and what data were stolen from them. So far, none of it has been published. Germany has been following the “Ghostwriter” campaign since February of this year. According to the WDR and BR report, the services “detected the wave of attacks early and then notified those affected.”
In the messages that the services are said to have sent to parliamentarians, they write, among other things, that “work and/or private email addresses” may be the target of a “planned phishing campaign”. The passwords and information collected can be used to “access accounts on social networks or spread false information”.
Private mailboxes in focus
In Poland, according to the government, 4,350 addresses were attacked, including about 100 belonging to people performing public functions. About 500 people are said to have fallen into the trap.
According to WDR and BR, more than 200 emails were sent in total in Germany, mainly to private addresses registered in the popular GMX and T-Mobile domains. In the messages, recipients were asked to prove they were “not spam bots” by visiting a special website and entering their name and password on it. Otherwise, their mailbox would be blocked within three days.
German services fear further attacks ahead of the September Bundestag elections
The US company FireEye, which first described the “Ghostwriter” campaign, listed the domains impersonated by UNC1151 hackers in a report released in April of this year. In addition to the aforementioned German GMX and T-Mobile, they include names similar to those of Onet, Interia or Wirtualna Polska. It was a private mailbox on the last of these portals that the head of the Prime Minister’s Office, Michał Dworczyk, is said to have used.
Government emails from private addresses – also a problem in Germany
Among the materials allegedly taken from his mailbox and published on the Telegram messenger, photos of correspondence that he is supposed to have had with other employees of the Prime Minister’s Office aroused a lot of controversy. They are supposed to show that not only Dworczyk, but also Prime Minister Mateusz Morawiecki and government spokesperson Piotr Müller used private email addresses to conduct official correspondence.
In Germany, too, members of the government are criticized for using private mailboxes for official matters. Moreover, there is no law regulating their use. In August 2020 the German Ministry of the Interior responded to a parliamentary question on the matter: “It cannot be excluded that members of the government also communicate on official matters via private email addresses.”
Head of Chancellor’s Office Helge Braun (CDU)
Private emails and text messages do not end up in the files, which later makes it difficult to clear up any wrongdoing. According to the daily Die Welt, private email addresses have been used by the head of the Chancellor’s Office, Helge Braun, and Health Minister Jens Spahn (both CDU) in combating the coronavirus pandemic. “In recent years, it has become clear several times that the government is communicating in a way that leaves no trace,” Die Welt wrote.
Concerns about a repeat of 2015
It is not publicly known which German politicians were hacked as part of the “Ghostwriter” campaign. The most serious cyber attack on German politicians to date occurred in the spring of 2015, when the perpetrators managed to infiltrate the internal system of the Bundestag. It is estimated that they stole up to 16 gigabytes of data at the time, including thousands of emails and parliamentarians’ documents. Two computers in Chancellor Angela Merkel’s office were also hacked.
The German Federal Prosecutor’s Office accuses Russian military intelligence, the same agency that is supposed to be behind Operation Ghostwriter, of carrying out this attack. In connection with it, an arrest warrant was issued in Germany last year for 30-year-old Russian Dmitry Badin, who is said to be one of the GRU hackers. At least in Germany, the “Ghostwriter” operation has been less spectacular so far; as German media reported, the hackers were unable to break into government systems.