Germany has summoned a top Russian envoy over a series of cyber-attacks targeting members of the governing Social Democrats and its defence and technology sector.
The 2023 attacks, in which several websites were knocked offline in apparent response to Berlin’s decision to send tanks to Ukraine, have been blamed on a hacker group linked to Russian military intelligence.
It exploited a then-unknown vulnerability in the Microsoft Outlook email service and, according to German officials, compromised the servers of affected companies.
“Today we can say unambiguously [that] we can attribute this cyber-attack to a group called APT28, which is steered by the military intelligence service of Russia,” the German foreign minister, Annalena Baerbock, told a news conference during a visit to Australia. “In other words, it was a state-sponsored Russian cyber-attack on Germany, and this is absolutely intolerable and unacceptable and will have consequences.”
The Czech Republic said its institutions had also been targeted. “Czechia has long been targeted by the APT28. Such violations are in violation of UN norms of responsible state behaviour,” a foreign ministry statement said.
APT28, also known as Fancy Bear or Pawn Storm, has been accused of dozens of cyber-attacks in countries around the world. The UK’s National Cyber Security Centre has described the unit as “a highly skilled threat actor” that has “used tools including X-Tunnel, X-Agent and CompuTrace to penetrate target networks”.
Germany’s interior ministry said a series of cyber-attacks attributable to the Russian military intelligence service GRU had also targeted the country’s logistics, defence, aerospace and IT sectors, exploiting the vulnerability in Microsoft Outlook in order to compromise email accounts.
“The Russian cyber-attacks are a threat to our democracy, which we are resolutely countering,” said the interior minister, Nancy Faeser, adding that Germany was acting alongside the EU and Nato. “Under no circumstances will we allow ourselves to be intimidated by the Russian regime.”
She said it was particularly critical to counter such attacks from Russia ahead of the European elections in June. The EU on Friday condemned the “irresponsible” cyber-attacks on Germany and the Czech Republic, revealing that “state institutions, agencies and entities in member states, including in Poland, Lithuania, Slovakia and Sweden have been targeted by the same threat actor before”.
Nato condemned the “malicious” attacks and said they were a reminder that “cyber threat actors persistently seek to destabilise the alliance”.
The summoning of an ambassador or high-ranking official is considered a strong diplomatic tool. A spokesperson for the German foreign ministry said the acting chargé d’affaires had been invited to attend a meeting as the incident shows “that the Russian threat to security and peace in Europe is real and it is enormous”.
Germany was at the time of the attack in 2023 inching towards a decision to send Leopard 2 battle tanks to the frontline after Ukraine appealed for a fleet of 300 from Europe. The EU’s computer security response unit, Cert-EU, last year noted a German media report that an SPD executive had been targeted in a cyber-attack in January 2023 “resulting in possible data exposure”. Berlin also said Russian activist hackers had knocked several German websites offline in response to its decision to send tanks to Ukraine, although with little tangible effect.
The pro-Russia hacking group Killnet took credit for the attack at the time, with the Kremlin spokesperson, Dmitry Peskov, saying: “We are not aware of what [Killnet] is. We honestly wonder why any group of hackers is associated with Russia and not with some other European country.”
Cyber-attacks are officially considered by European leaders to be part of Russia’s “hybrid” war against Ukraine and the EU. Disinformation across social media and doppelganger or fake news websites that look almost exactly like legitimate media are part of the weaponry deployed by the Kremlin, with more than 17,000 disinformation units identified by the EU since the start of the war.
The pro-Russian doppelganger network of sites was uncovered in 2022 and is still active. In April, a fake Der Spiegel website claimed the German finance minister, Christian Lindner, was “robbing” pensioners.
The EU’s chief diplomat, Josep Borrell, said earlier this year that Russia was using disinformation to undermine the credibility of mainstream parties, sow seeds of distrust in democracy and create hate against minorities. He said this new kind of warfare “does not involve bombs that kill you” but words and ideas that “colonise you”.
The World Economic Forum ranked disinformation and cyber-attacks – so-called foreign information manipulations and interference – as “the second biggest risk the world is going to face this year”, while Nato said it was treating it as being as important as physical weaponry.
Baerbock’s comments come two months after Russian media published an audio recording of a meeting of senior German military officials, after one participant had dialled in through an “unauthorised connection” leading to the leak. Germany has said it will work with EU countries on potential sanctions against any new people working with APT28, which was previously sanctioned after an attack on the Bundestag in 2015.