German Bundestag breach: Two threat actors, two different Trojans?

News by Doug Drinkwater

German chancellor Angela Merkel inadvertently helped spread Trojan malware in the German Parliament (Bundestag), which is now facing a new wave of cyber-attacks. But there remain more questions than answers when it comes to the full scope of the compromise, and the people behind it.

German newspaper Bild reported last weekend that an office computer used by Merkel in the lower house of Parliament was among those infected by a Trojan horse. After infection, the hackers supposedly used her computer to send poisoned phishing emails to other Bundestag members, purporting to be an invitation to a conference. Instead, each email contained a malicious link which, when opened, would infect the recipient's PC with malware.

However, earlier today some doubt was cast over that line of thinking, with German blogger Alvar Freude pointing out that the email does not appear to come from Merkel's email account, but rather from a Polish one using the name of the Chancellor.
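The detail Freude points to, a familiar display name on a message whose actual address sits in an unrelated domain, is the kind of mismatch a mail gateway can flag automatically. The following is an added example, not code from the article or from any of the organisations it mentions: it parses the From and Reply-To headers, compares the display name against a hypothetical directory of who may send from which domain, and reports impersonation. The sample messages, the `bundestag.example` and `example.pl` domains and the `KNOWN_SENDERS` directory are all constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (not from the article): one whose display name
# impersonates a known sender from an unrelated domain, and one that is legitimate.
SPOOFED_MESSAGE = """From: "Angela Merkel" <buero@example.pl>
To: member@bundestag.example
Subject: Invitation to conference

Please confirm your attendance via the link in this mail.
"""

LEGITIMATE_MESSAGE = """From: "Angela Merkel" <office@bundestag.example>
To: member@bundestag.example
Subject: Agenda

Agenda attached.
"""

# Hypothetical directory: display name (normalised) -> domains it may legitimately send from.
KNOWN_SENDERS = {"angela merkel": {"bundestag.example"}}


def sender_domain(address):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender_impersonation(raw_message, directory=KNOWN_SENDERS):
    """Return a list of findings for a raw RFC 822 message; an empty list means no issue."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    # Normalise whitespace and case so "Angela  Merkel" matches the directory entry.
    key = " ".join(name.split()).lower()
    domain = sender_domain(addr)
    if key in directory and domain not in directory[key]:
        findings.append(
            f"display name {name!r} used from unexpected domain {domain!r}"
        )

    # A Reply-To pointing at a different domain than From is a second common
    # impersonation indicator: replies go to the attacker, not the named sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        reply_domain = sender_domain(reply_addr)
        if reply_domain != domain:
            findings.append(
                f"Reply-To domain {reply_domain!r} differs from From domain {domain!r}"
            )
    return findings


if __name__ == "__main__":
    for label, message in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, check_sender_impersonation(message))
```

A directory keyed on display name is deliberately simple; in production the same check would also consult SPF/DKIM results and the organisation's address book, since a lookalike name with a minor spelling variation would slip past an exact-match dictionary.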

Local sources estimate that the attack on the lower house of parliament, which started in late May, could have resulted in the theft of data from up to 20,000 PCs and could cost millions to clean up, although Bild claims that only 15 machines were targeted and five had data stolen from them. Some claims that the entire network would have to be rebuilt have now been downplayed.

May's attack has been blamed on Russia, and despite the possibility of attackers using the country as a proxy, or of this being some kind of false-flag operation, as was claimed in the TV5 Monde hack, surveillance agencies are sticking to that view.

RT reports that Germany's domestic intelligence service head, Hans-Georg Maassen, told a conference last Thursday that this last attack may have been carried out by a “foreign intelligence service.”

"My service has always repeatedly confirmed that in any case the cyber-attacks on Russian services are highly qualified and give us great concern."

In a blog post published yesterday, German software security firm G Data Security Labs reported that the German Parliament was being hit by a second wave of Trojan attacks, this time via new variants of the online banking Trojan 'Swatbanker'.

“The G Data analyses show that new variants of the online banking Trojan Swatbanker have been used,” reads the firm's blog post. “Investigation of the configuration files embedded in the malware has shown that the operators of the Swatbanker botnet integrated new filter functions for the domain "Bundestag.btg" between 8 and 10 June 2015. This is the address for the Bundestag's intranet.

“In the opinion of G Data, it cannot be ruled out that this attack has once again defeated the anti-virus solution used in the Bundestag”.

The firm added that Swatbanker would collect all data entered into forms, plus data about the browser and the websites last visited, and transfer this to the attackers. Server responses would also be monitored, so the attackers could use what they learned to target the relevant server. Banking Trojans can be adapted to suit a victim's location.

Eddy Willems, security evangelist at G Data Security Labs, told SC that there were more questions than answers and, looking at the firm's own data, suggested there had been more than one attack, with more than one type of malware.

“We don't know exactly [details of the attack] at this moment in time, we're investigating it – is it one attack or two? My suspicion is that there is a second [Trojan] involved.”

Interestingly, he noted that Swatbanker is a successor to Cridex, of Russian origin, and said that the firm believes Swatbanker is the work of Russian hackers too.

Willems said that Swatbanker could have been hired by a nation-state or criminal group, adding that its spying capabilities could have been leveraged as part of some back-up plan.

“It could be a second type of attack, or used as a back-up mechanism.” Willems said that phishing was the likely entry point, though he noted that the firm was investigating any use of zero-day exploits.

He doesn't believe, however, that this second wave of attack is as professional as a nation-state's work, although he acknowledged this could be designed as some sort of red herring.

“Certainly, this second [wave] of attack doesn't look as professional in my eyes. However, you never know.”

As for the intranet compromise, he said that compromising it, and the server sitting on it, would serve up a wealth of sensitive data, potentially including credentials and other records.

Thomas Rid, professor in the Department of War Studies at King's College London, told SC that a lot of questions about the hack are still unanswered, such as whether this compromise was just of the Bundestag network or of others, whether the whole network is compromised or just endpoints, and who the mystery company was which informed the BfV of the breach (a company working for another country supposedly notified the BfV of C2 infrastructure and malware).

But he questioned the sophistication of the attack, saying that the media often promote attacks as sophisticated when they aren't so much.

“If it's the Bundestag network, it's not so difficult to do. Yes, it's some kind of APT actor, but it's medium range in terms of how difficult it is to do. It's probably a nation state, given the nature of the target…but it's not really exciting from a surveillance perspective.”

He added that Merkel would have been interesting as her PC may have given access to “more sensitive parts of the government network”.

He suspects Five Eyes helped with finding the attacker, and believes the Russians are the likely foe.

“The Russians, in this space, have a reputation of being way more sophisticated than anybody else outside Five Eyes,” he said, citing the ‘Moonlight Maze’ campaign against US government systems in 1998. “They've only got better since, so I wouldn't be surprised at all if it could be Russia.”

However, he added that there are quite a lot of misconceptions around attribution. “People assume that it can't be done, that you can't reach the levels needed to be accurate, but in many ways that's quite naïve,” he said, citing attacker MOs and the attribution work done in recent years on Flame and Equation.

This hybrid warfare is just one part of governments' efforts to destabilise other economies, and Rid says that the news should act as a ‘wake-up call’ for the German government, which has failed to prioritise cyber-security, and for industry too, where there are too few local security companies.

“Germany has not had a wake-up call in this space…the government has been dragging its feet on cyber-security.”

He added: “Within limits, the hype about cyber-war and cyber-security is useful, as it creates a market for security. In Germany, that hasn't really happened yet – they've been complacent.”
