German Bundestag breach: Two threat actors, two different Trojans?
German Bundestag breach: Two threat actors, two different Trojans?

German newspaper Bild reported last weekend that an office computer used by Merkel in the lower house of Parliament was amongst those to be infected by a Trojan horse. After infection, the hackers supposedly used her computer to send poisoned, phishing emails to other Bundestag members, claiming to be an invite to a conference. Instead, it contained a malicious link which, when opened, would infect recipients PC with malware.

However, earlier today, some doubt was cast over that line of thinking; with German blogger Alvar Freude pointing out that the email does not appear to come from Merkel's email account – but rather a Polish one using the name of the Chancellor.

Local sources estimate that the attack of the lower house of parliament, which started in late May, could have resulted in the theft of data from up to 20,000 PCs and could cost millions to clean up, although Bild claims that only 15 machines were targeted and five had data stolen from them. Some claims of the entire network having to be rebuilt have now been downplayed.

May's attack has been blamed on Russia, and despite the possibility of attackers using the country or a proxy, or this being some kind of false flag operation as claimed in the TV5 Monde hack, surveillance agencies are sticking to that view.

RT reports that Germany's domestic intelligence service head, Hans-Georg Maassen, told a conference last Thursday that this last attack may have been carried out by a “foreign intelligence service.”

"My service has always repeatedly confirmed that in any case the cyber-attacks on Russian services are highly qualified and give us great concern."

On a blog post posted yesterday, German software security firm G Data Security Labs reported that the German Parliament was being hit by a second wave of Trojan attacks, this time via new variants of online banking Trojan 'Swatbanker'.

“The G Data analyses show that new variants of the online banking Trojan Swatbanker have been used,” reads the firm's blog post. “Investigation of the configuration files embedded in the malware has shown that the operators of the Swatbanker botnet integrated new filter functions for the domain "Bundestag.btg" between 8 and 10 June 2015. This is the address for the Bundestag's intranet.

“In the opinion of G Data, it cannot be ruled out that this attack has once again defeated the anti-virus solution used in the Bundestag”.

The firm added that Swatbanker would collect all data entered onto forms, plus data about the browser and last websites visited, and transfer this to attackers. Server responses would also be watched, so attackers could use the attack to hit the relevant server. Banking Trojans can be adapted to suit a victim's location.

Eddy Willems, security evangelist at G Data Security Labs, told that there were more questions than answers and, looking at the firm's own data, suggested there has been more than one attack, with more than one type of malware.

“We don't know exactly [details of the attack] at this moment in time, we're investigating it – is it one attack or two? My suspicion is that there is a second [Trojan] involved.”