On Friday, Foreign Minister Annalena Baerbock said a German federal government investigation into who was behind the 2023 cyberattack on the SPD, a leading member of the governing coalition, had just concluded.
“Today we can say unambiguously [that] we can attribute this cyberattack to a group called APT28, which is steered by the military intelligence service of Russia,” she said at a news conference in the Australian city of Adelaide.
“In other words, it was a state-sponsored Russian cyberattack on Germany, and this is absolutely intolerable and unacceptable and will have consequences.”
APT28, also known as Fancy Bear or Pawn Storm, has been accused of dozens of cyberattacks around the world.
The attack on German Chancellor Olaf Scholz’s SPD was made public last year and blamed on a previously unknown vulnerability in Microsoft Outlook.
Germany’s Federal Ministry of the Interior said German companies, including in the defence, aerospace and information technology sectors, as well as targets related to Russia’s war in Ukraine were also a focus of the attacks.
German Interior Minister Nancy Faeser said the campaign was orchestrated by Russia’s military intelligence service GRU and began in 2022.
A German Federal Foreign Office spokesperson said on Friday that the acting charge d’affaires of the Russian embassy in Berlin has been summoned.
The cyberattack showed “that the Russian threat to security and peace in Europe is real and enormous”, the spokesperson said.
Russia has denied past allegations by Western governments of being behind cyberattacks. On Friday, its embassy in Germany said it “categorically rejected the accusations that Russian state structures were involved in the given incident … as unsubstantiated and groundless”.
The Czech Republic’s Ministry of Foreign Affairs said on Friday that the country’s institutions had also been targeted by APT28 by exploiting a vulnerability in Microsoft Outlook from 2023.
“Cyberattacks targeting political entities, state institutions and critical infrastructure are not only a threat to national security but also disrupt the democratic processes on which our free society is based,” the ministry said. It didn’t provide details about the targets.
The European Union condemned the “malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia”.
NATO said APT28 targeted “other national governmental entities, critical infrastructure operators” across the alliance, including in Lithuania, Poland, Slovakia and Sweden.
I strongly condemn #Russia’s malicious cyber activities against #NATO Allies, incl. #Germany & #Czechia. NATO remains committed to countering the substantial, continuous & increasing cyber threat. Read the statement:https://t.co/fDkRqLDemz
— Jens Stoltenberg (@jensstoltenberg) May 3, 2024
“We are determined to employ the necessary capabilities in order to deter, defend against and counter the full spectrum of cyberthreats to support each other, including by considering coordinated responses,” said the North Atlantic Council, the political decision-making body within NATO.
‘Concrete signs’ of Russian origin
The EU’s computer security response unit, CERT-EU, last year noted a German media report that an SPD executive had been targeted in a cyberattack in January 2023, “resulting in possible data exposure”.
It said there were reportedly “concrete signs” it was of Russian origin.
Baerbock spoke after a meeting with Australian Foreign Minister Penny Wong, who said: “We have previously joined the United States, UK, Canada and New Zealand in attributing malicious cyberactivity to APT28.”
It is not the first time that Russian hackers have been accused of spying on Germany.
In 2020, then-Chancellor Angela Merkel said Germany found “hard evidence” that Russian hackers had targeted her.
One of the most high-profile incidents so far blamed on Russian hackers was a cyberattack in 2015 that paralysed the computer network of Germany’s lower house of parliament, the Bundestag, forcing the entire institution offline for days while it was fixed.