When Claudia Haydt unwittingly discovered that the German parliament had been targeted with a hacking attack, she was sitting at her desk – and she was exasperated. Her office is on the first floor of a parliament office building located on the central Berlin boulevard Unter den Linden. Birch trees were flowering in the courtyard. Haydt, 50, is the office manager for parliamentarian Inge Höger of the Left Party and she was in the process of writing an email to an acquaintance named René. But she couldn't even get past the salutation. The small accent above the é refused to appear. Haydt pushed the key but nothing happened. She tried again and again. Nothing.
Finally, Haydt called 117, the tech support hotline for the Bundestag, Germany's parliament, and described the problem she was having. The technician, she remembers, suggested that she restart her computer. But that didn't help either. It was the afternoon of Friday, May 8, 2015.
On Monday, the problem with René's name reappeared, and again on Tuesday. Finally, a Bundestag computer technician dropped by and reinstalled Claudia Haydt's programs – but the accent refused to reappear.
That was when the German parliament's tech team knew something was wrong. What they didn't know, however, is that they had long since lost control over the Bundestag's computer network.
On that day in May 2015, a several weeks long digital battle began, the likes of which Germany had never seen before. It was as if a unit of foreign guerilla fighters had stormed the parliament building, occupied its nerve center and broke into the offices – except that this fight was taking place digitally. Ultimately, the offices of at least 16 parliamentarians were combed through, mail boxes copied, hard drives scrutinized and internal data, some of it likely classified, misappropriated.
Among the attackers' targets were the offices of German Chancellor Angela Merkel and of Bundestag Vice President Johannes Singhammer, a member of the Christian Social Union (CSU), the Bavarian sister party of Merkel's Christian Democrats (CDU). Social Democrat Martin Rabanus was also victimized as was Bettina Hagedorn, who is a member of the so-called Confidential Committee, which has parliamentary oversight of the budgets of Germany's intelligence agencies.
Once the attack was finally repelled, German federal prosecutors launched an investigation on suspicions of espionage and Merkel spoke of "hybrid warfare." Chancellery staff even considered launching counterattacks – because the government was convinced that the intruders were acting on behalf of a foreign country. To be more precise, they believed they came from Russia, from a unit of the country's military intelligence agency known as APT28, or "Fancy Bear."
It was these same cyberspies who infiltrated the Democratic Party in the United States last summer, hacking into the email account of Hillary Clinton's campaign chief John Podesta, among others. One of the emails, which were released publicly not long after they were stolen, showed how the party's leadership close to chairwoman Debbie Wasserman Schultz was scheming against the campaign of fellow Democrat Bernie Sanders. The incident cost Schultz her job and became a millstone around the neck of the Clinton campaign.
Then, last Friday night, just as the French presidential campaign was drawing to a close, documents from Emmanuel Macron's campaign headquarters suddenly appeared on a website – including emails, invoices and budget documents. The data dump came just before the legal deadline marking the end of the campaign – after which candidates are no longer allowed to speak publicly. Macron's team had mere minutes to send out a statement to the press. Fancy Bear was behind this attack as well.
How do these digital burglars work? How did they find their way into the German parliament? And will they also try to influence the German campaign by publishing internal documents in the weeks ahead?
It Begins with an Apparently Harmless Email
On April 30, just over a week before Claudia Haydt tried to write to her acquaintance René, several German parliamentarians received an email at the same time. The sender's address ended with @un.org, making it look like it was from the United Nations. In truth, though, it was from the hackers, from a server that the Bundestag firewall did not recognize as problematic. The email subject line read, "Ukraine conflict with Russia leaves economy in ruins," and contained a link to a supposed UN bulletin. Those who clicked on the link ended up on an internet site that looked like a UN page, but actually surreptitiously installed malware onto the computer of the mail's recipient – a so-called trojan.
Defenseless Against the Dangers of the Digital World
It is no longer possible to determine how many parliamentarians clicked on the link. What is certain, though, is that the trojans provided the hackers with a kind of digital backdoor into the Bundestag. They were now inside the German parliament's computer system.
The timing of the attack was not chosen at random. The next morning was May 1, a holiday. Behind the Reichstag, the German Trade Union Confederation was celebrating Labor Day, complete with bouncy castles for the kids, while inside the parliament, nothing was going on. The tech support division had the day off and the thieves could do their worst without fear of being disturbed.
Once they got into the system, they uploaded additional programs onto the Bundestag network, including one that combed through the memory of all computers connected to the system in the search for passwords. It only took a few hours before they had set up official access to the Bundestag network. On the computer system, the attackers now looked like a parliamentarian or a Bundestag staff member.
Defenseless Against the Dangers of the Digital World
One of the programs they used consists of just a couple of lines of code and is known in the hacker scene as Mimikatz. It can be downloaded from the internet for free. Its symbol is a kiwi.
Mimikatz conducts targeted searches for administrator passwords – and it is highly effective. In this case, it took several days rather than just a couple of hours, but ultimately the hackers had control of five of the six administrator accounts in the Bundestag network. From that point on, the computer system recognized the hackers as members of its own IT department and there were no doors left for the intruders to break down. They had a "silver ticket," as this kind of broad access is known among computer experts.
The Bundestag's computer system is the size of a small digital city. In spring 2015, it included more than 5,600 computers, 500 copiers and 130 printers. There were almost 12,000 registered users.
A total of 210 technicians were on staff at the time to secure and maintain the network, yet when Claudia Haydt called them on May 8 to report her accent problem, they were still completely oblivious to the break-in.
But a security firm with offices in the United Kingdom and Lithuania had noticed something. For some time, the company had been monitoring a foreign server from which several hacking attacks had already been launched. They noticed that the server was suddenly in contact with two computers belonging to the German Bundestag. Something was going on. On May 11, the company notified Germany's domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV).
On May 12, the day that technicians unsuccessfully analyzed Claudia Haydt's computer searching for the problem, the domestic intelligence agency forwarded the warning to the Bundestag and to the Federal Office for Information Security (BSI), based in Bonn. But it took three long days for the warning to wend its way through the bureaucracy. It was only on May 15 that the BSI sent an emergency team from Bonn to Berlin. A week had passed since Claudia Haydt's first call to the tech support team.
The BSI employs 660 people, but only 15 of them have the specialized knowledge necessary to thwart a digital attack of the kind that had targeted the German parliament. These experts are responsible for providing around-the-clock security to the German government's executive branch. As such, even in this crisis, the BSI was only able to provide the Bundestag with three experts.
The leader of the team is Dirk Häger, an austere bureaucrat who wears a suit and metal-rimmed glasses. Once arrived in Berlin, his people took stock. Which systems had been affected and how deeply had the hacker penetrated the system?
Häger printed out the log files from the Bundestag network, which included every connection made by a Bundestag computer to the internet in the several preceding days. Häger began going through them line-by-line, reading and sorting them. "It's repetitive work, like police officers looking for clues," he says.
It quickly became apparent that the hackers had infiltrated so many computers that radical measures were necessary – and the BSI team literally pulled the plug. Thousands of users suddenly found themselves confronted with a message saying they had one minute to save the documents they were working on – and then their screens went dark. Germany's parliament was offline – the only way to keep the intruders out.
Parliamentarians and their staff were shocked. They no longer had access to email and Google wasn't available either, but they initially assumed it was a just technical problem, some kind of silly mishap. Very few knew about the battle that was being fought in the background. CSU member Reinhard Brandl spoke for many when he wondered why they couldn't at least have been given a five-minute warning.
The Attack Could Have Been Prevented
The domestic intelligence agency offered the three-person BSI team its assistance, but the parliamentarians, who had by now been informed of the hacking attack, rejected the offer. They were concerned that the agency could seek to spy on them as well. Instead, the Bundestag administration commissioned a private IT firm for assistance, a University of Karlsruhe spin-off company with which the BSI had worked several times in the past. Two employees from the company began searching through the parliament's server for peculiar software.
The Office for Information Security team tried to save what could be saved, but their work also made it clear just how ill-prepared the Bundestag had been in the face of the dangers of the digital age – and how poorly German agencies worked together.
The BSI maintains a black list including some 160,000 servers around the world that have been identified as dangerous. But because the BSI is only responsible for the executive branch's computer system, and not for the parliamentary network, it had not forwarded this list on to the Bundestag – a step that was only taken months after the attack. Bundestag technicians also maintained a black list, but it only included some 5,000 servers. Information pertaining to suspicious servers, complains the responsible division head in the Bundestag administration, "only reaches the Bundestag late or not at all."
With its entryway metal detectors, the Bundestag is well-protected against attackers armed with guns or knives. But it was virtually defenseless against the threats presented by the digital world.
"Bettina, Just Stay Cool!"
As it would later become clear, the BSI was even familiar with the server the hackers had used. On April 13, two weeks before the attack on the Bundestag, the agency had blocked all data originating from the server. That move protected the executive branch, but not the Bundestag. If the authorities had contacted each other earlier, the attack could have been prevented.
And now that the intruder was already inside and the BSI was attempting to help, the problems continued. Neither Dirk Häger and his team, nor the company in Karlsruhe, knew enough about the inner workings of the Bundestag's network, so they turned to experts at T-Systems, a subsidiary of Deutsche Telekom, for help.
Now three BSI employees, two from the company in Karlsruhe and one from T-Systems were working to repel the hackers' attack on the German parliament. Six men battling the great unknown.
One day after they pulled the plug, IT specialists reconnected the Bundestag to the internet, having installed a short-term redirect for all data traffic. Parliamentary email and internet access now ran through the heavily secured network of the executive branch, which had just four internet access points, each monitored by the BSI specialists like bouncers. This provided them with their first detailed look at the data that was flowing in and out of the Bundestag.
Michael Hange, who headed the BSI at the time, told the parliament's Advisory Committee that the attackers were "deeply anchored in the systems and would be moving around relatively conspicuously because, based on their experience, they no longer had to fear removal using basic methods."
The emergency team was able to determine the individual victims of the hackers – people like Martin Rabanus and Bettina Hagedorn, both of whom are SPD members of parliament, and Bundestag Vice President Joahnnes Singhammer, of the CSU.
Rabanus has been a member of parliament only since 2013. From Fulda, he has a corner office in one of the parliament's office buildings, from which he has a view of the glass roof of Berlin's central station and of the Chancellery right next to it.
In December 2014, a few months before the hacking attack, Rabanus had traveled to Kiev and Moscow with a Bundestag delegation. Members of the delegation met with the Ukrainian government's education and science minister and criticized the annexation of Crimea by Russia as a violation of international law. In Moscow, they called for a solution to the Ukraine conflict.
Now, in a phone call with his secretary, Rabanus was alerted that his office had been spied on. The Bundestag's administration would later inform him that data from a computer in his office's antechamber had been copied over the course of two days.
The MP was confused. "I never considered the idea that the attack might have been directed specifically at my office or my person," he says. But Rabanus says he can imagine what the goal of the spying might have been. "Perhaps someone wanted to gather munition to personally vilify decision-makers," he says.
The Attackers' Tracks Lead to Moscow
Fellow SPD parliamentarian Bettina Hagedorn, a trained jeweler from Schleswig-Holstein, serves on the Bundestag's Confidential Committee. The nine members of this committee are the only members of parliament who know how much money German intelligence services receive and how it is spent. Hagedorn is familiar with the requests made and projects pursued by the BND foreign intelligence service, the military counterintelligence service (MAD) and the domestic intelligence agency BfV.
Despite her knowledge of the country's intelligence services, though, Hagedorn admits to knowing little about computers. "Technically," she says, "I'm a total failure." The news that someone had deeply penetrated her computer, was reading her emails and was monitoring her messages, bothered her. When she learned of the breach, she says she took a deep breath and told herself: "Bettina, just stay cool!"
In the weeks and months that followed, Hagedorn traveled frequently back home to her constituents in places like the Baltic Sea island of Fehmarn or Bad Schwartau, a town famous in Germany for its jams. She avoided Berlin to the extent possible, particularly the Bundestag – which she describes as "self-defense." Hagedorn was overcome with the same kind of feeling people get when their homes are broken into: She no longer felt safe in her own space. If the point of the attackers had been to rattle Germany's elected representatives, they had succeeded in the case of Bettina Hagedorn.
But if their target had been the Confidential Committee's secret documents, they failed, because these papers are not distributed digitally. They are delivered on paper by curriers, just like in the days before computers. Hagedorn even had to have a steel safe specially installed in her office to store the documents. "But whoever it was who was interested in me could not have known that," she says.
Bundestag Vice President Johannes Singhammer, for his part, was lucky by comparison. At the height of the May 2015 attack, IT technicians suddenly showed up at his office and removed his computer. And it seems they got there just in time: No data had apparently been siphoned from his computer. But Singhammer was troubled nonetheless. "We cannot downplay this in any way," he says.
IT specialists would later find an additional spyware program called XTunnel on the computer of Left Party staffer Claudia Haydt that the attackers installed remotely. Unlike Mimikatz, this program can't simply be downloaded from the internet – it was programmed especially for attacks of this kind. It also has a digital signature: It would be used again later in the hack of the Democratic Party in the United States.
Where were the attacks really coming from?
Not trusting the official BSI investigation, the Left Party turned to Claudio Guarnieri, a 29-year-old Italian from Milan who lives in Berlin, for assistance. Formerly a hacker himself, Guarnieri now works for Amnesty International. He made a name for himself in the scene by fighting on behalf of digital surveillance victims and because of his ability to dissect spyware with the cool precision of a forensic scientist. He examined both Left Party computers that had been attacked.
In addition to XTunnel, Guarnieri found an other software program used by the intruders. He disassembled it into its component parts and stumbled across the address of the server used to conduct the attacks: 18.104.22.168.
Every computer connected to the internet is assigned a unique combination of numbers called an IP address, not unlike a car's license plate. At the time of the Berlin attack, the IP address 22.214.171.124 was assigned to the French internet firm OVH in Paris, located close to the Seine River. But Guarnieri learned that the French company had a subtenant and that the server was actually administered by a Pakistani company in the small city of Kakra Town, located southeast of Islamabad.
In the course of their investigations, German security authorities determined that the server's communications with the Bundestag had been disguised with the name bitcoin-dn.hosting – a name meant to sound unsuspicious, as if it were a provider of the internet currency bitcoin. This computer would also be involved in the subsequent attack on the Democrats in the U.S. in addition to a hack on the World Anti-Doping Agency (WADA). It was also used in a failed attack on CDU national party headquarters in Berlin in April and May of 2016. The server has since been taken offline.
A server in Paris, a firm in Islamabad: Where were the attacks really coming from?
It is striking that all of the attacks in some way serve Russia's foreign policy interests. That alone, though, is not enough to prove that Fancy Bear operates out of Moscow. The tracks that the hackers left behind in the Bundestag are only clues and not proof that could stand up in court. But the group has made several mistakes over the years.
Authorized Directly by the Kremlin
German intelligence agencies say that one of the servers the group uses for its attacks can be traced to a Russian who investigators consider to be a frontman for Russia's GRU military intelligence service.
Then, in the Macron attack, metadata was discovered in an Excel document showing who had worked on the file. It includes the name Georgy Petrovitch Roshka, a young Russian who appears to work for a Moscow-based security firm called Eureka CJSC. The firm maintains close ties with Russian intelligence services and with the military. Roshka did not respond to an email from DIE ZEIT requesting comment.
There was also an unexpected occurrence during an earlier Fancy Bear attack: The amount of stolen data was so great that it had to be rerouted through a cloud server. For a certain amount of time, there was no active encryption. Suddenly an open connection had been exposed, leading to northeastern Moscow, where Russia's GRU intelligence service is based in a building complex referred to internally as the "Aquarium." The program that the attackers used to transport the data to Moscow was also found on the Bundestag computers in Germany and those of the Democratic Party in the United States.
GRU is likely Russia's most powerful intelligence agency. The man who leads it, General Igor Korobov, is one of President Vladimir Putin's advisers. There is a joke that GRU employees like to tell that says a lot about the intelligence agency's self-image: What kinds of fish swim in the aquarium? Just one. Piranhas.
At the time of the inauguration of the intelligence agency's new headquarters at Moscow's northwest periphery in 2006, Putin landed in a helicopter on the heliport that crowns its roof. Russian state television images show a masked agent wearing camouflage handing a pistol to former KGB man Putin. The president then casually sauntered up to the firing range, his left hand in the pocket of his suit pants, lifted the weapon and fired at the target. Once a secret service man, it seems, always a secret service man.
Putin said at the time that GRU's agents are the "eyes and the ears" of the Russian military around the world.
In 1996, the then-head of the National Security Agency (NSA) in the U.S. said that "control of information technology will be key to power in the 21st century." A short time later, the Russians succeeded for the first time in infiltrating the networks of the U.S. Navy, the U.S. Department of Energy and NASA. The operation, codenamed Moonlight Maze, made history.
In an essay published in February 2013, then Russian military chief of staff Valery Vasilyevich Gerasimov sketched out his vision of a modern army. In the networked age, Gerasimov wrote, political goals can no longer be achieved exclusively by means of conventional military power. Instead, such means must be augmented by the "broad deployment of disinformation" aimed at strengthening the protest potential of the populace – through leaked documents, for example.
For a former world power like Russia, the internet offers excellent opportunities to exercise political influence. A destabilized West whose inconsistencies are brought to light through the publication of the elite's internal documents helps the Kremlin not only politically, but also morally. Dirty details like those of Hillary Clinton's appearances at major banks make it easier for Putin to counter the West's reproach of Russia's alleged democratic deficiencies. His message: Don't lecture us about human rights and democracy – you should be taking a closer look at your own shortcomings.
The destabilization of the European Union, which still maintains a sanctions regime against Moscow, would also mean a shifting of the geopolitical balance in Russia's favor. Donald Trump, meanwhile, has declared reconciliation with Russia to be one of his most important foreign policy goals. And Marine Le Pen declared that she would like to "destroy" the EU and loosen France's ties with the West.
Authorized Directly by the Kremlin
From the Russian perspective, there were plenty of reasons to intervene on behalf of Trump and Le Pen in the recent election campaigns, even if it wasn't enough to propel Le Pen to victory in France.
"The West still hasn't understood well enough the possibilities of cyberspace," says Dmitri Alperovitch. Alperovitch is a short, stocky man with parted blond hair who is standing in a broadly cut, sand-colored suit on this evening in the bar of a Munich hotel. Alperovitch has been monitoring the Russian intelligence services' internet activity since 2007. Together with a colleague, he's the one who gave the Russian hacker group the name Fancy Bear.
Born in Moscow, Alperovitch was 13 when his parents emigrated to the United States. He's in his mid-30s today, but he doesn't want to reveal his precise age out of fear the Russians might use his personal data in a spying attack. A lot of damage can be done online if you know a person's date of birth and other details, such as their American Social Security number.
When suspicions arose in early 2016 that the Democratic Party in Washington had been hacked, the Democrats didn't call the FBI first. Rather, they turned to Alperovitch and his IT firm CrowdStrike for help. Trump has openly disparaged CrowdStrike several times as "some company" where some "pretty bad things" were happening.
After the Democrats called for help, Alperovitch and his staff spent six weeks battling Fancy Bear. The attack was similar to the one perpetrated against the Bundestag.
Alperovitch says he believes several thousand employees at GRU's "Aquarium" headquarters are involved in online operations like the ones in Washington and Berlin. Indeed, the internet has created an entire new branch of the espionage industry.
Presumably, not even the Russians believed that Trump could actually win the election. Clinton, of course, ultimately lost because she ran a weak campaign and not primarily because of Fancy Bear. But the leaking of her staff's mails last fall did contribute to a shift in sentiment in the country. "The historical lesson for Putin is: You can do it and you get away with it," says Alperovitch.
Does that also apply to Germany?
The BSI's battle to drive out the hackers lasted until May 20, 2015, with the agency's experts eliminating the malware computer by computer. Even on the very last day of the fight, the thieves were still capturing data from the office of SPD parliamentarian Martin Rabanus.
For most of the parliamentarians who were spied on, explanations can be found for why they might have been of interest to Russian hackers. Rabanus had visited Kiev and Moscow a short time earlier. Bettina Hagedorn possessed classified knowledge of the workings of the German intelligence services. Johannes Singhammer, as vice president of the Bundestag, had insights into many of its internal operations. Inge Höger of the Left Party is a politician viewed as being sympathetic toward Moscow. And the chancellor, of course, is always interesting, even if the spying was only aimed at her parliamentary office and not at the Chancellery. But it is nevertheless surprising that the hackers failed to breach the computers of a single member of parliament's Foreign Relations Committee. No leader of a party caucus in parliament got hacked, either.
Or is it possible that they were?
The hackers had already been at work for two weeks by the time the BSI emergency team arrived on the scene. But the Bundestag only logs the traffic on its network for a period of seven days, with the data disappearing after that. Nobody knows for sure what happened during the first days of the break-in.
Will Germany Strike Back?
It's not possible to retrace which members of parliament or what staff members clicked on the purported United Nations link that commenced the attack. Nor do we know the exact number of computers the hackers ultimately breached. Officials at the BSI are certain that the offices of 16 members of parliament were infected and that the attackers installed malware in at least 25 places. The stolen data, 16 gigabytes of it, was transferred to nine servers located around the world.
Because the data was encrypted before it was sent, investigators don't even know exactly what was stolen. They do, however, know that the hackers targeted "locally stored Outlook data" as well as Office documents. "The data that got siphoned off," says Dirk Häger, the head of emergency response at BDI, were "primarily complete mailboxes." Only the parliamentarians know what they wrote in their emails. They and the hackers.
What Should the German Government Do?
In January 2016, about two months after the BSI had completed its investigation, Merkel's staff asked them to attend a meeting at the Chancellery. Initially, the invite list included representatives of the BND, the BfV and the Federal Interior Ministry, but officials at the Foreign and Defense ministries were later added. The question under discussion was: How should Germany respond to the Russian hacker attack?
The intelligence services were tasked with drafting a situation report on Russia's confrontation course, with Chancellor Merkel herself wanting to know the background. Shortly before Christmas 2016, the BND and BfV presented a top secret report stating it "could be determined that present-day Russia centrally controls its influencing activities directed against the West." Cyberoperations like the one perpetrated against the Bundestag, which seek to "exert influence, and presumeably also to spread disinformation and propaganda on a grand scale," were likely "directly authorized by the presidential administration in the Kremlin and left up to the services to carry out." In other words: German intelligence is convinced Vladimir Putin is behind Fancy Bear.
So, what options does the German government have? Higher and better digital walls? More security staff at the BSI? Perhaps even counterstrikes? The latter has the potential to unleash a cyberwar with Russia, a form of conflict that Germany has no experience with and in which it would be hopelessly overmatched. It is still under consideration nonetheless.
The Foreign Ministry sees the Bundestag hack as "a violation of Germany's sovereignty, if not an attempt to interfere with our country's domestic affairs." Such is the view of Dirk Roland Haupt, who is responsible for international cyberpolicy at the ministry. If an attack can clearly be identified as having come from a specific country, Haupt argues, "then Germany has the right to take countermeasures." Internally, the term used in German government discussions is "hackback."
Is Germany planning to strike back?
The Foreign Ministry presented its position to the Chancellor, but Merkel and Chief of Staff Peter Altmaier decided against launching a retaliatory strike. Nobody knows, they reasoned, how Putin might respond. At the end of March 2017, the German Security Council – which includes the chancellor, her chief of staff and a handful of important ministers – decided instead to draft a law providing a legal framework for digital counterattacks in preparation for future hacking incidents.
The Chancellery also backtracked on the intelligence file that identified the Kremlin as having been ultimately responsible for the hacking attack. The plan had been to release an abridged version of the report to the public as a way of sending a clear signal to Moscow. But in the meantime, Donald Trump had been elected president of the U.S. and it was no longer clear who Germany's allies were and who its enemies. Altmaier was not interested in further escalation and the file remained classified.
Instead, a Chancellery emissary delivered a stern warning during a visit to Moscow that the Germans would no longer accept such espionage. The Russians rejected all accusations.
Today, two years after the attack, the Bundestag hack still weighs on German-Russian relations. Last week, Merkel flew to Russia for the first time since the breech, where she addressed the issue with Putin during a meeting at his summer residence in Sochi. Russia, Putin responded with a frosty smile, "never interferes in the domestic affairs of other countries."
Merkel responded sharply by saying that she assumes "German parties will be able to decide their election campaign among themselves."
Thus far, none of the stolen data has made an appearance, "but we expect it will," says Andreas Könen, head of cybersecurity in the Interior Ministry. Often, it is just a clause about a colleague in an email that makes waves in public. Or the misuse of public funds documented in the correspondence.
Will such words or numbers appear in Germany in the future, brought to the public's attention by the Russians?
The campaign might get dirty, Merkel recently warned her colleagues in the CDU's national executive committee.
It is also possible, though, that the information will never see the light of day – perhaps the emails written by German parliamentarians are simply too boring. In comparison to Washington, where political conspiracies are part of day-to-day life, Berlin politics sometimes seems like a boys and girls club. And perhaps the Russians don't currently have an interest in heating up the debate any further.
It is likely that the spies have long since analyzed all the emails, Word documents and PDF files in the search for new espionage targets. Since last year, the GRU is thought to have perpetrated more than 70 new cyberattacks in Germany. On August 15 and 24 last year, for example, Fancy Bear launched several attacks on the SPD caucus in the German parliament, on the Left Party and on the CDU's state chapter in Saarland. Green Party parliamentarian Marieluise Beck was also targeted. The bears have long since begun their search for new prey.
The digital break-in at the German parliament was a "wake-up call," says Arne Schönbohm, the new president of the BSI. "Now we can prepare for the next one."
Schönbohm, though, didn't say: Now we are prepared. And apparently with good reason. In early 2017, the Bundestag commissioned the company secunet Security Networks to examine the parliamentary network. In a confidential report, which DIE ZEIT has seen, the company simulated an attack similar to the one that took place two years ago and reached the conclusion that, depending on circumstances, an intruder could still "navigate the network unhindered and obtain data." Unsecured access points still exist via USB ports, which "constitute gateways for malware and provide opportunities to pilfer data." Furthermore, much of the data traffic in the Bundestag still hasn't been encrypted.
The hackers who went after the Democratic Party in Washington published some of the files they stole on WikiLeaks, while other information was posted on a site called dcleaks.com, which had been set up expressly for that purpose. In France, the data ended up on "emleaks," a reference to Macron's En Marche movement.
A few months ago, on January 13, unknown persons registered a site called btleaks.com, a site which could well stand for Bundestag leaks.
The site hasn't yet gone online.
With reporting by Alice Bota
Translated by Charles Hawley and Daryl Lindsey