When Claudia Haydt unwittingly discovered that the German parliament had been targeted with a hacking attack, she was sitting at her desk – and she was exasperated. Her office is on the first floor of a parliament office building located on the central Berlin boulevard Unter den Linden. Birch trees were flowering in the courtyard. Haydt, 50, is the office manager for parliamentarian Inge Höger of the Left Party and she was in the process of writing an email to an acquaintance named René. But she couldn't even get past the salutation. The small accent above the é refused to appear. Haydt pushed the key but nothing happened. She tried again and again. Nothing.
Finally, Haydt called 117, the tech support hotline for the Bundestag, Germany's parliament, and described the problem she was having. The technician, she remembers, suggested that she restart her computer. But that didn't help either. It was the afternoon of Friday, May 8, 2015.
On Monday, the problem with René's name reappeared, and again on Tuesday. Finally, a Bundestag computer technician dropped by and reinstalled Claudia Haydt's programs – but the accent refused to reappear.
That was when the German parliament's tech team knew something was wrong. What they didn't know, however, was that they had long since lost control over the Bundestag's computer network.
On that day in May 2015, a weeks-long digital battle began, the likes of which Germany had never seen before. It was as if a unit of foreign guerilla fighters had stormed the parliament building, occupied its nerve center and broken into the offices – except that this fight was taking place digitally. Ultimately, the offices of at least 16 parliamentarians were combed through, mailboxes copied, hard drives scrutinized and internal data, some of it likely classified, misappropriated.
Among the attackers' targets were the offices of German Chancellor Angela Merkel and of Bundestag Vice President Johannes Singhammer, a member of the Christian Social Union (CSU), the Bavarian sister party of Merkel's Christian Democrats (CDU). Social Democrat Martin Rabanus was also victimized as was Bettina Hagedorn, who is a member of the so-called Confidential Committee, which has parliamentary oversight of the budgets of Germany's intelligence agencies.
Once the attack was finally repelled, German federal prosecutors launched an investigation on suspicions of espionage and Merkel spoke of "hybrid warfare." Chancellery staff even considered launching counterattacks – because the government was convinced that the intruders were acting on behalf of a foreign country. To be more precise, they believed they came from Russia, from a unit of the country's military intelligence agency known as APT28, or "Fancy Bear."
It was these same cyberspies who infiltrated the Democratic Party in the United States last summer, hacking into the email account of Hillary Clinton's campaign chief John Podesta, among others. One of the emails, which were released publicly not long after they were stolen, showed how the party's leadership close to chairwoman Debbie Wasserman Schultz was scheming against the campaign of fellow Democrat Bernie Sanders. The incident cost Schultz her job and became a millstone around the neck of the Clinton campaign.
Then, last Friday night, just as the French presidential campaign was drawing to a close, documents from Emmanuel Macron's campaign headquarters suddenly appeared on a website – including emails, invoices and budget documents. The data dump came just before the legal deadline marking the end of the campaign – after which candidates are no longer allowed to speak publicly. Macron's team had mere minutes to send out a statement to the press. Fancy Bear was behind this attack as well.
How do these digital burglars work? How did they find their way into the German parliament? And will they also try to influence the German campaign by publishing internal documents in the weeks ahead?
It Begins with an Apparently Harmless Email
On April 30, just over a week before Claudia Haydt tried to write to her acquaintance René, several German parliamentarians received an email at the same time. The sender's address ended with @un.org, making it look like it was from the United Nations. In truth, though, it was from the hackers, from a server that the Bundestag firewall did not recognize as problematic. The email subject line read, "Ukraine conflict with Russia leaves economy in ruins," and contained a link to a supposed UN bulletin. Those who clicked on the link ended up on an internet site that looked like a UN page, but actually surreptitiously installed malware onto the computer of the mail's recipient – a so-called trojan.