It is no longer possible to determine how many parliamentarians clicked on the link. What is certain, though, is that the trojans provided the hackers with a kind of digital backdoor into the Bundestag. They were now inside the German parliament's computer system.
The timing of the attack was not chosen at random. The next morning was May 1, a holiday. Behind the Reichstag, the German Trade Union Confederation was celebrating Labor Day, complete with bouncy castles for the kids, while inside the parliament, nothing was going on. The tech support division had the day off and the thieves could do their worst without fear of being disturbed.
Once they got into the system, they uploaded additional programs onto the Bundestag network, including one that combed through the memory of all computers connected to the system in search of passwords. It only took a few hours before they had set up official access to the Bundestag network. On the computer system, the attackers now looked like a parliamentarian or a Bundestag staff member.
Defenseless Against the Dangers of the Digital World
One of the programs they used consists of just a couple of lines of code and is known in the hacker scene as Mimikatz. It can be downloaded from the internet for free. Its symbol is a kiwi.
Mimikatz conducts targeted searches for administrator passwords – and it is highly effective. In this case, it took several days rather than just a couple of hours, but ultimately the hackers had control of five of the six administrator accounts in the Bundestag network. From that point on, the computer system recognized the hackers as members of its own IT department and there were no doors left for the intruders to break down. They had a "silver ticket," as this kind of broad access is known among computer experts.
The Bundestag's computer system is the size of a small digital city. In spring 2015, it included more than 5,600 computers, 500 copiers and 130 printers. There were almost 12,000 registered users.
A total of 210 technicians were on staff at the time to secure and maintain the network, yet when Claudia Haydt called them on May 8 to report her accent problem, they were still completely oblivious to the break-in.
But a security firm with offices in the United Kingdom and Lithuania had noticed something. For some time, the company had been monitoring a foreign server from which several hacking attacks had already been launched. They noticed that the server was suddenly in contact with two computers belonging to the German Bundestag. Something was going on. On May 11, the company notified Germany's domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV).
On May 12, the day that technicians unsuccessfully analyzed Claudia Haydt's computer searching for the problem, the domestic intelligence agency forwarded the warning to the Bundestag and to the Federal Office for Information Security (BSI), based in Bonn. But it took three long days for the warning to wend its way through the bureaucracy. It was only on May 15 that the BSI sent an emergency team from Bonn to Berlin. A week had passed since Claudia Haydt's first call to the tech support team.
The BSI employs 660 people, but only 15 of them have the specialized knowledge necessary to thwart a digital attack of the kind that had targeted the German parliament. These experts are responsible for providing around-the-clock security to the German government's executive branch. As such, even in this crisis, the BSI was only able to provide the Bundestag with three experts.
The leader of the team is Dirk Häger, an austere bureaucrat who wears a suit and metal-rimmed glasses. Once they had arrived in Berlin, his people took stock. Which systems had been affected and how deeply had the hackers penetrated the system?
Häger printed out the log files from the Bundestag network, which included every connection made by a Bundestag computer to the internet over the preceding several days. Häger began going through them line by line, reading and sorting them. "It's repetitive work, like police officers looking for clues," he says.
It quickly became apparent that the hackers had infiltrated so many computers that radical measures were necessary – and the BSI team literally pulled the plug. Thousands of users suddenly found themselves confronted with a message saying they had one minute to save the documents they were working on – and then their screens went dark. Germany's parliament was offline – the only way to keep the intruders out.
Parliamentarians and their staff were shocked. They no longer had access to email and Google wasn't available either, but they initially assumed it was just a technical problem, some kind of silly mishap. Very few knew about the battle that was being fought in the background. CSU member Reinhard Brandl spoke for many when he wondered why they couldn't at least have been given a five-minute warning.