It's not possible to retrace which members of parliament or what staff members clicked on the purported United Nations link that commenced the attack. Nor do we know the exact number of computers the hackers ultimately breached. Officials at the BSI are certain that the offices of 16 members of parliament were infected and that the attackers installed malware in at least 25 places. The stolen data, 16 gigabytes of it, was transferred to nine servers located around the world.
Because the data was encrypted before it was sent, investigators don't even know exactly what was stolen. They do, however, know that the hackers targeted "locally stored Outlook data" as well as Office documents. "The data that got siphoned off," says Dirk Häger, the head of emergency response at BDI, were "primarily complete mailboxes." Only the parliamentarians know what they wrote in their emails. They and the hackers.
What Should the German Government Do?
In January 2016, about two months after the BSI had completed its investigation, Merkel's staff asked them to attend a meeting at the Chancellery. Initially, the invite list included representatives of the BND, the BfV and the Federal Interior Ministry, but officials at the Foreign and Defense ministries were later added. The question under discussion was: How should Germany respond to the Russian hacker attack?
The intelligence services were tasked with drafting a situation report on Russia's confrontation course, with Chancellor Merkel herself wanting to know the background. Shortly before Christmas 2016, the BND and BfV presented a top secret report stating it "could be determined that present-day Russia centrally controls its influencing activities directed against the West." Cyberoperations like the one perpetrated against the Bundestag, which seek to "exert influence, and presumably also to spread disinformation and propaganda on a grand scale," were likely "directly authorized by the presidential administration in the Kremlin and left up to the services to carry out." In other words: German intelligence is convinced Vladimir Putin is behind Fancy Bear.
So, what options does the German government have? Higher and better digital walls? More security staff at the BSI? Perhaps even counterstrikes? The latter has the potential to unleash a cyberwar with Russia, a form of conflict that Germany has no experience with and in which it would be hopelessly overmatched. It is still under consideration nonetheless.
The Foreign Ministry sees the Bundestag hack as "a violation of Germany's sovereignty, if not an attempt to interfere with our country's domestic affairs." Such is the view of Dirk Roland Haupt, who is responsible for international cyberpolicy at the ministry. If an attack can clearly be identified as having come from a specific country, Haupt argues, "then Germany has the right to take countermeasures." Internally, the term used in German government discussions is "hackback."
Is Germany planning to strike back?
The Foreign Ministry presented its position to the Chancellor, but Merkel and Chief of Staff Peter Altmaier decided against launching a retaliatory strike. Nobody knows, they reasoned, how Putin might respond. At the end of March 2017, the German Security Council – which includes the chancellor, her chief of staff and a handful of important ministers – decided instead to draft a law providing a legal framework for digital counterattacks in preparation for future hacking incidents.
The Chancellery also backtracked on the intelligence file that identified the Kremlin as having been ultimately responsible for the hacking attack. The plan had been to release an abridged version of the report to the public as a way of sending a clear signal to Moscow. But in the meantime, Donald Trump had been elected president of the U.S. and it was no longer clear who Germany's allies were and who its enemies. Altmaier was not interested in further escalation and the file remained classified.
Instead, a Chancellery emissary delivered a stern warning during a visit to Moscow that the Germans would no longer accept such espionage. The Russians rejected all accusations.
Today, two years after the attack, the Bundestag hack still weighs on German-Russian relations. Last week, Merkel flew to Russia for the first time since the breach, where she addressed the issue with Putin during a meeting at his summer residence in Sochi. Russia, Putin responded with a frosty smile, "never interferes in the domestic affairs of other countries."
Merkel responded sharply by saying that she assumes "German parties will be able to decide their election campaign among themselves."
Thus far, none of the stolen data has made an appearance, "but we expect it will," says Andreas Könen, head of cybersecurity in the Interior Ministry. Often, it is just a clause about a colleague in an email that makes waves in public. Or the misuse of public funds documented in the correspondence.
Will such words or numbers appear in Germany in the future, brought to the public's attention by the Russians?
The campaign might get dirty, Merkel recently warned her colleagues in the CDU's national executive committee.
It is also possible, though, that the information will never see the light of day – perhaps the emails written by German parliamentarians are simply too boring. In comparison to Washington, where political conspiracies are part of day-to-day life, Berlin politics sometimes seems like a boys and girls club. And perhaps the Russians don't currently have an interest in heating up the debate any further.
It is likely that the spies have long since analyzed all the emails, Word documents and PDF files in the search for new espionage targets. Since last year, the GRU is thought to have perpetrated more than 70 new cyberattacks in Germany. On August 15 and 24 last year, for example, Fancy Bear launched several attacks on the SPD caucus in the German parliament, on the Left Party and on the CDU's state chapter in Saarland. Green Party parliamentarian Marieluise Beck was also targeted. The bears have long since begun their search for new prey.
The digital break-in at the German parliament was a "wake-up call," says Arne Schönbohm, the new president of the BSI. "Now we can prepare for the next one."
Schönbohm, though, didn't say: Now we are prepared. And apparently with good reason. In early 2017, the Bundestag commissioned the company secunet Security Networks to examine the parliamentary network. In a confidential report, which DIE ZEIT has seen, the company simulated an attack similar to the one that took place two years ago and reached the conclusion that, depending on circumstances, an intruder could still "navigate the network unhindered and obtain data." Unsecured access points still exist via USB ports, which "constitute gateways for malware and provide opportunities to pilfer data." Furthermore, much of the data traffic in the Bundestag still hasn't been encrypted.
The hackers who went after the Democratic Party in Washington published some of the files they stole on WikiLeaks, while other information was posted on a site called dcleaks.com, which had been set up expressly for that purpose. In France, the data ended up on "emleaks," a reference to Macron's En Marche movement.
A few months ago, on January 13, unknown persons registered a site called btleaks.com, a name that could well stand for Bundestag leaks.
The site hasn't yet gone online.
With reporting by Alice Bota
Translated by Charles Hawley and Daryl Lindsey