State-sponsored Russian hackers are targeting German political parties with fake dinner invites to deploy malware, establish persistence, and exfiltrate data.
Alphabet’s cybersecurity firm Mandiant said it observed hackers allied to Russia’s foreign spy agency trying to trick German politicians into clicking a link in a phishing email inviting them to a March 1 dinner apparently hosted by the Christian Democratic Union (CDU).
The Google Cloud firm attributed the phishing campaign to a hacking group linked to Russia’s Foreign Intelligence Service (SVR) known as APT29, Cozy Bear, NOBELIUM, or Midnight Blizzard.
On March 22, 2024, Mandiant said it detected the Russian hackers’ activity in late February and determined it was consistent with APT29’s cyber campaigns since 2021.
Russian hackers target German political parties with backdoors
Since Feb 26, 2024, APT29 has targeted German political parties with malicious emails linking to its site “waterforvoiceless[.]org/invite.php.”
The email contains an external link that delivers a ZIP archive containing the ROOTSAW malware dropper, which in turn deploys the second-stage WINELOADER backdoor.
The Google Cloud firm believes WINELOADER is linked to Russia’s SVR and was used in other hacking campaigns targeting diplomatic missions in Germany, Italy, India, Czechia, Latvia, and Peru. In February 2024, Zscaler observed the variant actively used in targeting diplomats with a fictitious wine-tasting event.
Mandiant also believes the hacking attempt marks the first time APT29 used the WINELOADER variant to target political parties. It was also the first time the Russian hackers used “German-language lure content,” suggesting a localized campaign.
While WINELOADER remains APT29’s primary initial access method, Mandiant warned that the group could also attempt to compromise organizations by bypassing cloud authentication or through brute-force attacks such as password spraying.
Nevertheless, Russia’s hacking campaign was quickly detected. It prompted the German cybersecurity agency BSI to issue an alert on Russian cyber spies targeting German political parties.
Similarly, the center-right Christian Democratic Union said it was quickly notified of the incident, adding that it has frequently encountered several foreign and domestic hacking attempts.
“In this case, too, we received very prompt information about the attack,” the party’s spokesperson said. “There was no official CDU dinner on 1 March, the event was fictitious.”
Meanwhile, CDU is working with relevant German authorities to investigate the incident and is taking additional security measures to protect its systems from potential attacks.
A broader geopolitical campaign by state-affiliated Russian hackers
The targeting of German politicians by Russian hackers is part of a broader campaign by the Kremlin to undermine support for Ukraine and gather information on Western politics.
“This latest targeting is not just about going after Germany or its politicians; it is part of Russia’s wider effort aimed at finding ways to undermine European support for Ukraine,” Mandiant’s Dan Black said in a statement.
“The Russians have ratcheted up attacks against Germany due to their support for Ukraine. Much like they did in the U.S., the Russians are intent on sowing discord in Germany to destabilize the regime,” said Tom Kellermann, SVP of Cyber Strategy at Contrast Security. “Let’s remember that they provide support and amplify the messaging of the far right white supremacy movement throughout Europe via cyber.”
Russia’s attempt to spy on German politics extends beyond the SVR-backed spear-phishing campaign. In March 2024, Germany detained a soldier for allegedly leaking secrets to Russia; the same month the Kremlin published intercepted conversations between Bundeswehr officers on weapons delivery to Ukraine.
So far, Mandiant has not disclosed the names of German political parties or officials targeted by the state-sponsored Russian hackers.
However, BSI warned that Russian hackers might be looking beyond German political parties and targeting the upcoming European elections for information-gathering purposes.
Mandiant also believes that Western political parties and associated bodies will likely become “targets for future SVR-linked cyber espionage activity.”
“There is no reason to believe this activity is limited to any single party or country,” Black concluded.