According to the Polish government, the UNC1151 group was behind the hacking attack carried out as part of the “Ghostwriter” campaign, of which the prime minister’s chief of staff, Michał Dworczyk, is said to have been a victim. Stanisław Żaryn, spokesman for the minister coordinating the special services, said that “the agencies have reliable information linking the activities of the UNC1151 group to the activities of Russian intelligence”. Their aim is to destabilize the political situation in the countries of central Europe.
Recently, the group is said to have been active in Germany as well. As “Der Spiegel” reported in March of this year, 7 members of the Bundestag and more than 70 members of the parliaments of the German Länder were attacked as part of the “Ghostwriter” campaign. According to press sources in the German services, this was the group’s first major operation in Western Europe.
The attack has put the German services on alert, as the Bundestag elections will take place in Germany in September. “We believe that the danger for the candidates for the elections is great,” said a spokesperson for the Federal Office for Information Technology Security (BSI), adding that further attacks on the information space were expected.
Germany suspects Russian intelligence
According to journalists from the public broadcasters WDR and BR, Thomas Haldenwang, head of the Federal Office for the Protection of the Constitution (BfV), reportedly told the parliamentary intelligence committee in March that the GRU was suspected of being behind the attacks carried out as part of the “Ghostwriter” campaign.
Thomas Haldenwang, President of the Federal Office for the Protection of the Constitution
According to German media, the hackers almost exclusively targeted politicians from the ruling CDU/CSU and SPD parties. It is not known how many of them fell into the trap, nor whether any data was stolen from them and, if so, what. So far, none of it has been made public. Germany has been following the “Ghostwriter” campaign since February this year. According to the WDR and BR report, the services “detected the wave of attacks early and then notified those affected.”
The letter that the services reportedly sent to parliamentarians indicates, among other things, that “professional and / or private e-mail addresses” may be the target of a “planned phishing campaign”. The passwords and information collected can be used to “access social media accounts or disseminate false information”.
Special mailboxes in focus
In Poland, according to the government, 4,350 addresses were attacked, including around 100 belonging to persons exercising public functions. About 500 people are said to have fallen into the trap.
According to WDR and BR, more than 200 emails were sent in total in Germany, mostly to private addresses registered in the popular GMX and T-Mobile domains. In the messages, recipients were asked to prove that they were not spam bots by visiting a special website and entering their name and password there. Otherwise, they were told, their mailbox would be blocked within three days.
German forces fear further attacks ahead of September Bundestag elections
The American company FireEye, which first described the “Ghostwriter” campaign, listed the domains spoofed by UNC1151 hackers in a report published in April of this year. In addition to the aforementioned German GMX and T-Mobile, there are names resembling Onet, Interia and Wirtualna Polska. It was the special mailbox on the last of these portals that was reportedly used by the head of the prime minister’s office, Michał Dworczyk.
Government emails from private addresses – also a problem in Germany
Among the materials allegedly taken from the mailbox and published on the Telegram messenger, photos of correspondence he is believed to have had with other employees of the prime minister’s office sparked much controversy. They are supposed to show that not only Dworczyk, but also Prime Minister Mateusz Morawiecki and government spokesman Piotr Müller, used private email addresses to conduct business correspondence.
In Germany, too, members of the government are criticized for using private e-mail boxes for official business. In addition, there is no law regulating their use: in August 2020, the German Ministry of the Interior replied to a parliamentary question on the subject: “It is not excluded that members of the government also communicate on official matters via private email addresses.”
Head of Chancellor’s Office Helge Braun (CDU)
Private emails and text messages do not end up in official files, which makes it difficult to investigate wrongdoing afterwards. According to the daily Die Welt, private email addresses have been used by the head of the Chancellor’s Office, Helge Braun, and Health Minister Jens Spahn (both CDU) in the fight against the coronavirus pandemic. “In recent years it has become clear on several occasions that the government communicates in a way that leaves no trace,” Die Welt wrote.
Concerns about a repeat of 2015
It is not publicly known which German politicians were hacked as part of the “Ghostwriter” campaign. The most serious cyberattack against German politicians to date occurred in the spring of 2015, when the perpetrators successfully infiltrated the internal Bundestag system. It is estimated that they stole up to 16 gigabytes of data at the time, including thousands of emails and parliamentary documents. Two computers in Chancellor Angela Merkel’s office were also hacked.
The German Federal Prosecutor’s Office accuses Russian military intelligence, the same agency that is believed to be behind Operation Ghostwriter, of carrying out the attack. In connection with this attack, an arrest warrant was issued in Germany last year against 30-year-old Russian Dmitry Badin, who is believed to be one of the GRU hackers. At least in Germany, the “Ghostwriter” campaign has so far been less spectacular: as German media reported, the hackers were unable to penetrate government systems.