How Russian hackers attack Angela Merkel’s email


US, WASHINGTON (ORDO NEWS) — Investigative bodies are convinced that Russian military intelligence is behind this. In 2015, unknown persons managed to gain access to the office computers of the Federal Chancellor – and to all electronic correspondence of the office of her authorized representatives since 2012.

This happened five years ago, on May 8, 2015, when Angela Merkel participated in a ceremony in the Bundestag dedicated to the 70th anniversary of the end of World War II. Among the invited guests were ambassadors of different countries, in particular, the representative of Russia.

However, on that day a certain uninvited guest from Moscow got into the Bundestag – virtually. He managed to gain access to office computers in the office of Merkel’s representatives. A day earlier, his attempt to hack the electronic correspondence had still been thwarted, because there were no German umlauts on his keyboard. But on the anniversary of the end of the war, this man, known by the nickname “Scaramouche”, achieved his goal.

Five years have passed since the cyberattack, but it is still not completely clear what exactly “Scaramouche” and his accomplices extracted from the German parliament. The IT system was disabled for several days. Even after the covert attack became known, the thieves were able to continue stealing information. In total, according to various estimates, 16 gigabytes of various data “leaked”, including, presumably, several thousand emails from Merkel’s office.

Investigations into the circumstances of the attack were carried out by experts from the Federal Criminal Police Directorate, the Federal Information Security Administration, as well as private companies. As part of the investigation, more than 300 servers were seized. Assistance requests were sent to 21 countries.

According to authorities, the hackers managed to gain access to two accounts of the “Chancellor” and to all electronic correspondence of the office of her representatives from 2012 to 2015. They probably managed to copy these letters. How much the attackers got, whether all of the correspondence or only part of it, is “impossible to establish reliably,” security officials say.

The FBI is also looking for “Scaramouche”

This concerns letters from Merkel’s office in the Bundestag, not from the Office of the Federal Chancellor, whose correspondence can be truly “delicate” and strictly classified. But even with access only to the correspondence of Merkel’s representatives in the Bundestag, the hackers could learn a lot of valuable information about her personal and business environment, as well as about the inner workings of politics in the Federal Republic, which are inaccessible to outsiders.

Russian intelligence agencies are happy to use such information to sow discord and uncertainty in the West. Even lists of telephone numbers are valuable prey for spies.

The Russian authorities are behind the attack on Merkel’s email – the German security authorities have no doubt about this. For a long time, they cautiously said that Moscow, namely its Main Intelligence Directorate (GRU), was “probably” behind this hacker attack. Now, the Federal Supreme Court has taken an unequivocal position on this issue.

Investigators do not hope to catch Dmitry Badin

This week, the Federal Supreme Court, on behalf of Attorney General Peter Frank, issued an arrest warrant for Dmitry Badin, a Russian spy born in 1990. He is accused of “undercover activities.” According to representatives of the Supreme Court, this is the hacker hiding behind the nickname “Scaramouche”. The Bellingcat website claims that his last registered address was unit number 26165 in Moscow, which belongs to the GRU hacker department.

German justice has more and more claims against Russia. The prosecutor general accuses Moscow over a hired killer’s shooting of a Chechen who was living in Berlin with refugee status. Now official charges have been brought against the Kremlin’s “cyber warriors”. However, the arrest warrant issued in Karlsruhe has rather symbolic significance – the investigating authorities do not hope to catch Dmitry Badin.

The German authorities are not the only ones looking for this young man with blonde hair – the FBI is also hunting him as a member of the hacker group APT28, which is part of the GRU (also known as Sofacy Group and Fancy Bear). US intelligence agencies accuse this group of a number of high-profile hacker attacks.

According to them, in 2016 APT28 hacked the server of the US Democratic Party and gained access to information that allowed it to influence the presidential election and contribute to the victory of Donald Trump. In addition, “Kremlin hackers” were caught spying on the Organization for the Prohibition of Chemical Weapons (OPCW) after the poisoning of former spy and defector Sergei Skripal in the UK. In Germany, this group is also suspected of several hacker attacks.

All these attacks have one thing in common: the attackers, it seems, do not care whether they are detected or not. When attacking the servers in the Bundestag, they did not even bother to cover their tracks.

This is how the cyber attack went

The attack on the German parliamentarians began with a single email, ostensibly sent by UN representatives, regarding the alleged conflict in Ukraine. When one of the employees of the Left Party faction followed the link, a malicious program was installed on the computer. It is believed that this “first infection” occurred on April 30, 2015 at 11:46.

Investigators from the criminal police and the BFK company from Karlsruhe were able to reconstruct, practically continuously, the course of events that day. “Scaramouche” and his possible accomplices quickly gained access to the database of the entire Bundestag, obtaining administrator rights. “Admins”, as you know, are the real masters in the world of information technology – they can see and allow almost everything.

Thus, Russian hackers managed to gain access to the entire Bundestag computer network – more than 5.6 thousand computers and their contents.

On the day that “Scaramouche” penetrated Merkel’s computers, the experts of the IT department of the Bundestag decided to inform the Federal Office of Information Security about this. However, several days passed before a truly decisive reaction, and this time was essentially lost. Moreover, if the experts had contacted the Federal Office in a timely manner, then under certain conditions they could have completely prevented the attack, since the server used by the attackers was on the “black list” of the Information Security Administration.

But “Scaramouche”, while copying files from two mailboxes of Merkel’s representatives, made a mistake: he forgot to delete the “path” to the folder in which his malicious program was located. So the investigators were able to find out that the hacker had saved the software on his computer in the Projects folder. At the same time, they learned his nickname: “Scaramouche” – the name of the masked character of the Italian commedia dell’arte, which means “little bully”. It was like leaving a business card.

They watched football and looked for spare parts for cars

For the investigation, this information was extremely valuable. After all, “Scaramouche” was soon to appear somewhere else. Together with colleagues from department 26165, he used servers not only for official purposes (for espionage), but also for personal purposes. And they did so in full view of the experts of the Federal Constitutional Defense Service and the Federal Criminal Police Directorate, who have been watching them since 2016.

German investigators observed how the Russians used the Internet for personal purposes during office hours. In particular, they watched football, searched for car parts, and wrote private emails.

“Scaramouche” himself behaved especially carelessly. He constantly used his personal mailbox on the Gmail server, which was monitored by FBI agents. They managed to find contracts, personal photos, personal correspondence, training documents – that is, a lot of information about the life of Dmitry Badin, who was born on November 15, 1990 in Kursk. At the same time, the password to his account was truly amateurish: Badin1990.

