Why hackers may turn their attention to Angela Merkel

The goal? Manipulate media, strengthen extremist groups and fan anger over issues like migration

If the hacking of the Democratic Party in the US and of Emmanuel Macron's campaign in France tell us one thing, it's that Germany's chancellor, Angela Merkel, will be next.

For the German security services this battle for “digital sovereignty” is already under way. For months, they have been tracking “a striking increase” in Russian propaganda and disinformation “aimed at destabilising German society” and in cyber-attacks targeting domestic political parties.

Even by Russian standards, these operations have been “aggressive”, says Hans-Georg Maassan, head of the domestic intelligence agency, BfV. Their aim: to manipulate the media, strengthen extremist groups and fan popular anger over reliably inflammatory issues such as migrants.

With German federal elections scheduled for September, Maassen took the unusual step of warning that some of the real-world consequences of this hacking could be to “endanger German government officials, members of parliament and employees of democratic parties”.


Technically proficient

The spymaster also revealed that the identity of the group behind the most technically proficient attacks of this kind – the kind that can compromise states and their economies and undermine critical infrastructure – is already well known to western intelligence agencies.

They know its identity because in 2016 alone it was behind not just the hacking of the Democrats in the US but of Merkel's party, the CDU, in Germany; of President Recep Tayyip Erdogan's AK Party in Turkey; of the parliament of Montenegro, where there were accusations of a coup aimed at derailing elections as Nato accession moves closer; and of activists and even infrastructure in Ukraine.

Among the same hackers' targets in 2015 was the Dutch Safety Board, where an attempt was made to access the final report into the Malaysia Airlines Flight MH17 disaster – which found that the jet, carrying 298 passengers and crew, was blown apart by a missile transported to eastern Ukraine from neighbouring Russia and fired from a site controlled by pro-Russian separatists.

The hacking of the Democratic National Committee and of the Democratic Congressional Campaign Committee in the US, of course, played into allegations of inappropriate contact between members of Trump's campaign team and Moscow, and of Russian meddling in the US election – a row which led to the firing of FBI director, James Comey.

The Russian response from Kremlin spokesman, Dmitry Peskov, has been absolute: "Russia has never meddled, does not meddle, and has no intention of meddling in US affairs in the future."

Total deniability

In diplomatic terms there is total deniability. Yet the attacks – consistently aligned with Russian geopolitical interests and targeting pro-western interests – continue.

The group – first identified as far back as 2004 – is known as Pawn Storm, appropriately, given its Russian connections, a chess term in which pawns are moved towards an opponent in quick succession in a strategy aimed at overwhelming his defences.

It’s also known as APT28. APT stands for “Advanced Persistent Threat”, a term used to denote the sophistication and military-style capability of hackers typically backed by governments. Other names occasionally used are Fancy Bear (originally a coding term), Sofacy, Sednit and STRONTIUM.

So Pawn Storm-APT28 as an organisation has long been identified, although remarkably, even after 13 years of persistent online activity tracked by the West, not one individual behind it has been named – indicating a high level of operational security consistent with its technological expertise.

In the cybersecurity world there's no doubt about the Russian connection – tracked separately by industry leaders such as Trend Micro, FireEye, Dell SecureWorks, ThreatConnect, CrowdStrike and others – which is kept at arm's length through links to the military intelligence agency, GRU.

“While we don’t have pictures of a building, personas to reveal, or a government agency to name, what we do have is evidence of long-standing focused operations that indicate a government sponsor – specifically a government based in Moscow,” says FireEye in a 45-page report, “APT28: A Window into Russia’s Cyber Espionage Operations.”

“APT28’s characteristics – their targeting, malware, language, and working hours – have led us to conclude that we are tracking a focused, long-standing espionage effort. Given the available data, we assess that APT28’s work is sponsored by the Russian government.”

Information warfare

Why? For President Vladimir Putin, information warfare aimed at destabilising its geopolitical opponents is nothing less than a cornerstone of Russian foreign policy, maintains Dr Stephen J Blank, a senior fellow at the American Foreign Policy Council.

For that reason, Putin “continues to wage a cold war” in Europe. His aim is “a reversal of Nato’s current military build-up in response to Russian aggression” – and to that end, Blank is unequivocal, “the Russians intend to unseat prime minister Angela Merkel of Germany” among others.

Those are the political aims. The most informative tactical insights come from Dutch expert Feike Hacquebord, leader of the Forward-Looking Threat Research Team at Trend Micro, a publicly listed security software company founded in California and now based in Tokyo.

For Hacquebord – originally a theoretical physicist – Pawn Storm-APT is essentially an army of “cyber propagandists” using electronic means to influence public opinion.

“Aside from manipulating the public, its operations also discredit political figures and disrupt the established media. The proliferation of fake news and of fake news accusations in 2017 can in part be attributed to constant information leaks and manipulations by malicious actors. This creates problems on multiple levels.”

If this level of confusion or “problems on multiple levels” was what Pawn Storm intended in the US, for example, then it arguably describes quite well a shifting post-election landscape in which information often seemed no longer anchored in facts or even in truth.


To achieve that confusion and compromise its targets, Pawn Attack favours “spear phishing”, the creation of convincing web pages where individuals are induced to sign in giving their user names and passwords. Those compromised accounts can then be used to send e-mails from the stolen identities, to leak emails that will damage the individual or organisation and/or influence public opinion, or for silent data-gathering, sometimes for years.

Other tactics at the more technically accessible end include “tabnabbing”, which exploits computer users’ tendency to keep several tabs open in their browser at the same time; compromising DNS (Domain Name Server) settings, and “watering hole attacks”, which infect websites that targets are known to visit.

Nobody is immune. Among the international media known to have been targeted by Pawn Storm are the New York Times, the Economist Intelligence Unit, Buzzfeed, Al Jazeera, and the influential Turkish newspaper Hurriyet, and news agency Anadolu.

Trend Micro research includes long lists of governments, government agencies (including armed forces, defence ministries and foreign ministries), political parties, international organisations, private contractors, energy companies, universities, and others, all over the world, that have been targeted, frequently successfully.

In anticipation of increasing Russian pressure between now and September, the German government has promised a new Centre for Defence against Disinformation – already nicknamed “the Ministry of Truth” by some sceptics.

Political parties have been urged not to use internet bots (software that runs automated tasks such as spreading information on social media) or to spread fake news during campaigning.

“The acceptance of a post-truth age would be the equivalent of political capitulation,” said one interior ministry official.

The Pawn Storm: APT28

AKA: Fancy Bear, Sofacy, Sednit and STRONTIUM.

Aim: To manipulate geopolitics in line with Russian interests

Not to be Confused With: The hackers behind the WannaCry attack who are demanding ransoms to “free” computers. Pawn Storm’s hacking is espionage, not extortion.