Russian Hackers Lure German Politicians With Fake Dinner Party Invite

Matthew Broersma,
Linkedin
Germany

Russian state-based hackers targeted German politicians with email posing as CDU dinner party invitation as spy activity intensifies

Hackers working on behalf of a Russian intelligence service last month targeted German political parties with malware hidden in an emailed invitation to a fictitious dinner party, according to an alert from Germany’s cybersecurity agency and Google-owned computer security firm Mandiant.

The email supposedly invited politicians to a 1 March dinner party hosted by the Christian Democratic Union (CDU), the party of former chancellor Angela Merkel, which has been in opposition since its defeat in 2021 federal elections.

It contained malware in an effort to infiltrate political parties’ systems to gain information for Russia’s foreign intelligence service, the SVR, which gathers intelligence for government decision-making.

Mandiant said the campaign was carried out by a cluster within the threat group APT29 that usually targets governments, foreign embassies and other diplomatic missions.

The APT29 lure document branded with the CDU logo. Image credit: Mandiant
APT29 lure document branded with CDU logo. Image credit: Mandiant

Further attacks likely

The attack, carried out in late February, represented a departure for this threat cluster and indicates the SVR is likely to continue sponsoring such attacks on “European and other Western political parties from across the political spectrum”.

The attack “almost certainly reflects the SVR’s interest in gleaning information from political parties and other aspects of civil society that could advance Moscow’s geopolitical interests”, Mandiant said in an advisory.

“APT29’s interest in these organisations is unlikely to be limited to Germany,” the company warned.

“Western political parties and their associated bodies from across the political spectrum are likely also possible targets for future SVR-linked cyber espionage activity given Moscow’s vital interest in understanding changing Western political dynamics related to Ukraine and other flashpoint foreign policy issues.”

russia, kremlin, st basil's cathedral

Ukraine conflict

Based on recent activity from other APT29 subclusters, attempts to achieve initial access beyond phishing may include attempts to hack into cloud-based systems or brute-force methods such as password spraying, Mandiant said.

“This latest targeting is not just about going after Germany or its politicians; it is part of Russia’s wider effort aimed at finding ways to undermine European support for Ukraine,” Mandiant analyst Dan Black said in a statement.

Mandiant has said that simultaneous campaigns mounted by APT29 shows it appears to have had a huge increase in resources in the last year.

An alert from Germany’s BSI cybersecurity agency relating to the same attack said state-backed hackers were targeting German political parties in an effort to gain long-term access and exfiltrate data.

European elections

The BSI said “upcoming European elections” spurred intensified interest in spying on politicians.

On 1 March Russian media published a 38-minute recording of a call in which top German military officers discussed issues surrounding sensitive weapons systems being delivered to Ukraine in a highly embarrassing leak.