Security Experts:

Industry Reactions to Massive Data Leak in Germany

The German government revealed last week that information on hundreds of politicians and celebrities was leaked online via Twitter.

The exposed information includes addresses, phone numbers, chat records, financial information, and copies of identity documents belonging to politicians from all parties except Alternative for Germany, journalists, artists and comedians. Germany’s Federal Office for Information Security (BSI) has launched an investigation, but its response has been criticized by officials.

The German government says there is no evidence that its computer systems have been compromised. The data appears to come from hacked email, social media and cloud services accounts.

Twitter has suspended the @_0rbit account used to distribute the stolen information.

The incident has reminded many cybersecurity experts of the hacker attack on the U.S. Democratic Party in 2015-2016, which has been widely attributed to the Russian government.

And the feedback begins…

Chris Dawson, Threat Intelligence Lead, Proofpoint:

“While actor attribution is notoriously difficult, early indications suggest that the Russian APT group Turla (a.k.a. Snake, Venomous Bear, Waterbug, and Uroboros) is behind the German data breaches reported earlier today. Proofpoint researchers have seen Turla targeting German interests before, particularly leveraging a G20 summit on the Digital Economy that took place in Hamburg in October 2017; other activity associated with this group has been well-documented and stretch back to at least 2008.

 

Even as additional details about the German cyber-attacks continue to emerge, organizations and agencies worldwide should look at their defenses against a variety of attacks, whether state-sponsored or financially motivated. Layered defenses at the network edge and email gateway can prevent exposure to a range of threats or alert administrators to exfiltration of data while up-to-date endpoint protection and rigorous patching regimens can help prevent exploitation of device vulnerabilities. Finally, user education is critical to enabling users to be last lines of defense, spotting potential attacks via email, the web, and other vectors.”

Matt Walmsley, EMEA Director, Vectra:

“The breached credit card information can be monetized, which could motivate both cybercriminals, and liquidity poor state sponsored attackers such as North Korea. Erosion of confidence in the government could benefit nation states wishing to promote political instability in Germany and it was interesting to see that the members of the right wing AfD party were not reportedly affected.

 

There is a history of Russian state sponsored interference and cyber-attacks into western democracies, particularly those aligned with NATO. I haven’t seen evidence to support direct attribution yet, however, if Russia is behind this attack it would not be surprising to see the multi-named Fancy Bear / APT 28 / Sofacy group implicated as they have been linked to the Russian GRU military intelligence agency and previously linked to cyberattacks on the German parliament and politicians.

 

This is just the first of many high-profile breaches we’ll see this year and it serves a powerful reminder that well-resourced, motivated and persistent attackers almost always succeed. There are no perfect defenses, so we need to adopt a healthy paranoia of a “I’m already compromised” mindset and focus on detection and responses to threats, and accept that something is trying, and invariably succeeding to get inside our systems. Hunting for, and responding to, the stealthy progress of advanced attackers inside an organization is a painstakingly slow and arduous job. Increasingly, automation powered by AI is taking over the heavy lifting to work at a speed and scale human security teams alone cannot achieve. This means that security teams can wrestle back the advantage and get ahead of attacks before they become full blown security incidents like we’ve seen today in Germany.”

Max Heinemeyer, Director of Threat Hunting, Darktrace:

“This attack not only has direct consequences for the individuals whose personal data has been exposed, but far reaching political ramifications. It is plausible that the precise purpose of this attack is an attempt to foster division and political tension.

 

Following Wikileaks, and the hacking of Hillary Clinton’s emails, we are seeing cyber-attacks become a serious method to meddle in democratic processes. However, the real motivations behind this attack currently remain unclear.

 

This data appears to have been collected over a number of weeks, raising questions as to how such an extensive and intrusive operation could have remained undetected until this stage. We must embrace technologies that allow us to work out what is happening with our data, before private information is made public.”

Adam Meyers, VP of Intelligence, CrowdStrike:

“An analysis of the Twitter follower network used to leak the data indicates that the leak may have a political angle—the user @_0rbit is part of a small cluster of four accounts that follow each other. CrowdStrike Intelligence assesses that these accounts are likely managed by the same group or individual. The motivation behind the leaks remains unclear. With the analysis presently available, CrowdStrike Intelligence cannot rule out an information operation.”

Craig Young, computer security researcher, Tripwire:

“In the wake of political hacking events, it is important that we don’t jump to conclusions. Unlike typical financially motivated hacks, it can be next to impossible to determine the specific motivation behind a political attack. While it may be easy to assume this is the work of an AfD operative, it is perhaps equally possible that an external actor could have perpetrated this attack to stir up controversy and distractions.

 

While there does not appear to be any tremendous damage from the released data so far, it may ultimately contribute to eroding confidence in the German information security office. This was a difficult year for the BSI’s reputation as it was revealed that the Russian hacking group APT28 had managed to penetrate the highly sensitive “Informationsverbund Berlin-Bonn” (IVBB) network.”

David Ginsburg, Vice President of Marketing, Cavirin:

“What we’re seeing is another example of a multi-faceted attacks designed to destabilize Western democracies. This includes voting systems, ‘fake’ news and now deepfakes, and in this case, attacks against prominent individuals. No protections are fail-safe, but individuals and organizations must do everything they can to follow best practices in protecting their cyber posture. Hopefully, in the lead-up to the 2020 election, we’ll learn from these attacks.”

Kirill Kasavchenko, principal security technologist, NETSCOUT:

“The facts are still emerging, but the scale of this hack will add urgency to international efforts to fight cybercrime. Regardless of the true motivations for this particular attack, all too often it’s still too easy for hackers to access and exploit sensitive information.

 

That’s why 2019 will be the year western governments devise policy-driven initiatives that put the right security infrastructure in place, and provide government and law enforcement agencies with the means to combat criminal or nation-state cyberattacks.”

Tom Goodman, Director International Cyber Business, Raytheon Intelligence, Information and Services:

“State-sponsored actors are not only continuing this type of activity, they are increasing their efforts and collaborating with insiders to drive political agendas and outcomes. Systems like email and social media accounts remain prime targets.

 

Organizations need to assess the security of their systems continually. They need to watch closely for data exfiltration and have the technology to detect data loss in real time. They also need response plans, so they can ensure the public's confidence in their government organizations. This breach appears to be less about the data itself and more about the intent – to embarrass officials and undermine public confidence.”

Shahrokh Shahidzadeh, CEO at Acceptto:

“It appears that nation-led cyber-attacks impacting elections is now becoming the norm, given the allegations levied against Russia in both the US and now in Germany. We need to assume that all of our credentials are breached already and we have not become aware of it. The surge of cyber-attacks, nation-led or not, impacting our government officials and agencies is perhaps the inflection point that dials the contrast on how broken the system is. Relying on binary authentication such as login/password, 2FA or even multi-factor authentication requiring another device, is clearly not sufficient enough to protect individual cyber credentials. The time is now to evaluate continuous authentication options based on new AIML technologies and Biobehavioral characteristics.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.