The Washington PostDemocracy Dies in Darkness

Apparent attack by Russian hackers penetrated Germany’s foreign ministry

Security experts discovered malware on the German foreign ministry’s network in December. The defense ministry may have been affected, too. (Michael Kappeler/AP)

BERLIN — German officials said Wednesday that the government’s information technology networks had been infiltrated and that evidence pointed toward a Russian hacking group that’s been implicated in high-profile cyberattacks worldwide.

The breach, acknowledged by the interior ministry in a statement, had been known since December, when security experts discovered malware in the secure computer networks of the foreign ministry, according to a senior German security official. German media outlets reported that the defense ministry also was affected.

The senior security official, who spoke on the condition of anonymity because he was not authorized to comment on the record, said the Federal Office for the Protection of the Constitution and the Federal Office for Information Security allowed the malicious program to keep running in recent months so they could monitor hacker activity. But no significant data was transmitted, according to the official. He said at some stage German officials decided to stop monitoring.

The official also said the country’s security agencies suspected that the Russian-linked hacking network known as APT28, or Fancy Bear, was behind the attack. Germany’s Süddeutsche Zeitung reported that the hackers may have had access to German governmental networks for up to a year.

Fancy Bear has previously been connected to a range of cyberattacks, including one in which phishing and malware was used to infiltrate the U.S. Democratic National Committee before the 2016 presidential election, as well as the networks of Emmanuel Macron’s election campaign before last year’s French presidential election, according to the Tokyo-based cybersecurity research group Trend Micro. 

The extent of damage in Germany, if any, was not made public. The interior ministry said in a statement that the breach was “isolated and brought under control.”

Still, the revelation that sensitive systems had been penetrated, with potential Russian fingerprints, represented a major breach just three years after suspected Russian hackers broke into the computer networks at the German parliament and made off with 16 gigabytes worth of data, enough for about a million emails. The information stolen in that attack has never been published.

If the Russian link is proved, it could mark a potential escalation in hostilities between Moscow and the West.

“If the details reported so far are accurate, this attack represents an unprecedented incident,” said Sven Herpig, Director for International Cyber Politics at Germany’s New Responsibility Foundation. “The prior hacking of the German parliament was also problematic, but it only lasted for a short period of time.”

He indicated that whoever was behind the latest attack must have assumed that it would eventually become public.

“Following the parliamentary breach, the German government strongly urged Russia to refrain from attacks,” Herpig said. “The likelihood that such incidents become public relatively quickly is high.”

Some experts believe Fancy Bear was also behind the cyberattack on the parliament, known as the Bundestag, though other experts say there’s not sufficient proof. German security officials publicly said they believed that attack was of Russian origin.

Mekhennet reported from Frankfurt, Noack from London and Beck from Berlin. Griff Witte contributed from Athens.

Russian hackers who compromised DNC are targeting the U.S. Senate, company says

Obama’s secret struggle to punish Russia for Putin’s election assault

Today’s coverage from Post correspondents around the world

Like Washington Post World on Facebook and stay updated on foreign news