The “Bundestag election” in Germany is set to take place on Sunday, 26 September, and officials from the central European country are already accusing Russian hackers of trying to intervene. As Andrea Sasse, a spokeswoman of the Foreign Ministry, stated during a press conference, Russian hackers of the “Ghostwriter” group have been combining conventional cyberattack methods like phishing with disinformation and influence operations targeting German audiences for some time now.
Sasse believes these attacks are culminating because the actors have a political interest to influence the results in the upcoming election and believe that “Ghostwriter” is directly backed by the GRU (Russian Military Intelligence Service). As such, she openly called the Russian government to end these activities immediately - and even mentioned that she had made that demand directly to Russian officials too during two meetings held between them last week.
Sasse warned that the German government would take further measures if the attacks won't stop but didn’t go into specifics around that. It appears that Russian state-supported hackers aren’t very subtle in operations of this type, as we have seen many countries launching similar allegations against Moscow.
In May 2021, the same group of actors, “Ghostwriter,” launched a phishing cyberattack that affected several members of the German parliament, policymakers, and other high-ranking officials. In July, a disinformation campaign attributed to the same hackers was discovered by FireEye, and it involved German media too. That campaign relied upon leveraging website compromises and posting fabricated stories aligned with Russian interests, promoting an anti-NATO agenda.
Speaking of interests, the CDU and the Greens have been fighting neck and neck during these months, according to polls, while the SPD has now gotten strong too following the floods in Germany. The Russian hackers are mostly worried about the Greens’ chancellor candidate, Annalena Baerbock, who has expressed opposition to completing the Nord Stream 2 gas pipeline that will connect the two countries energetically. Undoubtedly, the Russians would go to great lengths to block her path to office, and based on the latest poll tracker results, it looks like their disinformation campaign is working.
“Ghostwriter” has been active since at least 2017, and they were always focusing their operations on central Europe, hitting mainly Germany, Poland, Latvia, and Lithuania. However, they’re not the only ones to have compromised German entities. In 2015, ‘APT28’, aka “Fancy Bear,” also believed to be GRU hackers, managed to access emails belonging to Angela Merkel. This remained a secret until 2020 - when the story blew in German media.