Der Spiegel (Germany): how Russian hackers broke into Angela Merkel's emails

The investigating authorities believe Russian military intelligence is behind it. In 2015, unknown attackers gained access to the Federal Chancellor's office computers in the Bundestag and to all electronic correspondence of her parliamentary office going back to 2012.

It happened five years ago, on 8 May 2015, when Angela Merkel took part in a ceremony in the Bundestag marking the 70th anniversary of the end of the Second World War. Among the invited guests were ambassadors from various countries, including the representative of Russia.

That day, however, the Bundestag also had an uninvited guest from Moscow, a virtual one. He gained access to the office computers of Merkel's parliamentary staff. The day before, his attempt to break into the email correspondence had failed because his keyboard had no German umlauts. But on the anniversary of the end of the war, this man, who went by the name "Scaramouche", succeeded.

Five years have passed since the cyber attack, but it is still not clear exactly what "Scaramouche" and his accomplices took from the German parliament. Its IT systems were out of order for several days. Even after the covert attack became known, the thieves were still able to steal information. In total, according to various estimates, 16 gigabytes of data leaked, presumably including several thousand emails from Merkel's Bundestag office.

Experts from the Federal Criminal Police Office (BKA), the Federal Office for Information Security (BSI) and private companies investigated the circumstances of the attack. More than 300 servers were seized in the course of the investigation. Requests for assistance were sent to 21 countries.

According to the authorities' assessment, the hackers gained access to two of the Chancellor's accounts and to all email correspondence of her Bundestag office from 2012 to 2015. They may have copied the letters. How much the attackers actually "harvested", whether the entire correspondence or only part of it, "cannot be ascertained", say sources in the security agencies.

The FBI is also looking for “Scaramouche”

These are letters from Merkel's office in the Bundestag, not from the Federal Chancellery, so the correspondence may not be truly "sensitive" or highly classified. But by gaining access to the correspondence of Merkel's Bundestag staff, the hackers were able to learn a great deal of valuable information about her personal and business environment and about the political kitchen of the Federal Republic that is otherwise inaccessible from outside.

Russian intelligence services readily use such information to sow discord and insecurity in the West. Even lists of telephone numbers are valuable loot for spies.

The German security agencies have no doubt that the Russian state is behind the attack on Merkel's email. For a long time they said cautiously that the hacker attack was "probably" the work of Moscow, and specifically of the Main Intelligence Directorate (GRU). Now the Federal Court of Justice has taken a clear position on the issue.

The investigators hope to catch Dmitry Badin

This week the Federal Court of Justice, at the request of Federal Prosecutor General Peter Frank, issued a warrant for the arrest of Dmitry Badin, a Russian intelligence officer born in 1990. He is accused of "intelligence agent activity". According to the court, Badin is the hacker behind the name "Scaramouche". The website Bellingcat claims that his last registered address was simply the code number 26165 in Moscow, which belongs to the GRU's hacker division.

German justice has new complaints against Russia. The Federal Prosecutor General already accuses Moscow of the murder of a Chechen who lived in Berlin as a refugee and was shot dead by an assassin. Now an official cyber accusation has been levelled at the Kremlin as well. However, the arrest warrant issued in Karlsruhe has mainly symbolic significance: the investigating authorities do not expect to catch Dmitry Badin.

This young man with blond hair is wanted not only by the German authorities: as a member of the hacker group APT28, part of the GRU (also known as Sofacy Group and Fancy Bear), he is also hunted by the FBI. US intelligence agencies accuse the group of a whole series of high-profile hacker attacks.

According to them, in 2016 APT28 broke into the servers of the US Democratic Party and obtained information that allowed it to influence the presidential election and help Donald Trump win. The "Kremlin hackers" are also accused of spying on the Organisation for the Prohibition of Chemical Weapons (OPCW) after the poisoning of the former spy and defector Sergei Skripal in the UK. In Germany the group is also suspected of several hacker attacks.

All these attacks have one thing in common: the attackers seem not to care whether they are found or not. When they attacked the Bundestag servers, they did not even bother to cover their tracks.

How the cyber attack unfolded

The attack on the German parliament began with an email purportedly sent by the UN concerning the conflict in Ukraine. When a staff member of the Left party's parliamentary group clicked the link, malware was installed on the computer. This "first infection" is believed to have occurred on 30 April 2015 at 11:46.

Investigators from the criminal police and the Karlsruhe company BFK were able to reconstruct the events of that day literally minute by minute. "Scaramouche" and his possible accomplices quickly gained access to the entire Bundestag database by obtaining administrative rights. "Admins", as is well known, are the real masters of the IT world: they can see and are allowed to do almost everything.

The Russian hackers thus gained access to the entire computer network of the Bundestag, more than 5,600 computers and their contents.

On the day "Scaramouche" infiltrated Merkel's computers, experts in the Bundestag's IT department decided to inform the Federal Office for Information Security. A really strong reaction, however, came only a few days later, and that time was essentially lost. Had the Bundestag's IT staff been in contact with the federal authority, they might under certain conditions have been able to prevent the attack, since the server used by the attackers was already on the BSI's "blacklist".

But when copying the files from the two mailboxes of Merkel's staff, "Scaramouche" made a mistake: he forgot to remove the "path" to the folder in which the malware had been stored. So the investigators found out that the hacker kept the software on his computer in a folder named "Projects". At the same time they learned his nickname: "Scaramouche" is the name of a masked character in the Italian Commedia dell'arte and translates as "little bully". It was like leaving a calling card.
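The "forgotten path" described above is a classic build-time artifact: Windows toolchains embed the absolute path of the debug-symbol (.pdb) file, and often other build paths, in the binary, and a user-profile path in there gives away the account name the developer worked under. The Python script below is an added example, not code from the investigation, from BFK or from Der Spiegel: it carves Windows-style paths out of a binary blob in both encodings Windows binaries commonly use (plain ASCII and UTF-16LE) and extracts the user-profile component. The sample bytes, the "RSDS" debug record and the path containing "scaramouche" and "Projects" are constructed for illustration; the page does not state the actual path that was found.

```python
import re
from typing import List

# A Windows path: drive letter, colon, backslash, then components made of
# characters NTFS allows in file names.  The last component may be empty.
_PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\x00-\x1f\\/:*?"<>|]+\\)*[^\x00-\x1f\\/:*?"<>|]*')

# Runs of at least six printable characters, as "strings" would find them,
# once as single bytes (ASCII) and once as UTF-16LE (char, NUL, char, NUL ...).
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Constructed sample: a fake PE header fragment, a fake CodeView "RSDS" record
# followed by a PDB path in ASCII, and a second path stored as UTF-16LE.
# Nothing here is taken from the real malware; the names are hypothetical.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"\x00" * 16
    + b"RSDS" + b"\x11" * 20
    + b"C:\\Users\\scaramouche\\Projects\\loader\\Release\\loader.pdb\x00"
    + b"\x00" * 8
    + "D:\\build\\x64\\payload.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
)


def printable_strings(blob: bytes) -> List[str]:
    """Return printable runs from the blob, ASCII runs first, then UTF-16LE runs."""
    found = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in _UTF16_RUN.finditer(blob)]
    return found


def windows_paths(blob: bytes) -> List[str]:
    """Return every distinct Windows path embedded in the blob, in order of appearance."""
    paths: List[str] = []
    for s in printable_strings(blob):
        for m in _PATH_RE.finditer(s):
            if m.group() not in paths:
                paths.append(m.group())
    return paths


def user_profiles(paths: List[str]) -> List[str]:
    """Pull the account name out of paths under \\Users\\ or \\Documents and Settings\\."""
    users: List[str] = []
    for p in paths:
        parts = p.split("\\")
        for i, part in enumerate(parts[:-1]):
            nxt = parts[i + 1]
            if part.lower() in ("users", "documents and settings") and nxt and nxt not in users:
                users.append(nxt)
    return users


if __name__ == "__main__":
    paths = windows_paths(SAMPLE)
    for p in paths:
        print("embedded path:", p)
    for u in user_profiles(paths):
        print("user profile :", u)
```

In a real triage the blob would be the unpacked sample read from disk, and the same two functions would be run over every section; PDB paths in particular survive most casual attempts at cleanup because they are written by the linker, not by the author's own code.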

Watching football and looking for car spare parts

For the investigation this information was extremely valuable, because "Scaramouche" would soon turn up elsewhere. Together with colleagues from unit 26165 he used servers for work (that is, for espionage), but also for personal purposes. And they did so in full view of specialists from the Federal Office for the Protection of the Constitution and the Federal Criminal Police Office, who had been watching them since 2016.

German investigators watched as the Russians used the Internet for personal purposes during working hours. In particular, they watched football, looked for spare parts for cars and wrote private emails.

Scaramouche in particular behaved carelessly. He regularly used a personal mailbox on Gmail, which was monitored by the FBI. There the investigators found contracts, personal photos, private correspondence and educational documents, a great deal of information about the life of Dmitry Badin, born 15 November 1990 in Kursk. The password to his account was a truly amateurish "Badin1990".