German Federal Parliament IT Abyss
Wednesday, 01 July 2015
In 2015 the German parliament gazed into its own IT abyss. Unknown even to its own employees, however, the actual disaster had taken place some time earlier. This article covers the events in chronological order, along with our points of view on various matters, ranging from computer science to politics.

First covered by mass media in May 2015, a cyber attack on the German Federal Parliament (Bundestag) later turned out to be more devastating than previously thought. About a month after the first press reports, computer systems of the parliament were still infected with malicious software. The attackers were also able to harvest large amounts of data via several different types of malware implanted into the computers used by two German political parties [1]. During the same period a computer forensic analysis of one of the infected systems took place. Independently of that, media coverage later indicated substantial hardware damage to computer systems. Within weeks, criticism of the crisis management was being voiced nationwide.

According to further reports a total loss of the so-called "Parlakom" network infrastructure, including computer hardware and software, was soon feared in parliamentary circles. Replacement and reconstruction would cost millions and take several months, a confidential expert report stated. As a matter of fact the attackers were able to infiltrate the Parlakom network infrastructure, in particular its Microsoft Windows Active Directory servers, as well as the independently hosted Windows clients and servers of the political parties "Die Linke" and "CDU" [2]. The attack was first discovered by employees of the IT administration when one infected client system began massive downloads of data hosted on the parliament's main servers. The attack was not automated, and those who mounted it gained administrative privileges on the directory server in the course of events. There were also indications that more than one attack took place, and different malware was certainly put to use, according to security experts at G Data [3]. There was, however, no evidence of malware attacking hardware, such as the EEPROMs holding the UEFI or BIOS firmware. Should hardware replacements nevertheless turn out to be necessary, we think that would raise the question of trustworthy hardware vendors, especially in view of the latest Snowden revelations.

In some circles it was suggested that the late migration from Microsoft Windows XP (NT 5.1) to a later version may have de facto enabled the attackers to penetrate the parliament's core infrastructure systems. BYOD as a widespread concept had also been discussed controversially in the past. Security researcher C. Guarnieri reported on malware findings in mid June 2015 [4]. A subsequent expert opinion included an analysis of two pieces of software, one for remote management and the other for file transfers, with a self-compiled crypto implementation, dated 22 April. That forensic analysis furthermore revealed the IP address of a command and control server located within AS 16276 of the French hosting company OVH. The researcher then concluded that this cyber crime operation was hasty and that no privileged accounts were created. We think that assumption is false. Finally the advisory opinion concluded with the release of a YARA signature and the assessment that the cyber crime group Sofacy/APT28 was involved in all attacks [5].
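The two points above, administrative privileges gained on the directory server and the disputed claim that no privileged accounts were created, are exactly what a domain controller's Security log can settle. The following is an added example for this article, not code from the Bundestag investigation or from any of the cited expert reports. It audits a text export of Security-log events for accounts that were created (event 4720) and then added to a privileged group (4728, 4732 or 4756), and for privileged-group changes made by such freshly created accounts. The log lines are constructed and the host, account and group names are fictitious; the one-line `time host event_id key=value` export format is an assumption of this example, not Windows' own format.

```python
"""Audit a Windows Security-log export for privileged-account escalation.

Added example for this article, not code from the Bundestag investigation or
from any cited expert report. It tests the kind of claim made in the expert
opinion ("no privileged accounts were created") against the events a domain
controller actually records: 4720 (user account created) followed by 4728,
4732 or 4756 (member added to a global, local or universal security group).
The log lines below are CONSTRUCTED; host, account and group names are
fictitious. The field layout is an assumed text export, not Windows' own format.
"""
import shlex
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720
GROUP_ADD_EVENTS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}

# Constructed sample: "<ISO time> <host> <event id> key=value ..."
SAMPLE_LOG = """\
2015-04-22T03:12:07 DC01 4720 subject=svc_backup target=jhartmann
2015-04-22T03:12:40 DC01 4728 subject=svc_backup target=jhartmann group="Domain Admins"
2015-04-23T09:00:11 DC01 4720 subject=admin_it target=mmueller
2015-04-23T09:02:30 DC01 4732 subject=admin_it target=mmueller group="Remote Desktop Users"
2015-04-25T22:41:03 DC01 4732 subject=jhartmann target=svc_backup group="Administrators"
"""


def parse_events(text):
    """Parse the assumed export format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = shlex.split(line)          # honours quoted group names
        fields = dict(p.split("=", 1) for p in parts[3:])
        events.append({"time": datetime.fromisoformat(parts[0]),
                       "host": parts[1],
                       "id": int(parts[2]),
                       **fields})
    return events


def audit(events, recent=timedelta(days=7)):
    """Flag every addition to a privileged group and explain why it stands out.

    Returns findings sorted by time. Each records the actor (subject), the
    account added (target) and the group; the reasons list is empty when
    nothing beyond the membership change itself is suspicious.
    """
    created = {}       # account name -> the 4720 event that created it
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == ACCOUNT_CREATED:
            created[ev["target"]] = ev
            continue
        if ev["id"] not in GROUP_ADD_EVENTS or ev.get("group") not in PRIVILEGED_GROUPS:
            continue
        reasons = []
        birth = created.get(ev["target"])
        if birth and ev["time"] - birth["time"] <= recent:
            age = ev["time"] - birth["time"]
            reasons.append(f"target account created {age} earlier by {birth['subject']}")
        actor_birth = created.get(ev["subject"])
        if actor_birth and ev["time"] - actor_birth["time"] <= recent:
            reasons.append(f"actor {ev['subject']} is itself a recently created account")
        if ev["time"].hour < 6 or ev["time"].hour >= 22:
            reasons.append("change made outside business hours")
        findings.append({"time": ev["time"], "host": ev["host"],
                         "subject": ev["subject"], "target": ev["target"],
                         "group": ev["group"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(parse_events(SAMPLE_LOG)):
        flag = "SUSPICIOUS" if f["reasons"] else "review"
        print(f"{f['time']:%Y-%m-%d %H:%M} {flag}: {f['subject']} added "
              f"{f['target']} to '{f['group']}' on {f['host']}")
        for r in f["reasons"]:
            print("    -", r)
```

Two caveats apply in practice. The audit only sees what was logged on the domain controllers, so an attacker who already holds administrative rights can clear the Security log (Windows records the clearing itself as event 1102, which should therefore be alerted on as well). And an absence of 4720 events says nothing about accounts that were never created because existing privileged credentials were stolen instead, so a negative result from this check does not by itself support the conclusion that no privileged access was obtained.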

In our opinion, however, that involvement was not proven by any forensic evidence. Without the actual data, a confirmation of the suggested link to Sofacy/APT28 seems impossible. Interestingly, the expert opinion omitted several past SPAMHAUS listings of OVH-owned networks, which predated the attacks by months. We therefore conclude that any link to Russia or similar is not substantiated at this point, since it is neither indicated through forensic results nor supported by a proper assessment of the political situation [6].

In late July 2015 there were still no public plans on how to prevent future reinfections of computer systems within the Parlakom infrastructure. Given that additional, as yet unknown malware may well be hidden within backups, even a small recovery job could cause a reinfection and subsequent malware spread. The government already had to assign external specialists in computer forensics and malware to the ongoing recovery and security operations [7]. These specially trained experts of course demand an appropriate salary, which in turn raises the question of wages in public service again. Ultimately those responsible in Berlin have to face the problems associated with insufficient funds and personnel, with proprietary systems instead of free open source software, and finally with combating an unequally powerful adversary. For that reason we are sure the only solution to these issues would be a complete turnaround. It seems more necessary than ever to stop austerity and outsourcing, in favor of supporting and empowering the existing federal parliament IT staff. Domestic security laws as well as BSI and BfV supervision may each help in their own separate ways, but surely cannot be a definitive answer to all the named challenges [8]. We are convinced that great, and thus secure, IT is first and foremost »people«, ones with the true potential to stop such disasters early in their tracks [9].

Last Updated (Wednesday, 01 July 2015)

© 2003 - 2024 TRON-DELTA.ORG (NGO), Nongovernmental Intelligence Organization