Over the past week, someone using the Twitter handle “_0rbit” and describing themselves as a “security researcher” and “artist” published archive files appearing to containing personal data belonging to an array of German politicians. The apparent victims include Chancellor Angela Merkel, members of the Bundestag (Germany’s parliamentary body) and the European Parliament, as well as regional and local officials.
Today, a German government spokesperson acknowledged that at least some of the documents appear to be genuine, dating back to 2017. German deputy government spokesperson Martina Fietz told reporters that “personal data and documents belonging to hundreds of politicians and public figures were published on the Internet… the government is taking this incident very seriously.” The data includes home addresses, mobile telephone numbers, letters, invoices, and copies of identity documents.
While the Twitter account, Blogger page, and other websites associated with the breach have been taken down, dozens of mirror sites remain up and running. Fietz said that none of the data regarding Merkel reviewed thus far contained sensitive information—Merkel’s data included copies of letters she had sent and received, two email addresses apparently tied to the Chancellor, and a fax number.
However a German Ministry of the Interior spokesperson told AFP that German President Frank-Walter Steinmeier and government deputies from all the political parties represented in the Bundestag had been affected by the breach, which appeared to have come from multiple sources. German government networks were not apparently targeted, according to Germany’s Federal Office for Information Security (BSI)
In 2015, members of the Bundestag were targeted by the Russian threat group known as APT 28 (also known as Fancy Bear—the GRU intelligence operation identified and indicted by the US Justice Department). And in December of 2016, the German government warned of rising hacking and Internet disinformation operations activity in advance of the 2017 Bundestag elections. While there has been no official attribution for the attacks that led to the breach of the data leaked by “_0rbit,” a link to the GRU operation remains possible.
In a statement today, Interior Minister Horst Seehofer said, “After an initial analysis, there are many indications that data were obtained through the misuse of access data to cloud services, email accounts, or social networks.” The evidence suggests that the data was collected as part of a large espionage operation.
The files dumped by “_0rbit” also included data on a number of German celebrities, bloggers, and Internet video personalities. Included in the targeted group was Tarik Tesfu, who posts videos on race, gender, and sexuality issues, including same-sex marriage.
At least one German politician was quick to draw conclusions about the data leaks based on the nature of the breaches. Patrick Sensburg, a deputy from Merkel’s Christian Democratic Union party, accused right wing extremists for the data leaks by telling the German newspaper Handelsblatt, “I assume this was a hacker attack by people close to the AfD [Alternative for Germany, a right-wing political party].”