In March and April hackers tried to infiltrate computers of think tanks associated with Germany’s top two political parties. A year earlier, scammers set up a fake server in Latvia to flood German lawmakers with phishing emails. And in 2015 criminals breached the network of the German Parliament, stealing 16 gigabytes of data. Although there’s no definitive proof, the attacks have been linked to Pawn Storm, a shadowy group with ties to Russian intelligence agencies—raising the possibility that the Kremlin might disrupt a September vote in which Chancellor Angela Merkel, Russian President Vladimir Putin’s strongest critic in Europe, is seeking a fourth term. “There’s increasing evidence of attempts to influence the election” by Russia, says Hans-Georg Maassen, head of the BfV, Germany’s domestic intelligence agency. “We expect another jump in cyberattacks ahead of the vote.”
While polls show Merkel is likely to defeat the left-leaning Social Democratic Party (SPD), the concern is that the Kremlin will try to strengthen the far-right Alternative for Germany and turn the estimated 2.5 million voters who speak Russian against her. “Cybersecurity is a top priority, and Chancellor Merkel is taking it very seriously,” says Arne Schönbohm, president of the BSI, the country’s top technology security agency.
To guard against mischief similar to what Russia instigated in the U.S. last year and may have sought to do in France this spring, the Germans are shoring up their defenses. Merkel’s Christian Democratic Union (CDU) is calling for a law that would allow the country to “hack back” and wipe out attacking servers. The BSI this year is hiring 180 people—from lawyers to coders—and will embed experts with the election watchdog to protect the vote. The agency has set up cybersecurity response teams to clean up after attacks and help infiltrated government agencies keep computer systems from collapsing. In May the BSI held talks with counterparts such as France’s online security agency to gather information on thwarting attacks like one that targeted the presidential campaign of Emmanuel Macron.
Germany’s education ministry is backing a new cybersecurity school where politicians and IT officials are taught to spot and react to hacking. In April the armed forces set up a cyberdefense unit that will soon employ 12,000 soldiers and 1,500 civilians. Their orders: protect critical infrastructure such as power plants and hospitals, as well as military networks—which have been targeted 820,000 times this year, according to the defense ministry. “Since late 2016 we’ve been identifying attacks on Chancellor Merkel, and we are anticipating quite a strong barrage” as the election approaches, says Maks Czuperski, head of the digital forensic research lab at the Atlantic Council in Washington.
This spring, cybersecurity consultant Trend Micro Inc. alerted the BSI that Pawn Storm had taken aim at the two think tanks, the CDU’s Konrad Adenauer Stiftung and the SPD’s Friedrich Ebert Stiftung. Internet domains closely resembling those of the two organizations had been set up and were being hosted on servers often used by Pawn Storm, Trend Micro reported. The domains were used to launch email phishing attacks similar to those against the CDU and the Parliament, says Trend Micro researcher Feike Hacquebord, though the think tanks say no data were stolen. Pawn Storm is “constantly attacking,” Hacquebord says. “Government ministries, the defense industry in Germany. They don’t give up easily.”
Russia has repeatedly denied it’s hacked foreign governments, and on June 1, responding to a question about the possibility of hacking in the German election, Putin said his country never engages in such activity “at the government level.” But he wouldn’t rule out the possibility that “patriotically minded” Russians might be acting on their own.
Among the biggest concerns in Germany is that the 16 gigabytes of data (potentially more than 1 million emails) from the 2015 Parliament hack will be released. The breach was so severe—the attackers roamed the network for more than a week before they were detected—that the legislature’s entire IT system had to be taken down for several days to fix the problem. The Parliament averted another intrusion this spring that lured lawmakers to a manipulated website of the Jerusalem Post, the BSI says. “Everyone in our party is aware of the threat,” says CDU legislator Thomas Jarzombek. “I’m pretty sure we’ll see those 16 gigabytes again in September.”
The top parties are so concerned about potential Russian meddling that they’ve agreed to a truce, pledging not to exploit any last-minute dumps from the Parliament hack for political gain, according to a person familiar with the pact, who declined to be named because the discussions are private. “We’ve become much more careful with what we send by email and what we save where,” says CDU lawmaker Ansgar Heveling. “A lot of evidence indicates Russia is behind these attacks, and you can expect it to be in Russia’s interest to weaken Germany.”