Recent Hub Casts

German Foreign Minister Says Russia will Face Consequences for Monthslong Cyber Espionage

Germany on Friday accused Russian military agents of hacking the top echelons of Chancellor Olaf Scholz’s party and other sensitive government and industrial targets, and was joined by NATO and fellow European countries in warning that Russia’s cyberespionage would have consequences.
Relations between Russia and Germany were already tense, with Germany providing military support to Ukraine in its ongoing war with Russia.
German Foreign Minister Annalena Baerbock said Russian military cyber operators were behind the hacking of emails of the Social Democrats, the leading party in the governing coalition. Officials said they did so by exploiting Microsoft Outlook.
Officials described a hacking campaign that persisted for months.
The German Interior Ministry said in a statement that the hacking campaign began at least as early as March 2022 — a month after Russia’s full-scale invasion of Ukraine — with emails at Social Democrat party headquarters accessed beginning that December. It said German companies, including in the defense and aerospace sectors, as well as targets related to the war were also a focus.
The statement said international efforts led by the FBI shut down in late January a botnet of compromised network devices used by the Russian hackers — known as APT28 or Fancy Bear — in the cyberespionage scheme.
“Russian state hackers attacked Germany in cyberspace,” Baerbock said at a news conference in the Australian city of Adelaide. She attributed the hack to a unit of Russia’s GRU military intelligence agency.
“This is absolutely intolerable and unacceptable and will have consequences,” she said, without specifying what they might be.
A separate German statement said the hacking occurred over “a relatively long period” and also targeted various unidentified German government authorities, foundations and associations. It said the Social Democrats’ executive committee was targeted.
The Council of the EU and the Czech Foreign Ministry said Czechia’s institutions have also been targeted by the same group. Both German and Czech officials said the GRU hackers leveraged a previously unknown vulnerability in Microsoft Outlook.
In a statement by the EU’s top diplomat, Josep Borrell, the bloc’s nations said they “strongly condemn the malicious cyber campaign” by Fancy Bear “against Germany and Czechia.”
The EU noted that it had previously imposed sanctions on individuals and entities associated with the group for targeting the German parliament in 2015. It said it will not tolerate the continuation of such attacks, particularly with EU elections upcoming in June.
NATO accused Fancy Bear of targeting “other national governmental entities, critical infrastructure operators and other entities across the Alliance,” including in Lithuania, Poland, Slovakia and Sweden.
“We are determined to employ the necessary capabilities in order to deter, defend against and counter the full spectrum of cyberthreats to support each other, including by considering coordinated responses,” said the North Atlantic Council, the principal political decision-making body within NATO.
Baerbock is visiting Australia, New Zealand and Fiji, with the trip focusing on security policy as China pushes for influence in the Pacific region.
“The defense cooperation between Germany and Australia is close and we would like to deepen it further and together expand it, because we are in a situation where we face similar threats,” said Baerbock, who is the first German foreign minister to visit Australia in 13 years.
Discussions between Baerbock and her Australian counterpart Penny Wong centered on the conflict in Gaza. “I think we all understand that the only path out of this cycle of violence that we see in the Middle East at such great cost is one that ultimately ensures a two-state solution,” Wong said.
Microsoft Outlook Flaw Exploited by Russia’s APT28 to Hack Czech, German Entities

Czechia and Germany on Friday revealed that they were the target of a long-term cyber espionage campaign conducted by the Russia-linked nation-state actor known as APT28, drawing condemnation from the European Union (E.U.), the North Atlantic Treaty Organization (NATO), the U.K., and the U.S.
The Czech Republic’s Ministry of Foreign Affairs (MFA), in a statement, said some unnamed entities in the country have been attacked using a security flaw in Microsoft Outlook that came to light early last year.
“Cyber attacks targeting political entities, state institutions and critical infrastructure are not only a threat to national security, but also disrupt the democratic processes on which our free society is based,” the MFA said.
The security flaw in question is CVE-2023-23397, a now-patched critical privilege escalation bug in Outlook that could allow an adversary to access Net-NTLMv2 hashes and then use them to authenticate themselves by means of a relay attack.
Germany’s Federal Government (aka Bundesregierung) attributed to the threat actor a cyber attack aimed at the Executive Committee of the Social Democratic Party using the same Outlook vulnerability for a “relatively long period,” allowing it to “compromise numerous email accounts.”
Some of the industry verticals targeted as part of the campaign include logistics, armaments, the air and space industry, IT services, foundations, and associations located in Germany, Ukraine, and Europe, with the Bundesregierung also implicating the group in the 2015 attack on the German federal parliament (Bundestag).

APT28, assessed to be linked to Military Unit 26165 of the Russian Federation’s military intelligence agency GRU, is also tracked by the broader cybersecurity community under the names BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422.
Late last month, Microsoft attributed to the hacking group the exploitation of a Microsoft Windows Print Spooler component flaw (CVE-2022-38028, CVSS score: 7.8) as a zero-day to deliver a previously unknown custom malware called GooseEgg to infiltrate Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations.
NATO said Russia’s hybrid actions “constitute a threat to Allied security.” The Council of the European Union also chimed in, stating the “malicious cyber campaign shows Russia’s continuous pattern of irresponsible behavior in cyberspace.”
“Recent activity by Russian GRU cyber group APT28, including the targeting of the German Social Democratic Party executive, is the latest in a known pattern of behavior by the Russian Intelligence Services to undermine democratic processes across the globe,” the U.K. government said.
The U.S. Department of State described APT28 as known to engage in “malicious, nefarious, destabilizing and disruptive behavior” and that it’s committed to the “security of our allies and partners and upholding the rules-based international order, including in cyberspace.”
Earlier this February, a coordinated law enforcement action disrupted a botnet comprising hundreds of small office and home office (SOHO) routers in the U.S. and Germany that the APT28 actors are believed to have used to conceal their malicious activities, such as the exploitation of CVE-2023-23397 against targets of interest.
According to a report from cybersecurity firm Trend Micro this week, the third-party criminal proxy botnet dates back to 2016 and consists of more than just routers from Ubiquiti, encompassing other Linux-based routers, Raspberry Pi, and virtual private servers (VPS).

“The threat actor [behind the botnet] managed to move over some of the EdgeRouter bots from the C&C [command-and-control] server that was taken down on January 26, 2024, to a newly set up C&C infrastructure in early February 2024,” the company said, adding legal constraints and technical challenges prevented a thorough cleanup of all ensnared routers.
Russian state-sponsored cyber threat activity – data theft, destructive attacks, DDoS campaigns, and influence operations – is also expected to pose a severe risk to elections in regions like the U.S., the U.K., and the E.U. from multiple groups such as APT44 (aka Sandworm), COLDRIVER, KillNet, APT29, and APT28, per an assessment released by Google Cloud subsidiary Mandiant last week.
“In 2016, GRU-linked APT28 compromised U.S. Democratic Party organization targets as well as the personal account of the Democratic presidential candidate’s campaign chairman and orchestrated a leak campaign ahead of the 2016 U.S. Presidential election,” researchers Kelli Vanderlee and Jamie Collier said.
What’s more, data from Cloudflare and NETSCOUT show a surge in DDoS attacks targeting Sweden following its acceptance into the NATO alliance, mirroring the pattern observed during Finland’s NATO accession in 2023.

“The likely culprits of these attacks included the hacker groups NoName057, Anonymous Sudan, Russian Cyber Army Team, and KillNet,” NETSCOUT said. “All these groups are politically motivated, supporting Russian ideals.”
The developments come as government agencies from Canada, the U.K., and the U.S. have released a new joint fact sheet to help secure critical infrastructure organizations from continued attacks launched by apparent pro-Russia hacktivists against industrial control systems (ICS) and small-scale operational technology (OT) systems since 2022.
“The pro-Russia hacktivist activity appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects,” the agencies said. “However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments.”
Targets of these attacks comprise organizations in North American and European critical infrastructure sectors, including water and wastewater systems, dams, energy, and food and agriculture sectors.
The hacktivist groups have been observed gaining remote access by exploiting publicly exposed internet-facing connections as well as factory default passwords associated with human machine interfaces (HMIs) prevalent in such environments, followed by tampering with mission-critical parameters, turning off alarm mechanisms, and locking out operators by changing administrative passwords.
Recommendations to mitigate the threat include hardening human machine interfaces, limiting exposure of OT systems to the internet, using strong and unique passwords, and implementing multi-factor authentication for all access to the OT network.
“These hacktivists seek to compromise modular, internet-exposed industrial control systems (ICS) through their software components, such as human machine interfaces (HMIs), by exploiting virtual network computing (VNC) remote access software and default passwords,” the alert said.
CISO Corner: Verizon DBIR Lessons; Workplace Microaggression; Shadow APIs

Welcome to CISO Corner, Dark Reading’s weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we’ll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We’re committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

In this issue of CISO Corner:

Verizon DBIR: Basic Security Gaffes Underpin Bumper Crop of Breaches
Held Back: What Exclusion Looks Like in Cybersecurity
Why Haven’t You Set Up DMARC Yet?
DR Global: ‘Muddling Meerkat’ Poses Nation-State DNS Mystery
Shadow APIs: An Overlooked Cyber-Risk for Orgs
The Cybersecurity Checklist That Could Save Your M&A Deal

Also: Dark Reading’s brand-new podcast, Dark Reading Confidential, is coming this month, bringing you rare, firsthand stories from cybersecurity practitioners in the cyber trenches. Follow or subscribe on Spotify, Apple, Deezer or Pocket Cast, so you won’t miss any episodes!

Verizon DBIR: Basic Security Gaffes Underpin Bumper Crop of Breaches

By Tara Seals, Managing Editor, Dark Reading

MOVEit drove a big chunk of the increase, but human vulnerability to social engineering and failure to patch known bugs led to a doubling of breaches since 2023, said Verizon Business.

Verizon Business’ 2024 Data Breach Investigations Report (DBIR) this week detailed just how far patching can go in heading off a data breach, with big spikes in zero-day use and in the use of exploits overall marking the beginning point of breaches in the past year. The MOVEit software breaches alone accounted for a significant number of analyzed attacks.

It also noted that a full 68% of the breaches Verizon Business identified involved human error — either someone clicked on a phishing email, fell for an elaborate social-engineering gambit, was convinced by a deepfake, or had misconfigured security controls, among other snafus.

In all, a picture in this year’s DBIR emerges of an organizational norm where gaps in basic security defenses — including the low-hanging fruit of timely patching and effective user awareness training — continue to plague security teams, despite the rising stakes for CISOs and others that come with “experiencing a cyber incident.” Fortunately, there are ways to make these insights actionable for enterprises.

Read more: Verizon DBIR: Basic Security Gaffes Underpin Bumper Crop of Breaches

Related: Anatomy of a Data Breach: What to Do If It Happens to You, a free Dark Reading virtual event scheduled for June 20. Verizon’s Alex Pinto will deliver a keynote, Up Close: Real-World Data Breaches, detailing DBIR findings and more.

Held Back: What Exclusion Looks Like in Cybersecurity

By Jane Goodchild, Contributing Writer, Dark Reading

You can’t think about inclusion in the workplace without first understanding what kinds of exclusive behaviors prevent people from advancing in their careers.

Systemic exclusion of certain demographics is a troubling reality for many in the cybersecurity industry, even as they try to innovate, collaborate, and make a meaningful impact in their roles. These groups still struggle in making connections with colleagues, being invited to key meetings, and getting face time with important executives in the company.

Women are five times more likely to report exclusion from direct managers and peers, according to Women in CyberSecurity’s (WiCyS) “2023 State of Inclusion Benchmark in Cybersecurity Report.” But exclusion is not just limited to gender. Individuals with disabilities and intersectional identities experience levels of workplace exclusion comparable to, or even exceeding, those related to gender, emphasizing the compounded impact of multiple differing identity traits.

It’s not just about being left out of the room. Being on the receiving end of disrespectful behaviors, sexually inappropriate advances, and a lack of appreciation for skills and experience can also make it hard to advance in the workplace. These kinds of microaggressions are difficult to pin down, experts say.

Read more: Held Back: What Exclusion Looks Like in Cybersecurity

Related: Cybersecurity Is Becoming More Diverse … Except by Gender

Why Haven’t You Set Up DMARC Yet?

By Robert Lemos, Contributing Writer, Dark Reading

DMARC adoption is more important than ever following Google’s and Yahoo’s latest mandates for large email senders. This Tech Tip outlines what needs to be done to enable DMARC on your domain.

In January, adoption of the email standard for protecting domains from spoofing by fraudsters — Domain-based Message Authentication, Reporting and Conformance, or DMARC — became a necessity as companies prepared for the enforcement of mandates by email giants Google and Yahoo. DMARC uses a domain record and other email-focused security technologies to determine whether an email comes from a server authorized to send messages on behalf of a particular organization.

Yet three months later, while almost three-quarters of large organizations (73%) have adopted that most basic version of DMARC, the share of those organizations that would pass the most stringent standards varies significantly by nation. At the same time, threats are ramping up that target those who lack strong DMARC protection.

Here are the steps for setting up DMARC and avoiding an easily defended-against compromise.

Read more: Why Haven’t You Set Up DMARC Yet?

Related: DPRK’s Kimsuky APT Abuses Weak DMARC Policies, Feds Warn

DR Global: ‘Muddling Meerkat’ Poses Nation-State DNS Mystery

By Rob Lemos, Contributing Writer, Dark Reading

Likely China-linked adversary has blanketed the Internet with DNS mail requests over the past five years via open resolvers, furthering Great Firewall of China ambitions. But the exact nature of its activity is unclear.

A freshly discovered cyber threat group dubbed Muddling Meerkat has been uncovered, whose operations feature covert traffic immune to China’s government-run firewall; it also uses open DNS resolvers and mail records to communicate.

The China-linked group has demonstrated its ability to get specific DNS packets through the Great Firewall, one of the technologies separating China’s Internet from the rest of the world; and Muddling Meerkat is also able to get DNS mail (MX) records with random-looking prefixes in response to certain requests, even when the domain has no mail service.

The goal of the capability remains unclear — most likely it’s for reconnaissance or establishing the foundations of a DNS denial-of-service attack, but it’s sophisticated and needs further analysis.

The threat research comes as the governments of the United States and other nations have warned that China’s military has infiltrated critical infrastructure networks with a goal of pre-positioning their cyber operators for potential future conflicts.

Read more: ‘Muddling Meerkat’ Poses Nation-State DNS Mystery

Related: China Infiltrates US Critical Infrastructure in Ramp-up to Conflict

Shadow APIs: An Overlooked Cyber-Risk for Orgs

By Jai Vijayan, Contributing Writer, Dark Reading

Organizations shoring up their API security need to pay particular attention to unmanaged or shadow application programming interfaces.

Shadow APIs are Web services endpoints that are no longer in use, outdated, or undocumented, and therefore not actively managed. Often neither documented nor decommissioned, they translate to significant risk for organizations.

In recent years, many organizations have deployed APIs extensively to integrate disparate systems, applications, and services in a bid to streamline business processes, boost operational efficiencies, and enable digital transformation initiatives.

But one of the biggest surprises for enterprises that increase their visibility into API activity is the sheer number of shadow endpoints in their environment that they were previously unaware of, says Rupesh Chokshi, senior vice president, application security at Akamai.

How to tackle this proliferation challenge? The first step to enabling better API security is to discover these shadow endpoints and either eliminate them or incorporate them into the API security program, he notes.

Read more: Shadow APIs: An Overlooked Cyber-Risk for Orgs

Related: API Security Is the New Black

The Cybersecurity Checklist That Could Save Your M&A Deal

Commentary by Craig Davies, CISO at Gathid

With mergers and acquisitions making a comeback, organizations need to be sure they safeguard their digital assets before, during, and after.

When two companies are combined, a vast amount of sensitive data and information is exchanged between them, including financial records, customer information, and intellectual property. Additionally, different types of software and hardware often need to be integrated, which can create security vulnerabilities for cybercriminals to exploit.

With mergers and acquisitions (M&A) making a much-anticipated comeback, soaring by 130% in the US to top $288 billion, baking cybersecurity into the process is critical to protect and safeguard the integrity of confidential data. In fact, it can make or break an M&A deal.

To avoid that terrible scenario, take a look at the M&A Cybersecurity Checklist, aimed at helping organizations safeguard their digital assets before, during, and after a deal goes through:

Adopt risk metrics.
Establish a dedicated, joint cybersecurity team.
Develop a risk mitigation strategy.
Plan for IT integration.
Check for third-party risks.
Establish identity and access governance and management.
Create an incident response plan.
Ensure ongoing monitoring.
Train employees.

Read more on each of the steps: The Cybersecurity Checklist That Could Save Your M&A Deal

Related: Navigating Tech Risks in Modern M&A Waters
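The DMARC item above distinguishes between merely publishing a record and passing "the most stringent standards." The difference lives in a handful of tags in the domain's TXT record. The Python below is an added example, not code from Dark Reading or from the Tech Tip it summarizes: it parses a DMARC record using the tag syntax from RFC 7489 and grades how much protection the policy actually gives. The sample records and the strength labels ("monitor-only", "moderate", "strong") are constructed for illustration and are not a published scoring scheme.

```python
"""Parse a DMARC TXT record and grade how much protection it gives.

Added example; the grading labels are an illustrative convention, not a standard.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Policy values defined by RFC 7489, ranked from weakest to strongest.
VALID_POLICIES = ("none", "quarantine", "reject")
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    valid: bool
    policy: str | None             # effective p= value
    subdomain_policy: str | None   # effective sp= value (defaults to p=)
    pct: int                       # share of failing mail the policy applies to
    strength: str                  # "invalid", "monitor-only", "moderate" or "strong"
    findings: list[str] = field(default_factory=list)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into an ordered tag dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Validate the record and list the weaknesses a receiver would act on."""
    findings: list[str] = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return DmarcAssessment(False, None, None, 0, "invalid", [str(exc)])

    # RFC 7489: v=DMARC1 must be the first tag and p= is mandatory.
    if not tags or next(iter(tags)) != "v" or tags["v"].upper() != "DMARC1":
        return DmarcAssessment(False, None, None, 0, "invalid",
                               ["record must start with v=DMARC1"])
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return DmarcAssessment(False, None, None, 0, "invalid",
                               [f"missing or invalid p= tag: {policy!r}"])

    # sp= governs subdomains and falls back to p= when absent or invalid.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in VALID_POLICIES:
        findings.append(f"invalid sp= value {sub_policy!r}; receivers fall back to p=")
        sub_policy = policy

    # pct= defaults to 100; anything else is an integer percentage.
    try:
        pct = int(tags.get("pct", "100"))
        if not 0 <= pct <= 100:
            raise ValueError
    except ValueError:
        findings.append("pct= must be an integer 0-100; treating as 100")
        pct = 100

    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct} leaves {100 - pct}% of failing mail unaffected")
    if POLICY_RANK[sub_policy] < POLICY_RANK[policy]:
        findings.append(f"sp={sub_policy} is weaker than p={policy}; subdomains can be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")

    if policy == "none":
        strength = "monitor-only"
    elif policy == "reject" and sub_policy == "reject" and pct == 100:
        strength = "strong"
    else:
        strength = "moderate"
    return DmarcAssessment(True, policy, sub_policy, pct, strength, findings)


if __name__ == "__main__":
    # Constructed sample records, from weakest to strongest.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; sp=none; pct=50",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        a = assess_dmarc(rec)
        print(f"{a.strength:13} {rec}")
        for f in a.findings:
            print(f"    - {f}")
```

In practice the record is fetched with a TXT lookup of `_dmarc.<domain>`; the function above takes the record text so it can be run offline against records exported from DNS. A record that grades "monitor-only" satisfies the minimum the large-sender mandates ask for, but does nothing to stop spoofed mail, which is the gap the Kimsuky warning cited under "Related" is about.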
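The Shadow APIs item above names discovery as the first step but does not show what discovery looks like. One practical form is to compare what the gateway or web server actually served against what the API catalogue documents. The Python below is an added example, not code from Dark Reading or Akamai: it reads access-log lines in the common log format, matches each request against a small list of documented path templates (OpenAPI-style `{id}` placeholders), and reports three buckets: documented, deprecated-but-still-called, and undocumented ("shadow") endpoints. The documented list and the log lines are constructed for the example; numeric and UUID path segments are generalized to `{id}` so repeated hits on one shadow endpoint group together.

```python
"""Find shadow API endpoints by diffing access logs against the documented surface.

Added example. DOCUMENTED and SAMPLE_LOG are constructed inputs, not real data.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlsplit

# Documented API surface: (method, OpenAPI-style path template, deprecated?).
DOCUMENTED = [
    ("GET", "/api/v2/users/{id}", False),
    ("POST", "/api/v2/orders", False),
    ("GET", "/api/v1/users/{id}", True),   # documented, but marked deprecated
]

# Constructed access-log lines in the common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2024:10:01:12 +0000] "GET /api/v2/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [03/May/2024:10:01:15 +0000] "POST /api/v2/orders HTTP/1.1" 201 88
10.0.0.9 - - [03/May/2024:10:02:01 +0000] "GET /api/v1/users/7 HTTP/1.1" 200 400
10.0.0.9 - - [03/May/2024:10:02:30 +0000] "GET /api/internal/export/1001?format=csv HTTP/1.1" 200 90210
10.0.0.9 - - [03/May/2024:10:02:31 +0000] "GET /api/internal/export/1002 HTTP/1.1" 200 88111
10.0.0.7 - - [03/May/2024:10:03:00 +0000] "DELETE /api/v2/users/42 HTTP/1.1" 405 0
this line is not a log entry and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Path segments that look like identifiers: integers or UUIDs.
ID_SEG = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I
)


def template_to_regex(template: str) -> re.Pattern[str]:
    """Turn '/api/v2/users/{id}' into a regex matching one concrete path."""
    parts = re.split(r"(\{[^}]+\})", template)
    pattern = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + pattern + "$")


def build_index(documented):
    return [(m, template_to_regex(t), t, dep) for m, t, dep in documented]


def parse_log_line(line: str):
    """Return (method, path) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["target"]).path       # drop the query string
    return m["method"], (path.rstrip("/") or "/")


def generalize(path: str) -> str:
    """Replace identifier-like segments with {id} so variants group together."""
    return "/".join("{id}" if ID_SEG.match(seg) else seg for seg in path.split("/"))


def classify(method: str, path: str, index):
    """Match a request against the documented surface; unmatched ones are shadow."""
    for m, rx, template, deprecated in index:
        if m == method and rx.match(path):
            return ("deprecated" if deprecated else "documented", template)
    return ("shadow", generalize(path))


def find_shadow_endpoints(log_lines, documented=DOCUMENTED):
    """Count requests per (method, endpoint) in each bucket."""
    index = build_index(documented)
    report = {"documented": Counter(), "deprecated": Counter(), "shadow": Counter()}
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        method, path = parsed
        kind, key = classify(method, path, index)
        report[kind][(method, key)] += 1
    return report


if __name__ == "__main__":
    result = find_shadow_endpoints(SAMPLE_LOG.splitlines())
    for kind in ("shadow", "deprecated"):
        for (method, endpoint), n in sorted(result[kind].items()):
            print(f"{kind:10} {n:4}  {method} {endpoint}")
```

Run against the constructed log, the report shows two shadow endpoints (an `/api/internal/export/{id}` path nobody documented, and a `DELETE` on a documented resource that the spec never allowed) plus one deprecated endpoint that still receives traffic. Those are exactly the items the article says must be either decommissioned or brought under the API security program; the method-plus-path matching matters because an undocumented verb on a known path is as much a shadow endpoint as an unknown path.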