Germany Calls Out Russian State-Sponsored Cyber Attacks

Published: 17 October 2024  Author: Rohan Sinha

In recent years, Germany has repeatedly been the target of Russian cyber attacks, including cyber espionage. Such cyber attacks are often part of disinformation campaigns, for example when websites or well-known social media accounts are hacked in order to spread false information. The intention is to destabilise the target country by sowing uncertainty among its population, influencing public opinion, emotionalising controversial debates, amplifying social tensions and stoking distrust in State institutions and the government. When such disinformation campaigns are State-sponsored, the Federal Government speaks of a ‘hybrid threat’. When States like Russia combine such operations with traditional military action, economic pressure and subversive activities, the Federal Government refers to this approach as ‘hybrid warfare’.

Ahead of the 2021 German federal elections, the Federal Office for the Protection of the Constitution, Germany’s domestic intelligence agency, observed ‘intensive activities of a cyber actor in Germany’ with a likely ‘intelligence service background’. According to media reports, Russian hackers had launched a cyber attack against seven members of the Federal Parliament and 31 federal state parliamentarians. The targeted legislators were members of the political parties forming the government at the time. The hackers, who used phishing emails, were allegedly linked to Russia’s military intelligence service GRU. These media reports prompted a response from the spokeswoman of the Russian Foreign Ministry, who stated that ‘it looks as if the Western media have once again played the worn out “Russian hacker” plate’.

Half a year after the media reports, the Federal Foreign Office confirmed the attacks. During the regular government press conference on 6 September 2021, a spokesperson for the Federal Foreign Office made the following statement:

About the attribution of cyberattacks on members of the Federal Parliament and federal state parliaments. For several years now, the cyber actor ‘Ghostwriter’ has been combining conventional cyber attacks with disinformation and influence operations. For some time now, we have also been observing a focus of these activities on Germany. In Germany, in the run-up to the federal elections, phishing emails were used to try to obtain personal login details, particularly of members of the Federal Parliament and federal state parliaments, in order to commit identity theft. These attacks can serve as preparations for influence operations such as disinformation campaigns in relation to the Federal Parliament elections.

The Federal Government has reliable information on the basis of which the ‘ghostwriter’ activities can be attributed to cyber actors of the Russian State and specifically to the Russian military intelligence service GRU. The Federal Government regards this unacceptable activity as a threat to the security of the Federal Republic of Germany and to the democratic decision-making process, and as a severe strain on bilateral relations. The Federal Government strongly urges the Russian government to cease these unauthorised cyber activities with immediate effect. The Federal Government has also expressed this demand directly to Russian officials, most recently at the meeting of the German-Russian High-Level Working Group on Security Policy, which took place last week on 2 and 3 September.

Answering a parliamentary question, the State Secretary at the Federal Ministry of the Interior, Building and Community explained:

The affiliation of GHOSTWRITER to the Russian military intelligence service is the result of an attribution process that involved findings of our own intelligence services as well as information from exchanges with national and international partners.

In response to the Federal Foreign Office’s statement, the spokesperson for the Russian Foreign Ministry stated on 9 September 2021:

This is not the first time Russia has been accused of involvement in hacker attacks on German deputies. Germany made similar allegations in 2015 and 2017. The internet remembers everything. It is easy to find this information through search engines and you will understand that after the 2017 parliamentary elections the then German Minister of the Interior Thomas de Maiziere had to acknowledge the absence of any Russian influence on the voting. However, apparently Berlin is not learning from its past mistakes.

Despite our repeated requests via diplomatic channels, our German partners have not presented any evidence of Russia’s involvement in hacker attacks. I would like to emphasise that we used existing diplomatic channels for this purpose. Russian proposals to conduct a joint inquiry were ignored. At the same time, Germany has initiated two packages of anti-Russia sanctions from the EU in this context.

We are convinced that in the case of Ghostwriter, these allegations have a foreign policy background like the similar groundless US accusations against Russia. It appears that this is yet another PR escapade in the context of the domestic political struggle in Germany on the eve of the elections to the Bundestag on September 26, 2021.

Like a bad student, in accusing Russia, Berlin is trying to parrot its overseas teacher and copy whatever it does in the hope of getting good marks and gaining political points. …

Therefore, we believe that the afore-mentioned [sic] recent statement reflects the desire of individual German politicians to show their main ally, to whom this lobby is oriented, that they allegedly keep the Russians at a distance and will not allow breeches [sic] in trans-Atlantic solidarity. On top of that, they are likely to once again use the hackneyed ‘threat from the East’ on the eve of the elections to the [Federal Parliament]. We would like to recommend that our German partners that [sic] it would be good to return to a civilised election agitprop campaign without any insinuations or groundless accusations against foreign countries. If you are denouncing or accusing someone, please support your claims with facts. This is a point of interest because, as we understand it, Berlin is averse to the facts.

While explicitly attributing the cyberattacks to Russia and specifically to the Russian State, the Federal Government did not accuse Russia of violating international law, but rather labelled the cyber attack merely as ‘unacceptable behaviour’. Foreign interference with parliamentary elections may, however, violate international law under certain circumstances. For example, State sovereignty may be violated if the interference either amounts to an illegal intervention in the State’s internal affairs or constitutes a violation of the target State’s territorial integrity. The latter would generally require physical damage in the State or a loss of functionality of cyber infrastructure. A violation of State sovereignty could also occur when a cyber operation interferes with the inherently governmental functions of another State, which includes the conduct of elections. Depending on the scale and effect of a foreign State’s cyber operation directed against the electorate, disinformation campaigns could also be qualified as coercive and thus violate the prohibition of intervention. This may be the case when a State, by spreading disinformation via the internet, deliberately incites violent political upheaval, riots or civil strife, thereby significantly impeding the orderly conduct of an election and the casting of ballots.

The Russian cyber attack on German legislators did not, however, come close to any of these scenarios. Indeed, no actual damage was caused. The language of the Federal Government’s statement implies that the intended identity theft of the targeted lawmakers remained unsuccessful and that the cyber attacks were merely ‘preparations for influence operations such as disinformation campaigns’. The statement’s language, which stopped short of accusing Russia of acting illegally, was thus in line with Germany’s position on violations of international law in cyberspace.

The Russian cyber attack can therefore only be described as an unfriendly act, to which Germany was allowed to respond with a lawful but unfriendly act of its own – an act of retorsion. Acts of retorsion typically include the expulsion of diplomats or the imposition of sanctions. For example, on 15 April 2021 the United States expelled ten Russian diplomats and imposed sanctions in response to Russian cyber operations that hacked several US federal agencies and interfered with the 2020 US presidential elections. Germany took no such action but simply called out Russia in the regular government press conference. Considering that the attempt of the hackers to publish disinformation with stolen identities was unsuccessful, a further diplomatic escalation was probably seen as unnecessary. In any case, the statement seemed to be addressed more to the general public in Germany than to the Russian State. Since the cyber attacks did not cease after German government officials had raised the issue with their Russian counterparts in private, making the hacks public and calling out Russia arguably served to avert damage in the future by raising awareness with the media and the general public.

 

Category: Political independence

Author

  • Rohan Sinha is assistant editor of GPIL. He studied law at the University of Passau and is currently a research associate at the Institute for Public International Law at the University of Bonn and a trainee lawyer at the Higher Regional Court of Cologne.
