Since 1 December, one or more hackers have been publishing data and documents from hundreds of German politicians in a Twitter advent calendar – a massive assault on the government that wasn’t discovered until Thursday night.
Apparently, nobody noticed until the hacker hijacked the Twitter account of German YouTube star Simon Unge.
On Friday, Berlin public broadcaster RBB Inforadio was the first to report on the hack.
RBB reported that it’s not yet known who the culprit(s) are. But there are theories: A YouTuber named Tomasz Niemiec told news outlet T-online.de that a guy who’s out to gain attention is behind the attacks.
Niemiec said that he knew the hacker strictly through online communications and that the man has been active for years, collecting data and hacking YouTube accounts.
Niemiec says he talked to the hacker on Friday in an effort to get him to surrender Unge’s hijacked account: a highly valuable one with two million YouTube followers. According to what Niemiec told T-online.de, the hacker has hinted that he hijacked Unge’s account by exploiting a supposed bug in two-factor authentication – a purported bug that he doesn’t intend to publish, Niemiec said.
Interior Minister Horst Seehofer told reporters that an initial analysis suggests that the stolen material was obtained from cloud services, email accounts or social networks.
It’s a motley collection that, at least upon initial review, doesn’t seem to contain any highly sensitive political documents. The data sets contain party memos, mobile phone numbers, contact info, photo ID cards, letters, invoices, direct debit authorizations, invitations, chats between politicians’ family members, and credit card information from their family circles.
The targets included Chancellor Angela Merkel and President Frank-Walter Steinmeier. The hackers published Merkel’s fax number, email address and several letters written by and addressed to her, Deutsche Welle reported, citing the DPA news agency.
A government spokeswoman:
With regard to the Chancellery it seems that, judging by the initial review, no sensitive information and data have been published and this includes [from] the chancellor.
Within hours after the news having broken, Twitter shut down the account that for weeks had been leaking the data. The account, named G0d, claims to be based in Hamburg. Security researcher Luca Hammer, who works on identifying Twitter bots, said that two other Twitter accounts, @_0rbit and @_0rbiter, had also been used to spread the material, as well as the Google blog http://0rbiter.blogspot.com. They’ve all since been taken down.
Luca Hammer (@luca) January 04, 2019
Besides politicians, artists and journalists with leftist leanings were also targeted. The first target, on 1 December, was the German television comedian Jan Böhmermann. It went on up from there to pull in members of Chancellor Angela Merkel’s center-right party and its Bavarian counterpart.
All German political parties were affected except one: the far right Alternative for Germany, or AfD.
According to the New York Times, the Federal Office for Information Security called a crisis meeting on Friday to coordinate with the country’s domestic and foreign intelligence agencies in investigating the leaks.
Germany’s digital defense body said that it’s “intensively” investigating the apparent data leak, a spokesman for the Federal Office for IT Safety (BSI) said on Friday:
Hackerangriff auf Politiker: Das BSI prüft den Fall derzeit in enger Abstimmung mit weiteren Bundesbehörden intensi… twitter.com/i/web/status/1…—
BSI (@BSI_Presse) January 04, 2019
A computer translation:
Hacker attack on politicians: The BSI is currently intensively examining the case in close cooperation with other federal authorities. The National Cyber Defense Center has taken over the central coordination. According to the current state of knowledge there is no concern of the governmental networks.
Hammer said that one of the Twitter accounts, @_0rbit, had over 18,000 followers. Most of them were probably bots, given that they followed the account in batches in April 2017. It looks like the account had a gaming/YouTube/right-wing background, Hammer said: a hunch that supports what Niemiec claims about the YouTube account hijacker he thinks is behind the hacks.
In the early hours following the news breaking, speculation is rife. Was it a YouTube account hijacker out for glory? An inside job? Was it the exploit of a platform with old, known vulnerabilities used by the Bundestag?
We’ll let you know when and if these questions get answered. Here’s some advice we gave back when terrorists were told to hijack social media accounts to spread propaganda:
How to fend off account hijackers
We write about account hijacking quite a bit. Fortunately, many of the big social media platforms are supporting a way – app-based authentication – to protect our accounts from these attacks, which come in such forms as phishing and SIM swaps.
Using application-based 2FA (such as Sophos Authenticator, which is also included in our free Sophos Mobile Security for Android and iOS) mitigates a lot of the risk of SIM swap attacks because mobile authentication apps don’t rely on communications tied to phone numbers.