Cyber Incident Victim: Bündnis 90/Die Grünen
Date: May 2022
Location: Germany
Summary
A cyberattack compromised email accounts of a German political party, including those of high-ranking officials, by redirecting incoming communications to an external server controlled by the perpetrators. Attackers gained administrative access to the party's IT systems, establishing unauthorized mail forwarding rules that exfiltrated messages over a two-week period. The breach was detected when server errors caused redirected emails to bounce back to the original accounts. Technical indicators and the use of infrastructure in Moldova—a region with significant Russian influence—led investigators to suspect Russian state-backed involvement. While no public data leaks occurred initially, authorities acknowledged potential future disclosures of intercepted communications. National cybersecurity agencies and forensic experts collaborated in the ongoing investigation.
Description
The cyberattack targeting Germany's Green Party (Bündnis 90/Die Grünen) unfolded between May 16 and May 30, 2022, with attackers gaining unauthorized access to the party's email infrastructure. The breach involved a systematic compromise of administrative accounts within the party's IT department, which managed its email systems. Attackers exploited these credentials to establish automated mail forwarding rules, diverting incoming emails from at least 14 accounts belonging to high-profile party members to an external server in Moldova. Among the affected individuals were party co-chairs Omid Nouripour and Ricarda Lang, as well as then-co-chairs and federal ministers Annalena Baerbock and Robert Habeck. This redirection allowed threat actors to monitor real-time communications without direct access to individual mailboxes. Technical evidence indicated the attackers operated with significant planning and professionalism, employing multiple vectors to target the party's administrative systems.

The breach was discovered on or around May 30 when a server error caused bounced emails with error notifications to reappear in the victims' mailboxes, exposing the unauthorized forwarding mechanism. The Greens filed a criminal complaint with Berlin authorities on May 30, prompting investigations by the Berlin Public Prosecutor's Office, State Criminal Police Office (LKA), and Federal Criminal Police Office (BKA). Forensic analysis by the Federal Office for Information Security (BSI) and external IT experts confirmed the attackers exfiltrated all incoming emails during the two-week period. Security agencies attributed the operation to Russian-aligned actors based on technical patterns, the Moldovan server's location (noted for Russian influence), and the targeted extraction of political intelligence. No public leakage of stolen emails was confirmed at the time, though the party acknowledged future publication remained possible. Containment measures included disabling the malicious forwarding rules and securing compromised administrative accounts.
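The exfiltration described above relied on auto-forwarding rules that sent every incoming message from several mailboxes to one external server, and the rules were created with administrative credentials rather than by the mailbox owners. A periodic audit of forwarding rules is the defensive control that surfaces exactly that pattern. The script below is an added illustration, not code from the incident report or from the party's IT department: it works over a constructed, hypothetical export of forwarding rules (the `ForwardingRule` record, the `party.example` and `relay.example` domains and all account names are placeholders) and flags rules that forward outside the organisation, were created by an account other than the mailbox owner, or were created recently, then clusters external targets that several mailboxes share.

```python
"""Audit mailbox auto-forwarding rules for signs of silent exfiltration.

Added example, not from the incident report. The rule export format,
domains and account names are constructed placeholders; a real export
from Exchange, Google Workspace or another platform will look different.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ForwardingRule:
    mailbox: str          # mailbox the rule is attached to
    target: str           # address incoming mail is forwarded to
    created_by: str       # account that created the rule
    created_at: datetime  # when the rule was created


INTERNAL_DOMAINS = {"party.example"}   # domains the organisation owns (placeholder)
NOW = datetime(2022, 5, 30)            # constructed audit timestamp

# Constructed sample export: one benign delegation, two rules that an admin
# account pointed at the same external address, one recent helpdesk rule.
SAMPLE_RULES = [
    ForwardingRule("user1@party.example", "user2@party.example",
                   "user1@party.example", NOW - timedelta(days=200)),
    ForwardingRule("cochair1@party.example", "collector@relay.example",
                   "itadmin@party.example", NOW - timedelta(days=14)),
    ForwardingRule("cochair2@party.example", "collector@relay.example",
                   "itadmin@party.example", NOW - timedelta(days=13)),
    ForwardingRule("user3@party.example", "user4@party.example",
                   "helpdesk@party.example", NOW - timedelta(days=3)),
]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_forwarding_rules(rules, internal_domains=INTERNAL_DOMAINS, now=NOW,
                           recent=timedelta(days=14)):
    """Return one finding per suspicious rule, most reasons first.

    Reasons: the target is outside the organisation, the rule was created by
    an account other than the mailbox owner (e.g. an admin credential), or
    the rule is newer than `recent`.
    """
    findings = []
    for rule in rules:
        reasons = []
        if domain_of(rule.target) not in internal_domains:
            reasons.append("external_target")
        if rule.created_by.lower() != rule.mailbox.lower():
            reasons.append("created_by_other_account")
        if now - rule.created_at <= recent:
            reasons.append("recently_created")
        if reasons:
            findings.append({"mailbox": rule.mailbox, "target": rule.target,
                             "reasons": reasons})
    findings.sort(key=lambda f: (-len(f["reasons"]), f["mailbox"]))
    return findings


def shared_external_targets(rules, internal_domains=INTERNAL_DOMAINS,
                            min_mailboxes=2):
    """Map each external target used by >= min_mailboxes mailboxes to them.

    Many mailboxes forwarding to one outside address is the collection
    pattern to look for; a single personal forward rarely looks like this.
    """
    by_target = defaultdict(list)
    for rule in rules:
        if domain_of(rule.target) not in internal_domains:
            by_target[rule.target.lower()].append(rule.mailbox)
    return {t: sorted(m) for t, m in by_target.items() if len(m) >= min_mailboxes}


if __name__ == "__main__":
    for finding in audit_forwarding_rules(SAMPLE_RULES):
        print(f"{finding['mailbox']} -> {finding['target']}: "
              f"{', '.join(finding['reasons'])}")
    for target, mailboxes in shared_external_targets(SAMPLE_RULES).items():
        print(f"shared external target {target}: {len(mailboxes)} mailboxes")
```

The benign delegation (owner-created, internal, old) produces no finding, while the two admin-created rules to the shared external address come out on top with all three reasons; the helpdesk rule is still reported, with fewer reasons, so an analyst can confirm it was requested. Running this on a schedule, and alerting when a new external target appears on more than one mailbox, would have caught the forwarding described above before a server error did.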
