Cyber Incident Victim: Federal Government of Germany
Date: May 2015
Location: Germany
Summary
The Federal Government of Germany faced cyber espionage attributed to Russian state-linked actors, specifically targeting Chancellor Angela Merkel's email accounts and the Bundestag. Hackers employed the Sofacy/APT28 malware to infiltrate systems, exfiltrating years of correspondence and disrupting parliamentary operations. Merkel publicly condemned the attacks as part of a broader Russian strategy involving cyber-disinformation and election interference, expressing diplomatic frustration despite efforts to improve bilateral relations. The incident exacerbated existing tensions stemming from Russia's geopolitical actions, with German intelligence identifying a suspect also wanted by the FBI for other high-profile cyberattacks. Germany signaled potential retaliatory measures, referencing prior sanctions imposed following a separate state-linked assassination on its soil.
Description
In 2015, Russian state-sponsored hackers targeted the German Bundestag and Chancellor Angela Merkel’s email accounts in a cyber espionage operation. The attack, attributed to the group Sofacy or APT 28, employed aggressive tactics that compromised parliamentary systems and exfiltrated sensitive data. German intelligence services confirmed that hackers successfully copied the contents of two of Merkel’s email accounts, containing correspondence spanning 2012 to 2015. The same group had previously targeted NATO members and was responsible for knocking French television station TV5Monde offline. German media identified Dmitry Badin, a suspect also sought by the FBI for cyberattacks including interference in the 2016 U.S. presidential election, as a key perpetrator. Investigators linked the breach to a broader pattern of Russian cyber operations characterized by disinformation campaigns and data distortion. The Bundestag’s IT infrastructure sustained significant damage, requiring extensive remediation efforts. Merkel publicly acknowledged the incident years later, citing “hard evidence” of Russian involvement during a 2020 parliamentary address.

The incident strained Germany-Russia relations, with Merkel condemning the hacking as “outrageous” and detrimental to diplomatic trust. She emphasized that such actions contradicted ongoing efforts to improve bilateral ties, particularly amid disputes over Russia’s annexation of Crimea, Syrian policy, and election meddling. The breach amplified existing tensions, exemplified by Germany’s response to the 2019 assassination of a former Chechen commander in Berlin, which German prosecutors linked to Russian or Chechen state actors. Following that killing, Germany expelled Russian diplomats as a sanction—a measure Merkel hinted could apply to future cyber intrusions. While no immediate cyber-specific sanctions were imposed after the 2015 attack, Merkel warned that Russia’s “cyber-disorientation” strategy would face consequences if unchecked. The breach underscored systemic vulnerabilities in governmental communications and reinforced Germany’s focus on cybersecurity hardening. Intelligence agencies continued monitoring APT 28’s activities, noting its persistent targeting of political entities. Merkel’s disclosure highlighted the operational and diplomatic fallout of the incident, framing it as part of a sustained adversarial campaign against democratic institutions.
