Cyber Incident Victim: German Christian Democratic Union

Date: May 2016

Location: Germany

Summary

The Pawn Storm advanced persistent threat group targeted members of Germany's ruling political party through phishing campaigns, deploying fake corporate webmail servers mimicking the organization's infrastructure and creating spoofed login pages for popular email providers to steal credentials. This group, suspected of Russian origins due to its history of targeting entities opposing Russian interests, aimed to compromise both corporate and personal accounts for comprehensive surveillance, enabling inbox downloads and covert email forwarding. The attackers also leveraged iOS malware to monitor victims via compromised mobile devices, reflecting their multi-faceted espionage tactics against political and governmental entities globally.

CIA Posture: Available to members

Motives: 2 motives

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

In early May 2016, the Pawn Storm advanced persistent threat (APT) group targeted members of Germany’s Christian Democratic Union (CDU), the political party of Chancellor Angela Merkel. The attackers employed phishing tactics, establishing a fraudulent corporate webmail server designed to mimic CDU’s legitimate infrastructure on a Latvian server. They simultaneously registered three deceptive domains—account-web.de, account-gmx.de, and account-gmx.net—hosting counterfeit login pages impersonating the German email services Web.de and GMX. These domains served as lures to harvest credentials from both personal and professional email accounts of CDU affiliates. The operation aligned with Pawn Storm’s historical focus on entities perceived as adversarial to Russian interests, including prior campaigns against NATO, the US State Department, Turkish government officials, and investigators probing the MH17 incident. Trend Micro researchers attributed the group’s activities to Russian origins based on its consistent targeting patterns and operational methods.

The campaign extended beyond credential theft, leveraging the XAgent iOS malware to surveil targets through compromised mobile devices. Trend Micro identified over a dozen active command-and-control servers supporting the XAgent infrastructure, underscoring the group’s operational scale. Successful phishing attempts enabled Pawn Storm to exfiltrate entire email inboxes and establish covert email forwarding rules for persistent monitoring of communications. The attackers’ multi-vector approach—simultaneously targeting corporate and personal accounts—reflected their documented tactics against governments, military organizations, and media entities. No specific mitigation actions by CDU were disclosed in available reporting. The incident highlighted the group’s continued adaptability in exploiting both technical vulnerabilities and human factors to compromise high-profile political targets.

Sources

1 source (available to members)