Cyber Incident Victim: Bundestag

Date: Mar 2021

Location: Germany

Summary

The German Parliament was targeted in a spearphishing campaign where attackers compromised private email accounts of multiple federal and regional lawmakers, primarily from governing parties. Russian military intelligence-linked threat actors known as Ghostwriter were suspected, leveraging fabricated personas to disseminate anti-NATO narratives in alignment with broader information operations. While the parliamentary network itself remained unaffected, the incident echoed previous state-sponsored attacks against European legislative bodies, including prior breaches of the same institution and Norway's parliament, which involved data theft and were attributed to Russian groups like APT28.

Description

On or around March 25, 2021, Russian state-sponsored hackers targeted email accounts belonging to multiple members of the German Parliament in a spearphishing campaign. Attackers sent phishing emails to private email addresses of seven members of the German federal parliament (Bundestag) and 31 members of regional parliaments, with most victims affiliated with the CDU/CSU and SPD governing parties. The Bundestag confirmed its internal network was not compromised during this incident. Upon detection, all affected parliament members received immediate notifications. German security authorities attributed the operation to Ghostwriter, a Russian military intelligence-linked hacking group active since at least March 2017. This group historically employed fabricated personas impersonating journalists and analysts to disseminate anti-NATO narratives through compromised websites and spoofed email accounts, primarily targeting audiences in Lithuania, Latvia, and Poland.

The incident followed a pattern of Russian cyber operations against European governmental entities. In 2015, APT28—another Russian state-backed group—compromised email accounts of Bundestag members, leading to EU sanctions against APT28 operatives in October 2020. Norway disclosed an almost identical attack in August 2020 against its parliamentary representatives, later attributed to Russian state hackers who successfully exfiltrated data from breached accounts. Ukrainian authorities also reported Russian-sponsored attacks targeting government systems through compromised document management infrastructure. While the 2021 Bundestag phishing campaign’s data theft impact remained unconfirmed, its operational overlap with Ghostwriter’s established tactics—including information operations aimed at undermining NATO cohesion—aligned with broader geopolitical objectives. US Cyber Command had previously documented related malware implants targeting national legislatures and diplomatic entities globally.
