Cyber Incident Victim: German Christian Democratic Union
Date: Dec 2018
Location: Germany
Summary
A 20-year-old German student confessed to conducting a years-long data breach targeting politicians, journalists, and public figures, including members of the Christian Democratic Union, motivated by annoyance over their public statements. The attacker exfiltrated personal data such as addresses, emails, chat logs, and letters, then systematically leaked the information online through an Advent calendar-style Twitter campaign with numerous mirrored links to evade takedowns. Right-wing politicians were notably affected, while the AfD party was excluded. The suspect, who acted alone, destroyed his computer before arrest, but authorities recovered backups for analysis, finding no evidence of foreign involvement or third-party participation.
Description
In early January 2019, German authorities announced the arrest of a 20-year-old suspect in connection with a years-long data exfiltration campaign targeting hundreds of German politicians, journalists, and public figures. Dubbed the "Hacker-Angriff" (Hacker Attack) by local media, the incident involved the systematic theft of sensitive personal data and, beginning in December 2018, its public release. The attacker compromised victims across the political spectrum, with notable exceptions including the right-wing Alternative für Deutschland (AfD) party, while explicitly targeting members of Chancellor Angela Merkel's Christian Democratic Union (CDU) and other right-wing politicians. Exfiltrated data included names, home addresses, personal email contents, private chat logs, phone numbers, letter scans, and official documents. Between December 2018 and early January 2019, the perpetrator leaked this information through a coordinated Twitter campaign designed as an "Advent calendar," with new data batches released daily.

The Federal Criminal Police Office (BKA) identified a Central Hesse resident after tracing the attacks, with the suspect confessing during initial interrogations to acting alone out of "annoyance over public statements" made by his victims. Investigators confirmed finding no evidence of third-party involvement or foreign intelligence service connections. The suspect, described as a student living with his parents, destroyed his primary computer two days before police executed a search warrant at his residence. Forensic teams recovered a data backup from a file-hosting service and analyzed the destroyed hardware. Authorities also questioned a 19-year-old Heilbronn resident who had communicated with the suspect but found no evidence of collaboration.

Twitter suspended accounts disseminating the leaked data after identifying the coordinated campaign, though the attacker had created over 70 mirrored download links and 161 file mirrors across multiple platforms to circumvent takedowns. Security analysts observed variations in data packaging methods suggesting the leaks occurred through multiple sessions rather than a single operation. The BKA concluded its initial investigation with a press conference scheduled for January 8, 2019, while emphasizing the suspect's limited awareness of his actions' legal consequences despite the sophisticated evasion techniques employed.
