My Take on the Massive Data Leak Affecting German Politicians and Public Figures

Florian Roth
7 min read · Jan 6, 2019

On Friday the 4th, reports of a massive data leak affecting hundreds of German politicians and public figures hit the news. As someone with a good overview of politics and cyber activity in Germany, I’d like to state some facts and explain what I think happened and led to this massive leak of private and confidential data.

The Facts

  • A Twitter user with the handle $_0rbit leaked data of political parties and public figures on each day of December 2018, in the form of a Christmas calendar.
  • Back then the account was followed by a lot of accounts that look like bots, and no one noticed its activity.
  • The data was distributed on over 70 paste sites and file sharing platforms.
  • It looks as if the leaker tried to distribute the information to as many sites as possible to make it more difficult for the authorities to remove all of it.
  • A first paste contained a table of contents linking to other pastes and to mirrors of these pastes. The text contained personal information like phone numbers, credit card data and addresses, and it linked to archives or images on many different file sharing sites.

The leaked data contains:

  • Direct victims (30+): Detailed personal information, documents and message archives of some of the affected victims. These data sets include: private phone numbers, private email addresses, home addresses, bank data, credit card data, private chat messages (Facebook, WhatsApp), documents, private email archives, ID and passport scans (front, back) of the victim and often his/her spouse and children.
  • Indirect victims (200+): Some personal information like phone numbers, private email addresses, some chat archives, some emails. This data has most likely been extracted from the data of the directly compromised accounts.
  • Politicians from all major German political parties except the conservative Alternative for Germany (AfD) were targeted in the leaks.
  • Public figures were also affected. Some of these public figures are related to the German public-service broadcaster ARD and its youth and YouTube channel called “Funk”. Others are just random German YouTube “stars” that I haven’t been aware of.

Speculation

Hacktivism is Improbable

The extent of the leak is massive. It affects hundreds of victims. Although only a subset of the victims have actually been compromised, it is a big subset. This cannot be accomplished with brute force methods, and targeted phishing campaigns with this success rate and extent are less likely to be performed by a hacktivist or hacktivist group.

Platform Hack is Improbable

A platform hack, e.g. access to personal data of a victim on only one of the major social media platforms like Facebook or Twitter, would grant an attacker access to the private messages of the affected users. They wouldn’t get access to the clear text credentials of the users in order to access other services like the user’s Microsoft OneDrive or Dropbox.

Sure — some users actually did send their bank account data including password and pushTAN via Facebook messages to family members, but it is highly unlikely that all(!) of the directly compromised victims shared clear text passwords to their cloud storage providers via one of the social media platforms.

Compromised OAuth tokens are still a possibility. I haven’t checked if services like OneDrive or Dropbox offer logins with Facebook, Google and the like.

Contents Provide No Timeline

People said that some private messages, documents and contact data are of a more recent date (2017/2018) and that the leak therefore couldn’t be the result of earlier attacks.

I cannot follow that argument. An attacker that gained access to credentials in 2015 can use these credentials for as long as the user doesn’t change their password, can’t they?

The Most Likely Explanation

The most likely explanation from my point of view is a scenario in which most or even all of these directly compromised victims used the Internet connection of a compromised network.

We all know that users reuse the same passwords for many different services, so a single unencrypted POP3 email login would have been enough to compromise not just the user’s email account but also their social media and cloud storage accounts. Furthermore, SSL/TLS certificate warnings are often disregarded by users, which means that a single accepted, untrusted SSL certificate presented in an intercepted connection could have led to sniffed credentials in secured connections like HTTPS or IMAP+SSL as well.
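The credential-sniffing path described above (a POP3 or IMAP login sent before any TLS was negotiated) is exactly the kind of thing a network sensor or a mail-client audit can flag. The Python below is an added example, not code from the original post: it walks constructed client-side mail session transcripts and reports logins that crossed the wire unencrypted. The sample sessions, the port list and the transcript format are assumptions.

```python
import base64
import re

IMPLICIT_TLS_PORTS = {993, 995}   # assumed: IMAPS / POP3S, encrypted from the first byte
IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+\S+", re.IGNORECASE)


def cleartext_logins(port, client_lines):
    """Return (protocol, username) pairs that were sent before TLS was up.

    client_lines are the client's commands in order, as a sensor would log
    them. Only the username is reported, never the password itself.
    """
    if port in IMPLICIT_TLS_PORTS:
        return []                              # whole session is encrypted
    exposed, encrypted = [], False
    for line in client_lines:
        cmd = line.strip()
        upper = cmd.upper()
        if upper == "STLS" or upper.endswith(" STARTTLS"):
            encrypted = True                   # later commands are protected
        elif encrypted:
            continue
        elif upper.startswith("USER "):        # POP3 USER/PASS in the clear
            exposed.append(("pop3", cmd.split(None, 1)[1]))
        elif upper.startswith("AUTH PLAIN "):  # base64 is encoding, not encryption
            try:
                parts = base64.b64decode(cmd.split(None, 2)[2]).split(b"\0")
                exposed.append(("sasl-plain", parts[1].decode(errors="replace")))
            except (ValueError, IndexError):
                exposed.append(("sasl-plain", "<undecodable>"))
        else:
            m = IMAP_LOGIN.match(cmd)          # IMAP "tag LOGIN user pass"
            if m:
                exposed.append(("imap", m.group(1)))
    return exposed


# Constructed sample sessions (port, client commands); not real captures.
SAMPLES = {
    "pop3_cleartext": (110, ["USER alice@example.org", "PASS hunter2", "QUIT"]),
    "pop3_stls": (110, ["STLS", "USER bob@example.org", "PASS s3cret", "QUIT"]),
    "imap_cleartext": (143, ["a1 LOGIN carol@example.org p4ss", "a2 SELECT INBOX"]),
    "imaps_implicit": (993, ["a1 LOGIN dave@example.org p4ss"]),
    "pop3_auth_plain": (110, ["AUTH PLAIN " + base64.b64encode(b"\0erin@example.org\0pw").decode()]),
}


def audit(samples=SAMPLES):
    """Map session name -> list of exposed logins (empty list means clean)."""
    return {name: cleartext_logins(port, lines) for name, (port, lines) in samples.items()}
```

Only the two sessions that negotiated TLS (explicitly via STLS, or implicitly via port 993) come back clean; every other login would have been readable by anyone controlling the network path.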

With access to the user’s private email box, attackers would even have been in a position to reset the passwords of other accounts that used different passwords or were not findable as clear text credentials in the mailbox itself. However, this kind of activity should have raised the suspicion of the users, as their apps would have requested a new authentication and logins with the old password would have failed.

This could be an aftershock of the attack on the German parliament in 2015, as some journalists have already speculated in their articles. This would also explain why the conservative AfD was spared, as it wasn’t represented in the German parliament until 2017. But it could also be the result of an intrusion set similar to DarkHotel — compromised Wi-Fi access points, hotel routers in Berlin near the parliament, a conference hotel, Wi-Fi in the Berlin train station etc.

I don’t have any evidence to prove the theory of a compromised network. I just think that a phishing attack of that quality and extent cannot be carried out by a hacktivist or hacktivist group without external help (address data from previous campaigns and high-grade tooling).

Update 1 — 06.01.2018 / 10:00am

I’d like to add some objections raised against my notes, and my replies to them.

Platform Attack: “what if OAuth tokens were used”

Yes, possible. I haven’t checked if a compromised OAuth token could have been used to access data in Dropbox or OwnCloud.

Phishing: “seems more like a simple phishing attack”

Yes, possible, but I consider it less likely. In the case of an untargeted phishing attack, how many victims do you need so that 30+ of the 700 members of parliament are in that set? Answer: the number is huge. In the case of a targeted phishing attack, where did you get the private email addresses of so many politicians from different parties? (Maybe from an attack like the one in 2015, where attackers had been inside a network with all the victims.) And how does a targeted phishing attack on so many politicians stay unnoticed = uninvestigated = untreated? I don’t say that this can’t be the result of a phishing attack, but I doubt the scenario in which a German hacktivist group carried out a phishing attack against so many MPs without external help in the form of private email address lists of parliament members.

“The FDP was also not represented in the Parliament in 2017”

Yes, correct. But they had been part of the Bundestag and the regional parliaments for many decades. It is not unusual for them to visit the parliament frequently for meetups, conferences, or coffee with other representatives and friends. Only a few (2–4) FDP politicians were directly affected. All the others had “only” their private contact data leaked.

Update 2 — 06.01.2018 / 2:45pm

After talking to someone who has reviewed the leaked data, it seems that all the mentioned documents could have been extracted from the victims’ mailboxes. The fully compromised accounts that had personal data like passport scans, private contracts, credit card data and bank account information leaked had all of this information in their clear text email messages.

This means that the extent of the breach could have been more limited and didn’t necessarily involve the Dropbox or OwnCloud accounts of the victims.

In the case of a hacktivism & phishing scenario, I have to admit that the amount of effort and the level of skill are unprecedented for a German actor. We always joked that we would name our first relevant German actor “Devious Dachshund”.
