The Limited Times

Phishing emails: is Belarus behind hacking attempts against German MPs?

2021-11-16T17:27:26.860Z


Before the general election, numerous parliamentarians received phishing emails. The German government accused Russia's secret service GRU - but the IT security company Mandiant has come to a different conclusion.


Who is behind the phishing emails to German MPs?

Mandiant speaks of "recently obtained technical evidence" (symbol image)

Photo: Kacper Pempel / REUTERS

It was an unusually clear statement from the Foreign Office: In September, a few weeks before the federal election, the ministry explicitly blamed the Russian military intelligence service GRU for a hacker campaign against German MPs. Unknown people tried to use phishing emails to gain access to the private email accounts of members of the Bundestag and Landtag.

"The German government urges the Russian government to stop these illegal cyber activities with immediate effect," said a spokeswoman at the time.

The Federal Public Prosecutor began investigations, and a little later the EU member states explicitly backed the federal government.

The move was remarkable because it is fundamentally difficult to attribute such hacking attempts so clearly to anyone.

The German authorities must therefore have had reliable evidence.

It is all the more astonishing that the American IT security company Mandiant is now locating the backers elsewhere: in Belarus.

"Technical evidence from sensitive sources"

Mandiant, which was still part of the FireEye company in the summer, discovered the hacking and disinformation campaign in 2020 and called it "Ghostwriter". At that time, the experts themselves still wrote that "Ghostwriter" was "in line with Russian security interests". According to them, the campaign was primarily meant to spread anti-NATO stories, mainly in Lithuania, Latvia and Poland. Among other things, the perpetrators hacked reputable websites and uploaded invented content there. In Poland, however, they also hijacked the Twitter account of a leading politician in the ruling conservatives and posted photos of a fellow party member in underwear, whose account or cell phone they had apparently also hacked.

In April of this year, Mandiant's security experts went a step further. "Recently obtained technical evidence" led to the conclusion, the company wrote, that "behind at least some parts of the Ghostwriter activities" was a group called UNC1151 - "an allegedly state-supported espionage group." Which state remained unclear.

What led the German authorities to conclude that it must be Russia is not publicly known. Why Mandiant is now pointing to Belarus is known, but only in rudimentary form. In a blog post published on Tuesday, which SPIEGEL got to see in advance, the US company remains vague on one important point. It writes: "Technical evidence from sensitive sources suggests that the UNC1151 actors are likely to be in Minsk." Several sources linked the group's activity with people in Belarus, and further technical evidence suggested a link between UNC1151 and the Belarusian military. Mandiant was able to obtain this evidence directly, but it was also confirmed by an external party.

The company does not reveal what this evidence is supposed to be, not even when asked.

Benjamin Read, head of cyber espionage analysis at Mandiant, only told SPIEGEL that the evidence matched what the political analysis had revealed.

Let everyone draw their own conclusions from this.

It is understandable that intelligence services do not disclose their methods of obtaining information; after all, nobody should receive any information on counter-espionage.

On the one hand, the fact that an IT security company remains so vague in this case suggests extraordinary sources and methods that may need to be protected.

On the other hand, one must now either believe Mandiant's alleged evidence unseen, or not.

As for the political level, Mandiant is more open.

A whole series of indications speak in favor of the Belarus thesis, including this: Most of the targets of the "Ghostwriter" campaign - which also included Belarusian opposition figures and journalists - had strained relations with the government in Minsk.

Most of the countries in which the "Ghostwriter" campaign was registered are in the immediate vicinity of Belarus.

There are no government targets within the country, but none within Russia either.

State television in Belarus also noticeably often adopts the narratives known from the disinformation campaign, and sometimes falls back on sources attributed to the environment of "Ghostwriter".

German authorities are unimpressed

Not everything that is known about the campaign fits this picture perfectly.

The phishing attempts against German politicians, for example.

“We saw attempts to obtain access data from German parliamentarians. But unlike in Poland, for example, we did not observe any open information operation in Germany,” admits Read, meaning no dissemination of manipulative content.

Nevertheless, Mandiant is convinced that UNC1151 is also behind the hacking attempts in Germany.

He also attaches importance to the statement that he “cannot rule out Russian involvement”.

It is "plausible" that both states are involved.

But the company wants to ensure that its own findings become part of the debate.

The Federal Government has "taken note of" the analysis, but apparently nothing has changed in its own assessment.

It continues to believe that Russia is primarily responsible for the hacking campaign.

According to the German government, this attribution "expressly does not exclude the possibility of other actors participating in the campaign."

Source: spiegel
