Building of the Federal Office for the Protection of the Constitution in Cologne: »Cyber espionage campaign by the cyber attack group APT 27«
The Federal Office for the Protection of the Constitution warns of a new wave of hacker attacks from China on German companies.
According to a circular from the Office for the Protection of the Constitution, which is available to SPIEGEL, the agency has "findings about an ongoing cyber espionage campaign by the cyber attack group APT 27."
The German services are convinced that behind the label APT 27 stands a Chinese hacker group, also known as "Emissary Panda".
In the past, it has already been held responsible for attacks on Western government agencies.
The Office for the Protection of the Constitution warns that it is currently observing an "increase in attacks against German targets" by this group.
According to SPIEGEL information, the attackers are targeting companies from the pharmaceutical and technology sectors, among others.
In individual cases, the attacks are said to have already been successful and data stolen.
According to the Office for the Protection of the Constitution, it cannot be ruled out that the perpetrators, "in addition to stealing business secrets and intellectual property", could also try to penetrate the networks of the affected companies' customers and service providers.
Such supply chain attacks allow several downstream companies to be compromised with a single intrusion.
According to the Office for the Protection of the Constitution, the perpetrators use malware called "HyperBro" for their attacks and, among other things, exploit vulnerabilities in the software ADSelfService Plus from the Indian manufacturer Zoho.
Companies use this software to manage and reset access to important company accounts and cloud services.
The attackers also attempted to gain access to their victims' systems using a vulnerability in Microsoft Exchange.
German authorities have repeatedly warned about this serious vulnerability, which has been publicly known since March 2021.
Nevertheless, months later, apparently not all companies have reacted and patched it.
With its circular, the German Office for the Protection of the Constitution also published numerous technical details, including a list of IP addresses that are said to belong to the control servers for the malware and a list of indicators that point to an infection.
On the one hand, publishing such information is meant to help IT experts detect and ward off attacks.
On the other hand, authorities often tie this to a strategic message to the attackers: their methods have been uncovered and are being tracked.
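The following is an added illustration of how defenders typically use an indicator list of the kind described above; it is not from the circular and not SPIEGEL's code. The indicator entries and the proxy log lines are constructed placeholders (RFC 5737 TEST-NET ranges), not the real addresses published by the authority. The script parses a Squid-like access log, extracts the destination IP of each request, and reports every line whose destination falls inside a listed address or CIDR block.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed placeholder indicators standing in for the published C2 list.
# TEST-NET ranges (RFC 5737) are used so nothing here points at a live host.
IOC_C2_ADDRESSES = [
    "192.0.2.10",          # single address (treated as /32)
    "192.0.2.11",
    "198.51.100.0/28",     # CIDR block covering 198.51.100.0-.15
]

# Constructed sample proxy log, one request per line:
# <epoch> <client-ip> <method> <target> <status>
SAMPLE_LOG = """\
1640995200.101 10.0.5.23 CONNECT 203.0.113.5:443 200
1640995260.402 10.0.5.23 GET http://192.0.2.10/update.bin 200
1640995321.007 10.0.7.8 POST http://198.51.100.3:8080/api 200
1640995400.550 10.0.9.1 GET http://198.51.100.40/index.html 200
1640995470.220 10.0.5.23 CONNECT mail.example.test:443 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<target>\S+)\s+(?P<status>\d+)$"
)
# Optional scheme, then a host which is either a bracketed IPv6 literal or
# everything up to the first ':' or '/'.
HOST_RE = re.compile(r"^(?:[a-z]+://)?(?P<host>\[[^\]]+\]|[^/:]+)")


@dataclass
class Hit:
    line_no: int
    client: str
    dest_ip: str
    indicator: str


def compile_indicators(entries):
    """Turn plain addresses and CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def extract_dest_ip(target):
    """Return the destination IP literal of a request target, or None for hostnames."""
    m = HOST_RE.match(target)
    if not m:
        return None
    host = m.group("host").strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname, not an IP literal; would need DNS resolution logs


def scan_log(text, indicators):
    """Match every parseable log line's destination against the indicator list."""
    nets = compile_indicators(indicators)
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ip = extract_dest_ip(m.group("target"))
        if ip is None:
            continue
        for net in nets:
            if ip in net:
                hits.append(Hit(n, m.group("client"), str(ip), str(net)))
                break
    return hits


def affected_clients(hits):
    """Internal hosts that contacted at least one listed address, for triage."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG, IOC_C2_ADDRESSES):
        print(f"line {h.line_no}: {h.client} -> {h.dest_ip} matches {h.indicator}")
    print("clients to triage:", affected_clients(scan_log(SAMPLE_LOG, IOC_C2_ADDRESSES)))
```

Hostname targets are deliberately skipped rather than resolved at scan time: resolving them would both leak the investigation to the operator of the domain and give an answer that may differ from what the client saw when the request was made. Matching on CIDR blocks as well as single addresses matters because published lists frequently mix both forms.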
The Office for the Protection of the Constitution has been warning of attacks from China for some time
Last year, the Office for the Protection of the Constitution warned of an increase in China's hacker attacks on German politicians and parties.
"Reconnaissance activities by Chinese cyber attack groups in political offices in Germany are currently increasing," said a confidential report by the authority for the conference of interior ministers.
These attempts to attack were directed "against members of parliament and private e-mail accounts of political groups".
E-mail accounts and websites of parties are also affected, as well as the e-mail addresses of employees of the federal administration and the armed forces.