Enlarge image
BSI in Bonn: »A special IT threat situation«
Photo: Andreas Rentz/ Getty Images
In view of the war in Ukraine, German security authorities are fearing further cyber attacks that could also affect German targets.
The Federal Office for Information Security sent the third warning letter to companies and authorities on Thursday - it rates the current IT threat situation in the country with the second highest warning level "orange".
The specific reason was the Russian invasion and previous cyber attacks on Ukrainian targets.
The day before the invasion, there were new overload attacks (»Distributed Denial of Service«, DDoS for short) on the websites of two Ukrainian banks as well as ministries and parliament.
As with previous DDoS attacks on Ukraine, so-called wipers were also found on Ukrainian computers at the same time - these are malicious programs that delete data and can thus render computers unusable.
As with a wave of wiper attacks in January, the malware is probably not in a position to spread itself any further - this was still the case with NotPetya in 2017, which spread globally from the actual target of the attack, Ukraine, and caused billions in damage.
However, the new wiper was found not only in the systems of Ukrainian banks, but also in service providers of the Ukrainian government in Lithuania and Latvia.
According to the German experts, the attackers used access that they already had: The perpetrators "must have had the appropriate administrator rights and access to central servers," according to the four-page paper.
Apparently there have also been new activities beyond Ukraine since the beginning of the war: "Several NATO partners have seen increased aggressive scanning activities in their networks since today".
These can be preparatory actions for later attacks.
To date, the BSI has not found any abnormalities in Germany and none have been reported to it.
In this respect, the authority “currently sees no changed threat to German bodies”.
»Collateral damage cannot be ruled out«
The first corresponding BSI warning dates from February 4th and was still assigned the warning level "yellow".
The BSI does not anticipate "notable targeted cyber sabotage attacks on targets in Germany," it said, "but from the BSI's point of view, collateral damage outside of Ukraine cannot be ruled out."
As possible scenarios, the authority considered, among other things, self-spreading computer worms such as WannaCry and NotPetya, or attacks on supply chains, which can also be dangerous beyond Ukraine if there are corresponding dependencies.
This is “particularly relevant for companies and organizations that have IT network relationships or communication traffic with Ukrainian authorities”.
Ten days later, the agency raised the alert level to "orange."
There is now "a special IT threat situation" that could intensify in the short term.
The risk of a worm (“self-replicating malware that spreads by exploiting new vulnerabilities in internal networks”), for example, increases if a company or organization uses software “that is common in Ukraine or even of Ukrainian origin”.
In particular, the BSI advised operators of critical infrastructures to ensure that their IT specialists are available in the event of an attack - if necessary also by blocking vacations.
Contingency plans should be reviewed and software updated.
In addition, backup copies of all relevant systems should be created.
At the behest of the Federal Ministry of the Interior, the Federal Office in Bonn has compiled a list of possible support services for Ukraine - from the technical analysis of the malicious code to the development of secure infrastructures.
Federal Foreign Minister Annalena Baerbock (Greens) offered Ukraine help with cyber defense during her first visit there.
Federal Interior Minister Nancy Faeser (SPD) said on Thursday: "We know that cyber attacks are now a common means of conflict situations.
We therefore assume that there is an increased risk of cyber attacks for German bodies as well.
There are currently no concrete indications of cyber attacks against German authorities."
Meanwhile, the hacktivist group Anonymous intervened in the conflict, announcing a “cyber war” and hacks against Russian targets via Twitter.
On the night of Friday, they apparently managed to make the website of the Russian state broadcaster RT News temporarily unavailable.
"The Anonymous collective has shut down the website of the Russian propaganda channel RT News," one of the hacktivist Twitter accounts said.
