DOCUMENTING HYBRID WARFARE / — incidents / UPDATED LATEST: 
Sabotage Watch SABOTAGEWATCHHybrid Threat Monitor
Cyber

APT28 compromises Germany’s SPD (and other targets)

January 2023 · Berlin, Germany
Satellite Imagery © Esri

What happened

In January 2023, email accounts of the executive committee of Germany's Social Democratic Party (SPD) were compromised in a cyberattack. The SPD disclosed the breach publicly in June 2023, attributing it to exploitation of a previously unknown vulnerability in Microsoft Outlook. According to German government and Federal Office for Information Security (BSI) reporting, the attackers abused the Outlook flaw tracked as CVE-2023-23397, which allowed hashed Windows credentials to be captured without user interaction and reused to access mailboxes. The intrusion against the SPD headquarters formed part of a wider campaign that the German Federal Ministry of the Interior says had been running since at least March 2022, with SPD emails accessed from around December 2022.

On 3 May 2024, following a formal attribution process led by the Federal Foreign Office and involving Germany's intelligence services, Foreign Minister Annalena Baerbock said the government could 'attribute this cyberattack to a group called APT28, which is steered by the military intelligence service of Russia,' calling it 'absolutely intolerable and unacceptable.' The Federal Ministry of the Interior traced the activity to APT28 and the Russian military intelligence agency GRU. Germany said the same campaign also targeted German companies in the logistics, defence, aerospace and IT sectors, as well as entities linked to Russia's war in Ukraine. APT28 was previously held responsible for the 2015 cyberattack on the German Bundestag.

Germany summoned the acting Russian chargé d'affaires in Berlin and later recalled its ambassador to Moscow for consultations. The European Union, NATO and partners condemned the campaign. NATO noted that the same actor had also targeted government entities and critical infrastructure in Lithuania, Poland, Slovakia and Sweden, and that Czechia had been targeted in parallel. Russia rejected the accusations as unsubstantiated.

Assessment

The attribution rests on an official German state assessment, publicly endorsed by the EU and NATO, rather than independently adjudicated evidence; Russia denies involvement. Even so, the multilateral backing and APT28's documented history of targeting Western political institutions lend it credibility. The case fits a recognised pattern of GRU cyber-espionage against democratic parties and defence-related industry, timed around the 2024 European elections. The compromise of a governing party's leadership communications, and the diplomatic recall that followed, mark a notable hardening of Germany's posture toward Russian hybrid operations.

This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.