
Digital Attack on German Parliament

A short overview of the cyber-attack on the German Bundestag based on leaked documents by netzpolitik.org


Bundestag Dome (Photo credit: marfis75 via Foter.com / CC BY-SA)

In May 2015 the German press reported on a cyber-attack on the IT infrastructure of the German Bundestag. A year later, in spring 2016, netzpolitik.org published internal documents that give an impression of how the IT infrastructure was compromised. This blog post sums up the attackers' methods and the countermeasures that were initiated, and gives a short summary of the event. It also gives a brief overview of the departments of the German Bundestag that were involved in handling the attack.

The German Bundestag

The German Bundestag is the national Parliament of Germany. Within the German Bundestag there are many departments with different responsibilities. One of these departments is the council of elders (“Ältestenrat”) which forms five commissions for the current election period. One commission named “IuK” is responsible for information and communications technologies within the Bundestag and advises the members of parliament. Most of the information given in this blog post has been discussed by members of the IuK commission in six different sessions from May until December 2015.


Overview of the relevant departments in the German Bundestag involved in handling the attack.

Independent of the council of elders are five IT departments responsible for different tasks such as client hardware and software support, IT security, or network technologies within the Bundestag. All IT services are part of the Bundestag administration, which is divided by responsibility into different services. The administration employs about 2700 people and is responsible for all important decisions that concern the Bundestag.
Besides the German Bundestag there are other high federal authorities, such as the German Chancellery, which are connected through a network named IVBB (“Informationsverbund Berlin-Bonn”). This network is administered by the Federal Office for Information Security (BSI) and by external companies commissioned by the BSI. Due to the separation of powers, the BSI (executive) has no authority within the German Bundestag (legislature) and vice versa.

Technical infrastructure

It should be noted that all members of parliament enjoy indemnity, meaning they have the right to organize themselves and to build their own administration and IT structures. At the same time the IT department is not allowed to access their clients or any of their data without permission. One could say the members of parliament act like an independent company within the German Bundestag. At the time of the attack, the German Bundestag had an Active Directory domain with about 20,000 clients. Nearly every client in the “Parlakom” network was running Windows and was administered by the IT department.

Attack

In preparation for the attack, the attackers compromised various servers around the world to use them as command and control servers at a later stage of the attack. In parallel they observed the browsing behaviour of several users of the Bundestag network in order to carry out a watering hole attack against them. With the information gathered, the attackers compromised regularly visited websites and developed malicious code to compromise the clients. After successfully compromising several clients they started to scale horizontally within the Parlakom network, compromising about 25 systems in 16 offices in total by using RDP (Remote Desktop Protocol). Because the members of parliament did not have local administrator rights, the attackers used the open source tool “mimikatz” to extract the password of a local administrator account that was used for software distribution. To make sure the malicious code could not easily be removed from the compromised clients, the attackers recompiled a process named “svchost.exe”. This process handles various operating system tasks in Windows and is a vital component that cannot easily be removed.

The attackers had created a solid basis to work from, knowing that they could not easily be locked out again. They then started to scale vertically (from less important to critical systems) and attacked the Active Directory server using a “Kerberos Silver/Golden Ticket Attack”. Some sources also claim that users of the compromised clients already had full administrative rights in the Active Directory domain.

Independently of the attack on the domain service, the attackers managed to compromise five of the six administrator accounts in the Active Directory. They used these accounts to create further administrator accounts to make sure they could not be locked out again.
From then on the attackers no longer had to fear being caught. They searched for email archives (“.pst” and “.ost” filename extensions) and documents (“.doc” and “.docx” filename extensions) and transferred 16 GB of data to nine different command and control servers worldwide.

Countermeasures

The attack was noticed by a British company that wondered why private data from the German Bundestag was on its web server and informed the Federal Office for Information Security (BSI). The BSI and several external companies advised the internal IT department and the IuK commission. The IT department increased the log level and searched for anomalies within the network to identify compromised systems. They detected an overloaded server with unusual connections to clients in different offices and started to take a closer look at those clients.
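The two indicators described above, lateral RDP movement from one host into clients in many offices (Attack section) and a tampered “svchost.exe” running from an unexpected location, can be hunted for in collected logon and process data. The script below is an added example, not code from the original post or from the Bundestag IT department; the log lines, host names, account names and paths are constructed samples, and the office-count threshold is an assumption.

```python
"""Hunt for two indicators from the Bundestag incident: (1) one source host
opening RDP sessions (logon type 10) to clients in many different offices,
(2) a binary named svchost.exe running outside the Windows system directories."""
import re
from collections import defaultdict

# Constructed Windows logon records (event 4624; LogonType 10 = RemoteInteractive/RDP).
LOGON_LINES = """\
2015-05-04T08:02:11 EventID=4624 LogonType=10 Src=WS-OFFICE12-03 Dst=WS-OFFICE01-07 User=swdist
2015-05-04T08:03:40 EventID=4624 LogonType=10 Src=WS-OFFICE12-03 Dst=WS-OFFICE04-02 User=swdist
2015-05-04T08:05:02 EventID=4624 LogonType=10 Src=WS-OFFICE12-03 Dst=WS-OFFICE09-01 User=swdist
2015-05-04T08:06:19 EventID=4624 LogonType=10 Src=WS-OFFICE12-03 Dst=WS-OFFICE16-05 User=swdist
2015-05-04T09:10:00 EventID=4624 LogonType=10 Src=ADMIN-PC-01 Dst=WS-OFFICE03-02 User=helpdesk
2015-05-04T09:12:30 EventID=4624 LogonType=2 Src=WS-OFFICE03-02 Dst=WS-OFFICE03-02 User=mdb
"""
LOGON_RE = re.compile(r"EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
                      r"Src=(?P<src>\S+) Dst=(?P<dst>\S+) User=(?P<user>\S+)")
OFFICE_RE = re.compile(r"OFFICE(\d+)")  # office number is encoded in the host name (assumption)

def rdp_fanout(lines, office_threshold=3):
    """Return {src: set(offices)} for hosts whose RDP logons reach clients
    in at least `office_threshold` distinct offices (threshold is an assumption)."""
    offices = defaultdict(set)
    for line in lines.splitlines():
        m = LOGON_RE.search(line)
        if not m or m["event"] != "4624" or m["ltype"] != "10":
            continue  # only successful interactive RDP logons are of interest
        office = OFFICE_RE.search(m["dst"])
        if office:
            offices[m["src"]].add(office.group(1))
    return {src: offs for src, offs in offices.items() if len(offs) >= office_threshold}

# Constructed process inventory: (host, full image path of a running process).
PROCESSES = [
    ("WS-OFFICE01-07", r"C:\Windows\System32\svchost.exe"),
    ("WS-OFFICE04-02", r"C:\Users\Public\svchost.exe"),
    ("WS-OFFICE09-01", r"C:\Windows\SysWOW64\svchost.exe"),
    ("WS-OFFICE16-05", r"C:\ProgramData\Update\svchost.exe"),
]
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def masquerading_svchost(procs):
    """Hosts where an image named svchost.exe runs from a non-system directory."""
    hits = []
    for host, path in procs:
        p = path.lower()
        if p.endswith("\\svchost.exe") and not p.startswith(LEGIT_DIRS):
            hits.append(host)
    return hits
```

The fan-out check would have surfaced the single software-distribution account hopping between offices; the path check only catches a copy of svchost.exe dropped elsewhere, so a replaced binary in System32 additionally needs hash or signature verification.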

At the same time the German press published information about a cyber-attack on the German Bundestag, so by then the attackers were surely aware that they had been detected. To prevent the attackers from evading the countermeasures, all compromised clients were disconnected from the network and most of the network traffic was routed through the IVBB network in order to block all known command and control servers. In addition all 20,000 clients were shut down to allow a thorough analysis and to remove infected objects from the Active Directory domain.

In the medium term the BSI and the internal IT department decided to create a new Active Directory domain and to move all objects there after a security check. During the summer break an external company was commissioned to create the new Active Directory domain in accordance with the Microsoft Enterprise Architecture guidelines. Furthermore, a malware prevention system was launched to block known malware-hosting websites and command and control servers.

In the long term, further measures to make the network more secure were discussed in the IuK commission (e.g. network segmentation into different security zones, software whitelisting, log and patch management systems, and many more).

Conclusion

Konstantin von Notz is a member of the German Bundestag and summed up the attack pretty accurately:

The German Bundestag was extremely overwhelmed while fending off the attack and had to rely on third parties to do so.

translated from German into English

In January 2016 the Federal Prosecutor General initiated investigations because of suspicions that a foreign government's intelligence agency was responsible for the attack. Claudio Guarnieri, an independent security expert, studied some of the compromised clients and found hints pointing to a cyber espionage group named Sofacy Group, which is believed to have ties to the Russian government.

Looking back on the attack and asking how to prevent a similarly harmful attack against the German Bundestag in the future leads to the following questions:

  • Should the IT infrastructure of the members of parliament be managed entirely by the internal IT department? If yes, is there a legal way to restrict the indemnity so as to prevent members of parliament from building their own IT structures? Or should the focus be placed on protecting important domain services (as the Microsoft Enterprise Architecture does), accepting that user data on compromised clients can be accessed easily?
  • How can the new IT infrastructure be built in a sustainable and resilient way so that the whole domain is not lost again in a worst case scenario?
  • Because of the separation of powers the BSI had no authority within the German Bundestag and was not allowed to initiate countermeasures itself. There is no legal way to suspend the separation of powers, but how can an efficient cooperation be realized without violating the law, and what are the legal ramifications?
  • The German Bundestag engaged external companies for support. Close cooperation with external companies for information exchange is already state of the art when defending critical infrastructures (CERT). What advantages and disadvantages arise, and how should they be dealt with?
  • The new security measures mainly consist of monitoring and blacklisting known and suspected security threats. But how can the German Bundestag increase the probability of successfully defending itself in case perpetrators employ unknown attack patterns and as yet unknown compromised servers?
