January 4, 2019. Germany awoke to a media storm. Personal data, emails, phone numbers, and private, financial and even family information of a litany of public figures had suddenly appeared online. Among those affected were hundreds of politicians (including Angela Merkel and President Frank-Walter Steinmeier), journalists (Hajo Seppelt), comedians (Jan Böhmermann), and even representatives of NGOs. Only one group was excluded from the leak: the German extreme right.
For the Federal Criminal Police Office (BKA), one thing was quite clear: not only had the cyberattack been deliberately prepared, but it was also a group effort. A data leak of such magnitude could only be the work of a large group of cybercriminals. Something like this couldn’t be pulled off by an amateur; it had to be someone with intricate knowledge of engineering, IT, hacking and cyberwar.
A 20-year-old: the brains behind the attack
Nevertheless, the BKA’s investigation led to a somewhat more surprising conclusion: the person arrested for leaking all this data was neither the head of some international organization nor a world expert. Nor was he known to police before this incident. The person taken into custody was “GOd”, a 20-year-old student who still lives with his parents.
His is a striking tale: GOd (his user name on Twitter) had no academic training in IT or cybersecurity. In fact, he was practically self-taught, an amateur cybercriminal who had never attempted anything on this scale before. Moreover, he claims to have acted entirely alone, with no outside help whatsoever.
All of which leaves many questions unanswered: How was an unknown young man able to pull off an operation like this? How could the German government be outsmarted by an amateur? How is it that a country so preoccupied with privacy was so easily embarrassed by this cybercriminal, who was able to pull off one of the greatest cyberattacks in the country’s history?
A country with cybersecurity problems
The attack carried out by GOd exposed some of the conspicuous cybersecurity problems that afflict Germany. The intrusion suffered by its federal government is particularly striking if we bear in mind that the Bundestag is protected with far better security than the average citizen and even many private companies.
The cybercriminal’s method of choice was email, which he used to get his hands on the private, personal data of around 1000 well-known individuals. Using a range of phishing techniques, he infected emails sent to leading members of parliament and other influential people so that he could access all their information.
This situation spotlights the shortcomings of the German parliament with regard to its institutional cybersecurity. In fact, at the start of the year, it was criticized from several sides for its slow handling of the cyberattack. Worse still, this is not the first time that something of this kind has happened: Germany has been suffering serious cyberattacks since 2015. These have mainly arrived through email and, even though the government has changed its cybersecurity strategy, adapting it to the American model, the number of incidents continues to rise.
How to combat cyberwar
If we look beyond the ‘GOd’ incident, several of the recent attacks suffered by Germany originated outside the country. This points to a rising trend: cyberwar and cyber espionage between countries, something that may already have been seen in the US and the UK as well as in countries in Central Asia and the Middle East.
This is why cybersecurity needs to be an absolute priority for governments in developed countries, and why they need to put in place several prevention and response measures:
1.- Endpoint protection. In corporate cybersecurity, we usually say that the weakest link in a company is its employees. It therefore stands to reason that in national cybersecurity, politicians and civil servants are the weak point: the endpoints they use must have appropriate IT security measures in place, and the staff themselves need to be cautious when sending emails or exchanging any kind of information.
2.- Distributed networks. Sensitive government information must not all be stored on the same servers; otherwise, a single intrusion could have catastrophic consequences. As well as diversifying where information is stored, part of it should be kept, wherever possible, on platforms that have no Internet access.
3.- Real-time monitoring. During a cyberattack, each passing second is more costly than the last. Cybersecurity agencies must control and monitor in real time all processes running on their IT systems, something that is made much simpler with an advanced cybersecurity solution such as Panda Adaptive Defense. The best way to counter a threat to national cybersecurity is to know exactly what is happening, and how it is happening. That way, in the event of a cyberattack, it is possible to react as quickly as possible and thus minimize any damage.
The fact is that for some time now, wars have ceased to be waged with conventional weapons alone. Governments that wish to protect themselves against external intrusions must therefore have their own institutional cybersecurity in place. Javier Candau (Head of the Spanish CCN-CERT) explained on this blog the keys for a nation to combat cyberwar: improving detection capabilities; exchanging information between the public and private sectors; agile, 24/7 response; and deterrents.