January 4, 2019, updated 08 Jan 2019 8:43am

5 Things We Know about the German Hack, from Porn to Mirrors

A long-running campaign...

By CBR Staff Writer

Today’s revelation of a huge data breach in Germany that exposed the details of nearly 1,000 politicians, including Chancellor Angela Merkel, as well as that of celebrities and journalists, has resulted in a swirl of speculation about the methods and culprits.

Here’s what we know thus far about the German data leaks.

1: Lots of Mirrors

The leak was made with strenuous effort to ensure that the leaked documents can’t easily be taken down. There are over 70 mirrors of the initial download link alone, while each of the 40 download links has another 3-5 mirrors.

Each of the tens of thousands of files uploaded appears to have its own or indeed multiple mirrors; something that would have taken a huge amount of manpower.

Security researcher “The Grugq” speculated a large team may have been involved: “I’d say that the leak files were not produced at the same time. The changes in layout and naming suggest that it wasn’t one person in one marathon session creating these. There is variation in the archive passwords too: 123, abbreviations, variations…”

2: It’s Not All New …

Some of the stolen data sets date back to 2009 and some of the image files linked to in Pastebin were uploaded in 2017. The cache was released one batch at a time from December 1 to December 24, but only got noticed when the culprits hacked the social network of popular German YouTuber unge and spread the documents there.

Many are new, however: a sample reviewed by Computer Business Review included recent ministerial-level letters to colleagues; others we saw included private letters dating back to 2013. They have been painstakingly organised.

The data initially looks to be largely from private cloud storage and social media accounts rather than a particular official server.

The leaks show extensive data about some politicians, including photos and chat logs, but little on others bar private addresses, phone numbers, Skype and mail addresses as well as semi-public information (e.g. names of relatives); much apparently painstakingly compiled. Outlook accounts, Twitter and Facebook accounts were all hacked.

(Germany’s intelligence services say they only found out on Jan 3 2019.)

3: It’s Bad and About to Get Worse… 

German magazine reporter Julian Ropcke, of the BILD, reported that German MPs have begun to receive threatening messages saying their pornography choices were also stolen and they should “come clean” about their sexual preferences…

He added that perusal of “3 percent” of the data had already revealed “cases of corruption and bad political scandals”. 4chan users were already revelling in some of the scandals today, from sexual proclivities to Wikipedia edits by politicians.

4: Two Twitter Accounts Used

Two Twitter accounts @_0rbit and @_0rbiter were used to distribute the material.

@_0rbit was created in February 2015, had over 18k followers, and had previously made 2.7k Tweets but deleted them all in June 2017, researcher Luca Hammer noted.

The account owner said they were in Hamburg, but the culprits now claim to be based in Luxembourg… Their likes suggest right-wing sympathies.

5: Someone Got Left Out…

The leak includes data on 405 CDU-CSU politicians, 294 SPD politicians, 105 Greens, at least 82 Left party members and 28 FDP MPs, with nearly 1,000 local, national and European level lawmakers exposed. Notably absent: right wing AfD members.

Caitlin Huey, senior threat intelligence analyst at EclecticIQ, told Computer Business Review in an emailed statement: “The evidence suggests that an organisation with far-right leaning may have the strongest motivation for the leak. It could also be speculated that this was a response to the explosive that was detonated in front of one of the AfD offices yesterday. However, there is nothing conclusive at this time, and even obvious evidence can sometimes point towards a false-flag campaign.”

Our prediction: the culprit is going to get caught, fast.

