IntSights' Blog

IntSights’ Findings on the German Government’s Data Breach

by Andrey Yakovlev / January 8, 2019

Last week, German media, including newspaper Bild and broadcasting company RBB, reported on a breach in German Parliament, which resulted in the exposure of thousands of private and confidential files to the general public. Here is our summary of the breach, including details about the attacker and a first-hand look at the data that was stolen.

Breach Timeline

Details of the breach began to unfold in early December 2018. At this time, Twitter account G0d (@_0rbit) published, in a daily manner, links containing sensitive documents, personal information of politicians and media figures. The information was also posted to a personal blog belonging to @_0rbit.

German-Government-Breach-Twitter-ProfileFigure 1: G0d (@_0rbit) Twitter Profile

The severity of leaked information gradually increased, beginning with private information of celebrities and media figures, but later scaled to the personal data of members of political parties. Affected parties included Christian Democrats, Christian Social Union, Social Democrats, Free Democratic party, Bavarian sister party, the Left party and Greens.

Since publishing the leaked information, Twitter has taken down the posts and the profile, however, the IntSights platform scraped the data prior– enabling us to obtain the original files before they were taken down.

German-Government-Breach-Attacker-BlogFigure 2: @_0rbit Blog

As soon as the leaked files were obtained, our team began to analyze the compromised data, which varies from mere names and phone numbers, to full PII dumps including IDs, email contents, Facebook contents, phone activity, accounting information etc.

The documents also vary from publicly available to confidential, but a majority of the information is of private nature, years old and does not contain details of political agendas. This likely means that the data was gathered from several sources and not from one big database.



German-Government-Breach-Leaked-Document3Figures 3-5: Leaked Documents

Who Was Behind the Attack?

While there is currently no proof of who planned and performed the hack, some of the files in the leak reference @NfoR00t – a hacker with a history of doxing and defacing. Knowing this, it is likely that @NfoR00t  is the same person behind @_0rbit. Additional aliases could include:

  • G0d@_0rbit
  • 'r00t OF 0rbit'
  • nullr0uter
  • r00taccess
  • NFOr00t
  • jitachi
  • dennis567
  • p0wer

German-Government-Breach-Attacker-SignatureFigure 6: Hacker's Signature from Leaked Files

Figure 7: NfoR00t AKA Nullr0uter

The first evidence of the hacker’s activities dates back to the summer 2015 when he published DOXing of well-known YouTube personalities.

At this time, it is still unclear as to how the hacks have been made, but the IntSights team will continue to investigate the situation and publish further results accordingly.

UPDATE: Suspect Arrested in Germany Data Leak
A 20-year-old man has been arrested on suspicion of being responsible for the German government data breach. Read more here

Subscribe to the IntSights blog to stay up to date on the latest news and best practices!

Tags: Cyber Crime Data breach Industry News

previous post Our Top Blog Posts of 2018
Next Post The Dark Side of Acquisitions: How Marriott May Have Avoided Their Data Breach
Andrey Yakovlev

Andrey Yakovlev

Andrey Yakovlev is a Security Researcher at IntSights, focused on intelligence hunting from the Russian Dark Web. He is an experienced professional with over 6 years of experience in the cyber security field. Andrey specializes in threat discovery, computer forensics and behavioral analysis of Trojans.