Last week, German media, including newspaper Bild and broadcasting company RBB, reported on a breach in German Parliament, which resulted in the exposure of thousands of private and confidential files to the general public. Here is our summary of the breach, including details about the attacker and a first-hand look at the data that was stolen.
Details of the breach began to unfold in early December 2018. At this time, Twitter account G0d (@_0rbit) published, in a daily manner, links containing sensitive documents, personal information of politicians and media figures. The information was also posted to a personal blog belonging to @_0rbit.
Figure 1: G0d (@_0rbit) Twitter Profile
The severity of leaked information gradually increased, beginning with private information of celebrities and media figures, but later scaled to the personal data of members of political parties. Affected parties included Christian Democrats, Christian Social Union, Social Democrats, Free Democratic party, Bavarian sister party, the Left party and Greens.
Since publishing the leaked information, Twitter has taken down the posts and the profile, however, the IntSights platform scraped the data prior– enabling us to obtain the original files before they were taken down.
Figure 2: @_0rbit Blog
As soon as the leaked files were obtained, our team began to analyze the compromised data, which varies from mere names and phone numbers, to full PII dumps including IDs, email contents, Facebook contents, phone activity, accounting information etc.
The documents also vary from publicly available to confidential, but a majority of the information is of private nature, years old and does not contain details of political agendas. This likely means that the data was gathered from several sources and not from one big database.
Figures 3-5: Leaked Documents
Who Was Behind the Attack?
While there is currently no proof of who planned and performed the hack, some of the files in the leak reference @NfoR00t – a hacker with a history of doxing and defacing. Knowing this, it is likely that @NfoR00t is the same person behind @_0rbit. Additional aliases could include:
- 'r00t OF 0rbit'
Figure 6: Hacker's Signature from Leaked Files
Figure 7: NfoR00t AKA Nullr0uter
The first evidence of the hacker’s activities dates back to the summer 2015 when he published DOXing of well-known YouTube personalities.
At this time, it is still unclear as to how the hacks have been made, but the IntSights team will continue to investigate the situation and publish further results accordingly.
UPDATE: Suspect Arrested in Germany Data Leak
A 20-year-old man has been arrested on suspicion of being responsible for the German government data breach. Read more here.