On January 3, German media, including the newspaper Bild and the broadcaster RBB, reported on a breach affecting the German Parliament that resulted in the exposure of thousands of private and confidential files to the general public.
On January 8, we published our summary of the breach, including details about the attacker and a first-hand look at the data that was stolen. On the same day, German police arrested a 20-year-old man they say was responsible for the massive data leak. The IntSights Threat Research team has continued to research the leak, focusing on whether the hacker acted alone or used an accomplice to gather the data.
Based on our analysis, we believe that the hacker likely paid an accomplice to obtain the data for him, or gained assistance from like-minded, technically-inclined individuals.
Analyzing the timestamp data in the breach shows that the data was collected and gathered throughout 2018. Diving into the files themselves, however, shows that the underlying data originates from a much longer period. For example, some folders in the breach came from smartphone galleries or cloud accounts whose contents date back to circa 2013.
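The distinction drawn above, between when files were written into the leak archive (filesystem timestamps) and when their contents were originally produced (dates embedded in the files, such as EXIF DateTimeOriginal or an email Date: header), can be made systematically. The following Python script is an added example, not code from IntSights or from the original post; it runs over a small constructed inventory of hypothetical file records with made-up paths and dates, and the folder names and timestamp values are assumptions for illustration only.

```python
from collections import Counter
from datetime import datetime

# Constructed sample inventory (not data from the actual leak): one record per
# file, with the filesystem modification time recorded when the archive was
# assembled and, where available, a date embedded in the file's own content
# (EXIF DateTimeOriginal, an email Date: header, a document property).
SAMPLE_RECORDS = [
    {"path": "gallery/IMG_0412.jpg",      "fs_mtime": "2018-03-14T09:12:00", "content_date": "2013-06-02T18:40:11"},
    {"path": "gallery/IMG_0977.jpg",      "fs_mtime": "2018-03-14T09:12:03", "content_date": "2015-09-21T12:05:44"},
    {"path": "cloud/backup/contacts.vcf", "fs_mtime": "2018-07-02T22:30:00", "content_date": "2016-01-10T08:00:00"},
    {"path": "mail/inbox/0001.eml",       "fs_mtime": "2018-11-20T17:45:10", "content_date": "2018-11-18T10:22:31"},
    {"path": "sms/messages.db",           "fs_mtime": "2018-05-30T01:15:00", "content_date": None},
]


def _parse(ts):
    # ISO-8601 string -> datetime; blanks (no embedded date) stay None
    return datetime.fromisoformat(ts) if ts else None


def year_histogram(records, field):
    """Count files per calendar year for one timestamp field, ignoring blanks."""
    return Counter(_parse(r[field]).year for r in records if r.get(field))


def aggregation_lag_days(record):
    """Whole days between the embedded content date and the filesystem mtime,
    i.e. how long before the archive was assembled the item was originally
    created. None when the file carries no embedded date."""
    created = _parse(record.get("content_date"))
    if created is None:
        return None
    return (_parse(record["fs_mtime"]).date() - created.date()).days


def summarize(records):
    """Contrast when files were written into the archive (collection years)
    with when their contents were originally produced (origin years), and
    report the oldest origin year per top-level source folder."""
    lags = [lag for lag in map(aggregation_lag_days, records) if lag is not None]
    earliest_by_source = {}
    for r in records:
        created = _parse(r.get("content_date"))
        if created is None:
            continue  # e.g. a raw SMS database with no per-file origin date
        source = r["path"].split("/", 1)[0]
        earliest_by_source[source] = min(earliest_by_source.get(source, created.year), created.year)
    return {
        "collection_years": sorted(year_histogram(records, "fs_mtime")),
        "origin_years": sorted(year_histogram(records, "content_date")),
        "min_lag_days": min(lags),
        "max_lag_days": max(lags),
        "earliest_origin_by_source": earliest_by_source,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

On the constructed sample, every file was written into the archive in 2018, yet the gallery folder's oldest photo dates from 2013, a lag of well over four years; that gap is what separates "when the aggregator collected it" from "when it was taken from the victim", and a per-source breakdown of that lag is what points at separate, earlier compromises rather than a single collection event. Files without any embedded date are counted in the collection histogram but excluded from the lag, so they cannot skew the result either way.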
The leak itself started on December 1, 2018, when a Twitter user named G0d (handle “@_orbit”) began tweeting sensitive details and links to download sites hosting sensitive data on German celebrities and parliament members. These tweets continued on a daily basis and went mostly unnoticed until December 24, 2018. In parallel, the links were also published on a WordPress blog bearing the same name (G0d / @_orbit).
Around January 3, 2019, the leaked data started to attract attention from mass media outlets such as Reuters after the German “RBB Inforadio” radio station reported the story. From that point, public and police interest rose quickly.
On January 4, a friend of the hacker named Jan Schürlein (Twitter handle @janomine) published an email correspondence with the hacker in which the hacker wrote that he was going to close his Telegram account and destroy his computer.
While the German police responded slowly to the case, the hacker moved quickly to upload the data to as many media outlets as he could, ensuring that the breached data would remain available for download even if he were arrested.
The German police arrested the suspected hacker on Sunday, January 6, 2019, and then systematically began removing the links the hacker had posted (some links to the data were still available until Tuesday, January 8).
Threat Actor & Motive
The apprehended hacker was a 19-year-old man from Homberg, in the Central Hesse district of Germany named Johannes S., the son of a local doctor. He used the following aliases in his different publications:
- 'r00t OF 0rbit'
[Screenshot: Dennis567 profile picture. Possibly Johannes S.'s true identity.]
Before leaking the private details of German government officials, Johannes S. was known for doxxing several YouTubers in 2016 with his NFOr00t alias.
The email correspondence with Janomine also exposes his alias “Ther00t”, as it points to another email address: Ther00t@portonmail.com. This address is also associated with prior doxing operations, as is evident in the following screenshots (note the Ther00t@protomail.com address in the upper right corner).
The initial statements from the police investigation indicated that he acted alone and was motivated by a right-wing political agenda (suggested by the absence of leaked “AfD” documents). He stated that he leaked the information of figures that “annoyed him.” Parts of this account were later walked back, as it was reported that he did not act alone and had accomplices to the crime.
Our findings support this assumption: some of the data in the leak required highly technical skills to obtain, and he could not have achieved it on his own. It is more likely that he paid an accomplice to obtain the data for him, or gained assistance from like-minded, technically inclined individuals.
As the hacker is in custody, we can only draw conclusions about the attack vectors from the data in the breach itself. The data is a composition of freely obtainable materials together with personal email correspondence, personal photos and documents, most likely obtained directly from compromised phones or mobile malware (e.g., the SMS correspondence) or from compromised cloud backups (the cloud backup storage contents).
As the documents were collected over many years and from various sources, they cannot be attributed to one specific source. It is highly likely that they came from multiple different hacks carried out over the years by different threat actors, and were aggregated into this database by Johannes S.
Special Thanks: I'd like to thank Andrey Yakovlev, Security Researcher at IntSights, and Matan Zerchia, Senior Threat Intelligence Analyst at IntSights, who helped contribute to this research and blog post.