IntSights’ Findings on the German Government’s Data Breach

Last week, German media, including the newspaper Bild and the broadcaster RBB, reported on a breach affecting the German Parliament that resulted in the exposure of thousands of private and confidential files to the general public. Here is our summary of the breach, including details about the attacker and a first-hand look at the data that was stolen.

Breach Timeline

Details of the breach began to unfold in early December 2018. At that time, the Twitter account G0d (@_0rbit) published daily links to sensitive documents and personal information belonging to politicians and media figures. The same information was also posted to a personal blog belonging to @_0rbit.

Figure 1: G0d (@_0rbit) Twitter Profile

The severity of the leaked information increased gradually, beginning with the private information of celebrities and media figures and later extending to the personal data of members of political parties. Affected parties included the Christian Democrats, their Bavarian sister party the Christian Social Union, the Social Democrats, the Free Democratic Party, the Left Party and the Greens.

Twitter has since taken down the posts and the profile; however, the IntSights platform had scraped the data beforehand, enabling us to obtain the original files before they were removed.

Figure 2: @_0rbit Blog

As soon as the leaked files were obtained, our team began analyzing the compromised data, which ranges from mere names and phone numbers to full PII dumps including IDs, email contents, Facebook contents, phone activity, accounting information, etc.

The documents also range from publicly available to confidential, but the majority of the information is of a private nature, is years old, and does not contain details of political agendas. This suggests that the data was gathered from several sources rather than from one large database.

Figures 3-5: Leaked Documents

Who Was Behind the Attack?

While there is currently no proof of who planned and carried out the hack, some of the files in the leak reference @NfoR00t, a hacker with a history of doxing and defacing. Given this, it is likely that @NfoR00t is the same person behind @_0rbit. Additional aliases could include:

Figure 6: Hacker's Signature from Leaked Files

Figure 7: NfoR00t AKA Nullr0uter

The first evidence of the hacker's activities dates back to the summer of 2015, when he published doxes of well-known YouTube personalities.

At this time, it is still unclear how the hacks were carried out, but the IntSights team will continue to investigate the situation and publish further results accordingly.

UPDATE: Suspect Arrested in Germany Data Leak
A 20-year-old man has been arrested on suspicion of being responsible for the German government data breach.
