The Bundestag, the lower house of the German congress, conducted a secret penetration test (pen test) against members of parliament by sending phishing emails that supposedly came from the Bundestag administration. While many MPs and their staff members passed the test, Spiegel (machine translated) says that several fell for the faked email and disclosed sensitive information like usernames and passwords.
All representatives and their staff eventually received a letter explaining the penetration test, saying, “This is absolutely necessary for an effective defense against real phishing campaigns.” However, it also added, “I would like to ask all those who have clicked on the links in the e-mails and, if necessary, entered login credentials and passwords to change their password as a precautionary measure.”
As one of the leading government bodies in Germany, the Bundestag is a prime target of both state and non-state actors for hacking, and phishing is one of the techniques bad actors use to gain access to restricted systems. This actually isn’t the first time that the German lower house has been attacked, with the most serious incident occurring in 2015, when its IT infrastructure was left in complete disarray while the attackers made off with at least 16GB of data.
Spiegel says that hackers related to the GRU — Russia’s military intelligence service — were behind the 2015 attack and that phishing was one of the techniques that it used to gain access to the Bundestag’s systems. As the global political situation is becoming more heated, governments must focus on protecting their secrets. More recently, Germany accused China of a cyberattack against its primary mapping agency.
And because these cybersecurity protections are only as strong as their weakest link, it makes sense that the Bundestag makes all its people aware of phishing attacks and reminds them to be aware of it. This is especially important as not everyone is tech or internet-savvy, and just a single person on the staff of a key MP could potentially compromise confidential projects and operations. This isn’t exactly a new practice, as practically every government has been trying to gather intelligence by compromising key persons; the internet age has just made that far easier than ever before.