Emotet: Attackers wanted to blackmail the Bundeswehr fleet service

It was recently announced that strangers had attacked the IT network of the Bundeswehr fleet service provider. The company offers transport services not only for the Bundeswehr, but also for the Ministry of Defense and the members of the Bundestag. As is now apparent from an investigation report, the attackers aimed at extortion.

Don’t miss any news! With our daily newsletter you will receive all the news from heise online for the past 24 hours every morning.

  • Subscribe to the newsletter now

The editorial network Germany (RND) claims to have a “report on the current state of affairs”, which the management of the Bundeswehr subsidiary BwFuhrparkService GmbH had drawn up. According to RND, it said that the “Emotet” blackmail trojan infected the company’s IT network. The ransomware got into the house by email. Another blackmail Trojan (“QakBot”) and then the malware “Cobalt Strike”, which the report describes as a “toolkit for manual attacks”, were then downloaded.

The report does not name possible perpetrators. The malware was only active on August 12th, the next day the network connections – including to the company’s customers – were cut and the incident was reported to the Ministry of Defense.

Windows systems were affected, including those on which personal data for the German Bundestag’s driving service is stored. At the moment, no data leak has been determined, but the attackers could have done so until the network connections were disconnected. However, the scope and pattern of the attack suggested that the attackers were not interested in the data of the members of the Bundestag. Rather, they would have made preparations to blackmail the Bundeswehr fleet service. Apparently the IT network was supposed to be paralyzed first, then ransom would have been demanded for reactivation.

The Bundestag Vice-President Petra Pau (Die Linke) told the RND that the Bundestag was affected by the incident, as the data of the members of the Bundestag could have been accessed by the attackers. However, this was not the aim of the action, but the blackmailing of the Bundeswehr. According to Ms. Pau, who also chairs the Bundestag Commission for Information and Communication Technology (IuK), the investigation is still in progress. The driving service is guaranteed, it is now a matter of avoiding repetitions.


To home page