German government: China responsible for attack on federal agency in 2021
A digital espionage case at the Federal Agency for Cartography and Geodesy from 2021 has now led to the summoning of the Chinese ambassador.
The German government has officially held state agencies in the People's Republic of China responsible for the intrusion into the networks of the Federal Agency for Cartography and Geodesy (BKG) in 2021. It speaks of a "serious cyber incident". The Chinese ambassador was summoned to the Federal Foreign Office for the first time since the massacre in Tiananmen Square in 1989. This was announced by a spokesperson for the Foreign Office on Wednesday afternoon in Berlin. The incident first became known to the wider public in 2023, after which the official apportionment of blame dragged on.
In 2021, attackers had managed to penetrate the networks of the Federal Office responsible for geodata and reference data. The Federal Ministry of the Interior (BMI) says that the attackers' goal was espionage against public authorities. In Germany, the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) were involved in the formal attribution of the perpetrators.
Attackers used small devices for concealment
The 400 employees of the BKG are responsible for creating and providing geodata of all kinds within the remit of the Federal Ministry of the Interior. They are responsible for surveying the Federal Republic of Germany in the form of coordinates, coordinating data from the federal states and providing GIS data and 3D terrain models. The BKG is also the operator of geoportal.de, the official geodata portal of the Federal Republic of Germany. The BKG also performs an important function for many private sector bodies in the area of critical infrastructure, explained Foreign Office spokesperson Sebastian Fischer.
According to the BMI, the attackers used end devices for home use (SOHO) to access the networks via obfuscation mechanisms and compromised a wide range of end devices. This should make it clear that the attacker group was APT 15: This group, also known as Vixen Panda, Mirage, Playful Dargon or Nylon Typhoon, is credited with precisely this approach; the BfV had already issued extensive warnings about this actor and its approach in 2023.
Federal government now names those responsible more frequently
Attributing responsibility for cyberattacks is politically and diplomatically delicate. The current German government now appears to be increasingly using them as a means of exerting public pressure on state or state-tolerated actors and their supporters. Just a few weeks ago, the Federal Foreign Office officially attributed an attack on the SPD and various KRITIS operators in 2022 to state-affiliated actors from the Russian Federation.
Today's attribution is special because it is the first time that official Chinese authorities have been held directly responsible. And in a case in which a state agency was attacked. While espionage, as in the case now made public, is generally not prohibited under international law, a case of sabotage by state actors could cross the threshold of the United Nations Charter's prohibition on the use of force.
The formal protest that the Foreign Ministry has now addressed to the ambassador of the People's Republic in Berlin is also reflected in a statement by Nancy Faeser (SPD), the Federal Minister of the Interior responsible for counterintelligence: "We call on China to refrain from and prevent such cyberattacks. These cyberattacks threaten the digital sovereignty of Germany and Europe." The German government is resolutely opposing these threats and has greatly increased protection. In this context, Faeser referred to the NIS2 Implementation Act, which passed the cabinet last week after more than a year of internal government discussion.
(vbr)