German Bundestag intrusion (APT28)
Russian GRU Unit 26165 (APT28 / Fancy Bear) compromised the Bundestag's parliamentary network, exfiltrating ~16 GB of data including emails from Chancellor Merkel's parliamentary office. Forced a full Bundestag IT estate rebuild.
- Victim: Deutscher Bundestag (German federal parliament)
- Loss: $22.0M (reported; see Financial impact)
- Users affected: 5.5K
In May 2015, the German Bundestag (the federal parliament of Germany) discovered that operators from APT28 / Fancy Bear had compromised its parliamentary network. By the time German cyber-defence services responded, the operators had harvested approximately 16 GB of email and document data, including correspondence from Chancellor Angela Merkel's parliamentary office, opposition leaders and parliamentary committee staff.
The operation forced a complete rebuild of the Bundestag's IT estate at a cost of ~€17 million. It is the most-cited European state cyberespionage incident of the 2010s and a defining moment in Germany's cyber-defence posture.
What happened
APT28 operators, assessed by German, U.S. and U.K. intelligence services as Russian GRU Unit 26165 (distinct from Sandworm, GRU Unit 74455, which ran the NotPetya and Olympic Destroyer operations), launched a spearphishing campaign against Bundestag staff in late April 2015. The lures referenced UN sanctions topics of contemporary interest, with malicious Word document attachments carrying Sofacy / X-Agent payloads.
At least one Bundestag staff member opened the attachment, dropping a Sofacy implant on their workstation. From there the operators:
- Harvested domain credentials with Mimikatz-style credential-dumping tooling from the APT28 toolkit.
- Escalated to domain administrator on the Bundestag's parliamentary network within days.
- Established persistent access across approximately 14 servers, including email and document infrastructure.
- Exfiltrated approximately 16 GB of data over several weeks, with primary focus on the email archives of senior parliamentarians and committee staff.
The data included:
- Email correspondence from Chancellor Angela Merkel's parliamentary office (distinct from the Chancellery's own IT, but containing significant overlapping material).
- Communications from opposition leaders including SPD and Linke caucus correspondence.
- Parliamentary committee documents including foreign policy and intelligence-oversight materials.
- Working notes and draft positions from 5,500+ parliamentarians and staff.
Detection and rebuild
Bundestag IT staff detected anomalous traffic on 8 May 2015 but initially underestimated its scope. By 12 May, Germany's Federal Office for Information Security (BSI) and Federal Office for the Protection of the Constitution (BfV) had engaged and recognised the full extent of the compromise.
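What the kind of egress check that surfaces "anomalous traffic" looks like in practice, as an added illustration that is not the Bundestag's tooling and not drawn from the incident record: a per-host daily egress baseline over proxy logs, flagging a workstation whose outbound volume to a single destination jumps far above its own recent median, plus a window-wide total per destination for transfers paced to stay under the daily check. The log format, workstation names, the destination 203.0.113.45 and the byte counts are all constructed for the example.

```python
"""Per-host egress baseline check over proxy log lines.

Added illustration only: not Bundestag tooling and not from the incident
record. Log format, hosts and byte counts are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log: "<ISO timestamp> <client> <destination> <bytes client sent>"
SAMPLE_LOG = """\
2015-04-28T09:02:11 ws-0412 mail.example.de 18304
2015-04-28T09:40:53 ws-0412 updates.example.net 2216
2015-04-28T13:17:05 ws-0412 mail.example.de 22188
2015-04-29T08:55:40 ws-0412 mail.example.de 19873
2015-04-29T14:02:19 ws-0412 cdn.example.org 4101
2015-04-30T10:12:33 ws-0412 mail.example.de 20550
2015-05-01T02:14:07 ws-0412 203.0.113.45 268435456
2015-05-01T02:59:51 ws-0412 203.0.113.45 314572800
2015-05-01T09:03:12 ws-0412 mail.example.de 21002
2015-04-28T09:10:00 ws-1107 mail.example.de 15002
2015-04-29T09:10:00 ws-1107 mail.example.de 16400
2015-04-30T09:10:00 ws-1107 mail.example.de 15950
2015-05-01T09:10:00 ws-1107 mail.example.de 15733
"""

MIB = 1024 * 1024


def parse_line(line):
    """Split one log line into (datetime, client, destination, bytes)."""
    ts, client, dest, nbytes = line.split()
    return datetime.fromisoformat(ts), client, dest, int(nbytes)


def daily_egress(log_text):
    """Aggregate bytes sent as {client: {date: {destination: bytes}}}."""
    per = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, nbytes = parse_line(line)
        per[client][ts.date()][dest] += nbytes
    return per


def flag_egress_bursts(log_text, ratio=10.0, min_bytes=50 * MIB, min_baseline_days=2):
    """Flag a client's egress to one destination on one day when it exceeds
    `ratio` times that client's median daily total over the preceding days
    (its own baseline) and is at least `min_bytes` in absolute terms.

    Returns a list of dicts sorted by bytes descending. `new_destination` is
    True when the client never talked to that destination during the baseline.
    """
    per = daily_egress(log_text)
    findings = []
    for client, days in per.items():
        dates = sorted(days)
        for i, day in enumerate(dates):
            history = [sum(days[d].values()) for d in dates[:i]]
            if len(history) < min_baseline_days:
                continue  # not enough of the host's own history to judge against
            baseline = median(history)
            seen = {dest for d in dates[:i] for dest in days[d]}
            for dest, nbytes in days[day].items():
                if nbytes >= min_bytes and nbytes > ratio * baseline:
                    findings.append({
                        "client": client,
                        "date": day.isoformat(),
                        "destination": dest,
                        "bytes": nbytes,
                        "baseline_daily_bytes": baseline,
                        "new_destination": dest not in seen,
                    })
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


def cumulative_by_destination(log_text, min_total=200 * MIB):
    """Window-wide total per (client, destination), keeping pairs at or above
    `min_total`. Catches exfiltration paced to stay under the daily burst check."""
    totals = defaultdict(int)
    for client, days in daily_egress(log_text).items():
        for dests in days.values():
            for dest, nbytes in dests.items():
                totals[(client, dest)] += nbytes
    return {k: v for k, v in totals.items() if v >= min_total}


if __name__ == "__main__":
    for f in flag_egress_bursts(SAMPLE_LOG):
        print(f"{f['client']} {f['date']} -> {f['destination']}: "
              f"{f['bytes'] / MIB:.0f} MiB (baseline {f['baseline_daily_bytes'] / 1024:.0f} KiB/day, "
              f"new destination: {f['new_destination']})")
    for (client, dest), total in cumulative_by_destination(SAMPLE_LOG).items():
        print(f"window total {client} -> {dest}: {total / MIB:.0f} MiB")
```

The daily ratio check only works once a host has a few days of its own history, and an operator moving 16 GB over several weeks can pace transfers below any single-day threshold; the window-wide total per destination is the check that still catches that, which is why scoping an intrusion needs the cumulative view rather than the day the first spike was noticed.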
The German response decision was unusual in scope: rather than attempt to evict the operators while maintaining operational continuity, the Bundestag elected to rebuild the entire parliamentary IT estate from scratch. Over the summer of 2015:
- All workstations rotated through forensic imaging and rebuild.
- All servers replaced or fully wiped and reinstalled.
- Network architecture redesigned with segmentation and stricter access controls.
- Credentials rotated comprehensively.
The cost: approximately €17 million. The rebuild was completed by autumn 2015, with the parliamentary network returning to full service in October.
Attribution and indictment
In May 2020 β five years after the operation β Germany's Federal Criminal Police Office (BKA) issued an arrest warrant for Dmitri Sergeyevich Badin, a Russian national identified as an officer of GRU Unit 26165. The warrant was the first ever issued by German authorities for a state cyberespionage operation.
In October 2020, the EU Council added Badin, the head of the GRU, Igor Kostyukov, and GRU Unit 26165 itself (the 85th Main Centre for Special Services) to the EU cyber sanctions list for the Bundestag operation. These were the second set of listings under the regime: the first, in July 2020, had covered among others the GRU officers Aleksey Morenets and Yevgeniy Serebriakov for the 2018 attempted intrusion against the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague, disclosed by Dutch intelligence in 2018. Badin himself had already been named in the July 2018 U.S. Mueller indictment of GRU officers for the DNC hack.
The GRU Unit 26165 attribution is operationally significant: it places the Bundestag operation within the same APT28 / Fancy Bear cluster responsible for:
- DNC and DCCC intrusions (2016, U.S.)
- TV5Monde attack (2015, France, masquerading as Islamic State)
- OPCW spearphishing attempt (2018, Netherlands)
- World Anti-Doping Agency (WADA) leaks (2016)
Impact
- ~16 GB of email and document data exfiltrated, including senior parliamentarian correspondence.
- β¬17 million remediation cost for full IT estate rebuild.
- No public dump of the exfiltrated data, which distinguishes the Bundestag operation from the DNC operation that followed, where stolen data was selectively published via WikiLeaks during the 2016 U.S. campaign.
- German federal cybersecurity investment expanded substantially afterwards; the BSI's budget and authority grew materially in the 2016–2018 federal cybersecurity reforms.
Why it matters
The Bundestag operation is the canonical European state cyberespionage case and the most-cited example of GRU operations against EU democratic institutions. It established:
- That EU parliamentary networks were attractive targets for Russian state cyberespionage. The Bundestag intrusion was followed by similar operations against the French presidential campaign (2017), the Italian Senate (suspected; not publicly confirmed) and OSCE staff networks.
- That full network rebuild is a viable remediation strategy for major state-cyberespionage compromises, given political and budgetary support. The Bundestag rebuild precedent has been cited in subsequent decisions at the Norwegian Storting (2020) and elsewhere.
- That EU coordinated cyber sanctions are a credible policy tool. The October 2020 designation of Badin, the GRU's head and Unit 26165 for the Bundestag intrusion followed the EU's first-ever cyber sanctions package of July 2020 and established the regime as a response to named state operators and their units.
- That German federal cybersecurity capability has expanded substantially since 2015. The Bundestag intrusion is the most-cited motivating event behind the expansion of the BSI's federal coordination role, budget and authority.
Financial impact
Reported costs (USD):
- Business loss: $5.0M
- Remediation: $17.0M (the ~€17 million full IT estate rebuild)
Timeline
Late April 2015: APT28 operators send spearphishing emails to Bundestag staff with malicious attachments referencing UN sanctions topics. At least one staff member opens the attachment, dropping a Sofacy implant.
Late April to early May 2015: Operators establish persistence and escalate to domain administrator on the Bundestag's parliamentary network.
8 May 2015: Bundestag IT staff detect anomalous traffic. The initial investigation underestimates the scope.
12 May 2015: BSI and BfV engage. The full scope of the compromise becomes apparent: ~14 servers compromised, ~16 GB of email and data exfiltrated.
May 2015: The Bundestag publicly confirms the cyberattack. The exfiltrated emails include correspondence from Chancellor Angela Merkel's parliamentary office, opposition leaders and committee staff.
Summer to October 2015: The Bundestag's entire parliamentary IT estate is taken offline and rebuilt from scratch at a cost of approximately €17 million.
May 2020: Germany's Federal Criminal Police Office (BKA) issues an arrest warrant for Russian national Dmitri Sergeyevich Badin, an officer of GRU Unit 26165, for the Bundestag intrusion.
October 2020: The EU Council adds Badin, GRU head Igor Kostyukov and GRU Unit 26165 (the 85th Main Centre for Special Services) to the EU cyber sanctions list for the Bundestag operation.
Sources
- bundestag.de: https://www.bundestag.de/dokumente/textarchiv/2015/kw20_pa_innen_cyber_angriff-374176
- bka.de: https://www.bka.de/SharedDocs/Pressemitteilungen/DE/Presse2020/Presse2020_Kurzmeldungen/200505_HaftbefehleAPT28.html
- zeit.de: https://www.zeit.de/digital/datenschutz/2015-06/bundestag-hack-trojaner-it