Germany cyberattack: The five most likely culprits

Such an astonishingly broad hack of hundreds of German officials and celebrities would normally indicate a state actor with significant technical capability. But the fact that the contacts and messages of those targeted were not held on German government servers means that we cannot take state actor involvement for granted. As I see it, considering capability and intent, five possible culprits stand out as most likely here. Note that, as of 18 hours after the attack was made public, the Five Eyes alliance of Western intelligence services has not yet identified a culprit.

Let’s start with China. Through various organs of China’s Ministry of State Security and the People’s Liberation armed forces, China retains an exceptional cyberwarfare capability. Broad in reach, and possessing boutique instruments that would normally be expected only of the world leaders in cyber-strike, the U.S. National Security Agency and Britain’s GCHQ, China is certainly capable of this attack. But why would Beijing choose this course of action? That’s much harder to answer. One possibility, however, is Germany’s growing frustration with the same concerns that motivate America’s present anger toward China: namely, its legal and illegal usurpation of intellectual property and its capricious disdain for global trade rules. This could be a Chinese warning shot across Berlin’s bow, made in the assessment that Germany is unlikely to retaliate. My likelihood rating of Chinese culpability: fifth most likely.

Next up, let’s consider North Korea. Effectively under the control of Kim Jong Un’s right-hand man, Kim Yong Chol, North Korea’s cyber-strike forces serve a strategic doctrine of hyper-aggressive attacks against varied targets across the world. The apparent motivation here is twofold: to steal foreign financial capital and to reinforce the notion that Kim Jong Un’s regime is a rogue state capable of doing anything, however irrational or risky. In turn, Pyongyang hopes that the international community will be more predisposed toward appeasement in return for a more docile North Korean foreign policy. Why would North Korea target Germany? Well, for the aforementioned reason of strategy. But alongside its growing anger, it might also be lashing out against Germany’s support for the U.S. sanctions regime on Pyongyang. My likelihood rating: fourth most likely.

Now on to Iran. Although not as strong as China or Russia, Iran possesses an advanced cyberwarfare intelligence capacity. Through its sustained willingness to use this capability aggressively, Iran has shown a tolerance for significant risk of retaliation. This comports with Iran’s risk-comfortable approach to conventional terrorist attack plotting. But why would Iran attack Germany? Perhaps because the German government has supported increased sanction penalties on Iran under Trump administration pressure. This has included preventing Iran from recovering foreign capital reserves, something the Iranian hardliners care greatly about. Why would Iran leave the Alternative for Germany (AfD) out of its attack? Perhaps to lead others into the wilderness of mirrors: making them assume that an actor with a more specific interest in the AfD is to blame here. Of course, this distraction factor could apply to each possible culprit here. In contrast, the argument against Iranian involvement is that this action would risk detection and thus motivate a harsher German government approach toward Tehran. My likelihood rating of Iranian responsibility: third most likely.

Then there’s (yes, you guessed it) Russia. The Russians have the means, track record, and motive for an attack such as this one. But if Russia is to blame here, it is almost certainly through intermediaries. While Russia always has an interest in disrupting German politics, especially in the context of the German elections next year, the broad brush of this attack is odd. After all, the German conservative parties are far more skeptical of Russian foreign policy priorities than the center-left and left-wing parties. In that regard, if Russia assumed (as it would) that it was ultimately at risk of being blamed, one would think it would seek to maximize the damage to those more hostile toward it and mitigate the damage to those more sympathetic to it. It also seems too simple that the AfD has been left out here. While elements of the AfD are strongly sympathetic to Russia, others are less so. The AfD is not as straightforwardly a pro-Russian Western European party as France’s National Rally, for example. Indeed, the AfD’s manifesto is overtly supportive of NATO and of greater German defense spending. These are hardly things that Russia supports. It’s also unclear what Russia would gain from this attack beyond fostering a culture of fear over lost privacy among German politicians. And with final German affirmation for Russia’s high-priority Nord Stream II pipeline still in question, identified Russian culpability here, even through a cutout, would be very risky for President Vladimir Putin. Still, because of the sheer scale of the data released here, and considering Russia’s penchant for absurdity and extreme aggression in intelligence operations, my likelihood rating of Russian responsibility: second most likely.

Finally, there’s the possibility of a group of nonstate hackers aligned with the German far-right. The most obvious indicator here is the exclusion of the AfD from the attack. In addition, we must not discount the hatred with which the most virulent far-right activists view the other German political parties. Their passion for embarrassing or otherwise hurting these parties would be motive enough for an attack that blatantly avoided the AfD. There is also the consideration that the attack delivery server was apparently in Hamburg rather than a foreign location (although this could be mimicked). It is also interesting that the data was seized from private online sources rather than government servers. That would mean easier hacker access, making the attack more feasible for a nonstate actor. Yet what stands against the notion of a nonstate hacker or hacker group is the same consideration that points toward Russia or another state actor: the data is so varied that it would have taken a lot of scaled-up activity to seize. Still, my likelihood rating of nonstate hackers being responsible: most likely.

Hopefully the above gives you a bit of insight into the big cyber-antagonists of the West. But ultimately, we’re just going to have to wait and see.