Did you know?

The ViOffice Cloud is now GRATIS for up to 3GB storage space. Register now!
Skip to content
Startseite » Blog » Cyberattacks on democracy

Cyberattacks on democracy

For years now, democratic Western states have been repeatedly exposed to cyber attacks that are apparently or even demonstrably coordinated and carried out by other states.

In principle, cyberattacks can pursue very different goals. As can be seen in the past decade, attacks on the public’s opinion are also becoming established by flooding social media with bots and other “classical” propaganda techniques. Influencing news outlets, journalists, or politicians is also an increasingly common means. Last but not least, Russia in particular is using its influence on populist groups and politicians throughout Europe, as well as its connections to the conspiracy ideology and right-wing extremist milieu. [1, 2]

However, the main focus of this blog post will be the direct cyberattack on government agencies, state authorities and democracy or its actors.

Just a few days ago, it became known that hackers targeted the Social Democratic Party of Germany (SPD) and presumably tapped into the information and email traffic of parliamentarians. The security authorities and the German government suspect the same group behind the hack that was already active during the “Bundestag hack” in 2014/2015, which is associated with the Russian Secret Service. [3, 4]

Although North Korean and Chinese actors are also repeatedly suspected of being behind a wide variety of cyberattacks, the vast majority of known attacks in Europe can be attributed to Russian intelligence services.

Russian Bears

A wide variety of attacks over the past two decades have largely been attributed to just five groups close to the Russian secret services, which journalists refer to collectively as “Putin’s bears”. [5, 6]

The bear has been used as a symbol for Russia since the 16th century and for the Russian state since the early twentieth century at the latest. Especially in political caricatures of Western states, Russia is often depicted by the bear as large, brutal and clumsy.

In the context of reporting on the five hacker groups, the bear symbol emphasises their dangerous nature and unscrupulous approach.

Fancy Bear

The group known as “Fancy Bear” is known by many other names as well, such as “Advanced Persistent Threat 28” (APT28), STRONTIUM or Pawn Storm, after the group’s debut of the same name in 2014. In the course of the investigation into Russian interference in the 2016 US election campaign, the Special Investigation Commission under Robert Mueller designated the group as “GRU Unit 26165”, thus assigning it directly to the Russian military intelligence service GRU. [5, 6, 7, 8]

Fancy Bear operates worldwide, particularly in former Eastern Bloc countries, Ukraine, the USA, France, the Netherlands, and Germany. The cyberattack on the German Bundestag from the end of 2014 to the beginning of 2015 paralysed the entire IT infrastructure of the German parliament for days. Extensive restructuring was necessary to finally fend off the attack weeks later. Several gigabytes of data and confidential information were presumably passed on to Russian intelligence services. Most of the cyberattacks attributed to Fancy Bear involve phishing and spear phishing attacks on email accounts and web-based systems. [5, 6, 7, 8, 9, 10, 11]

Cozy Bear

Cozy Bear is another hacker group from the Russian intelligence services that is often mentioned in connection with Fancy Bear. Other names of the “Advanced Persistent Threat 29” (APT29) group, which has been active since at least 2010, include CozyDuke and Midnight Blizzard. [5]

Cozy Bear operates in particular by means of Trojans. Similar to Fancy Bear, they infiltrate the IT infrastructure of western, democratic countries in particular in order to pass on information. In the course of investigations, security experts frequently found traces of both Fancy and Cozy Bear in the same systems. [5, 6, 8, 9, 10]

The case of the hack attack on the US Democratic National Committee stands out in particular. Although both groups probably infiltrated the committee’s IT infrastructure at the same time, security authorities believe that both were working independently of each other and may not even have known that they were attacking the same target at the same time. [12]

A bugging operation carried out by the Dutch intelligence service AIVD, in which surveillance cameras in the hacker group’s offices were hijacked, made it possible to attribute the group to Russian intelligence services. The Dutch Secret Service, which literally watched the group through cameras for weeks, attributes Cozy Bear to the Russian foreign intelligence service SVR. [5]

Berserk Bear

The hacker group Berserk Bear, which has been assigned to the Russian Secret Service FSB by US intelligence services and is also known by the synonyms BROMINE, Energetic Bear or Ghost Blizzard, specialises in particular in the infiltration of critical infrastructure. [5, 6, 13, 14]

Beserk Bear has been operating in the USA and Germany since at least 2018, where it has penetrated the systems of companies in the energy and water supply sector for espionage purposes. [5, 13, 14]

Voodoo Bear

The hacker group known primarily as “Sandworm” is attributed to the Russian Secret Service GRU and is said to have been responsible for various large-scale attacks on Ukrainian infrastructure and energy supply from 2015 onwards. Among other things, the cyberattack on the control systems of the damaged Ukrainian nuclear power plant in Chernobyl in 2017 using the NotPetya malware is said to be attributable to the group. The malware targets Windows systems, infiltrates them and encrypts all data stored on them. [5, 15]

In the course of Russia’s war of aggression against Ukraine from 2022 onwards, Voodoo Bear is repeatedly appearing with further cyberattacks on Ukraine’s critical infrastructure and energy supply. The hacker group, which belongs to the Russian military, is thus actively involved in the Russian war through cyberwarfare. [16]

Venomous Bear

The hacker group, originally named after the Trojan “Turla”, has been operating since at least 2008 and is primarily active within and in the immediate vicinity of Russia. Security experts believe that the group may even have been active since 1996. In particular, it infiltrates the systems of governments and the military of various countries. GNU+Linux systems can also be attacked with the Turla Trojan. [17, 18]

The German Parliament Hack

In December 2014, a large-scale phishing attack on members of the German Bundestag began. The Federal Office for Information Security (BSI) suspects that the group Fancy Bear was behind the attack. [5, 6, 19, 20]

The hackers managed to infiltrate the Bundestag’s IT systems unnoticed and spread there. By March 2015, over 16 gigabytes of data, mainly emails and attached documents, had been leaked and presumably handed over to Russian intelligence services. [5, 6, 19, 20, 21]

The attack remains one of the largest cyberattacks in Germany to date. What’s more, it directly targeted the democratic structures of the Federal Republic of Germany. When security authorities realised the incident, they took the entire IT infrastructure offline and rebuilt it piece by piece over several weeks. [5, 19, 20, 21]

Even though none of the sensitive data captured has been published to date, the incident is considered one of the biggest foreign policy scandals in reunified Germany. [5, 19, 20, 21, 22]


  1. Zimmermann, N. (2024): Wie ein prorussisches Portal Stimmung gegen Deutschland macht. URL: https://www.faz.net/aktuell/politik/ausland/voice-of-europe-wie-propaganda-fuer-russland-funktioniert-19618660.html
  2. Jones, M. G. (2024): Belgium investigating Russian influence network suspected of paying EU lawmakers. URL: https://www.euronews.com/my-europe/2024/04/12/belgium-investigating-russian-influence-network-suspected-of-paying-eu-lawmakers
  3. Daniel, I. (2024): Bundesregierung macht Russland für Cyberangriff auf SPD verantwortlich. URL: https://www.zeit.de/politik/ausland/2024-05/spd-cyberangriff-russland-geheimdienst-gru-bundesregierung
  4. Schwarte, G. (2024): Russland steckt “eindeutig” hinter Cyberangriff auf SPD. URL: https://www.tagesschau.de/inland/spd-cyberangriff-russland-100.html
  5. SWR (2024): Putins Bären – Die gefährlichsten Hacker der Welt. URL: https://www.ardmediathek.de/video/putins-baeren/putins-baeren-die-gefaehrlichsten-hacker-der-welt/swr/Y3JpZDovL3N3ci5kZS9hZXgvbzIwMDQ0NjI
  6. Taube, B. (2024): Putins Bären – die gefährlichsten Hacker der Welt? URL: https://www.br.de/mediathek/podcast/br24-thema-des-tages/putins-baeren-die-gefaehrlichsten-hacker-der-welt/2093032
  7. Richter, S. & Kireev, M. (2024): Was über das russische Hackerkollektiv APT28 bekannt ist. URL: https://www.zeit.de/politik/ausland/2024-05/russische-hackerangriffe-apt28-cyberkriminalitaet-faq
  8. Spiegel (2021): Russische Gruppe »Ghostwriter« attackiert offenbar Parlamentarier. URL: https://www.spiegel.de/politik/deutschland/russischer-hack-erneute-attacke-hack-auf-bundestag-sieben-abgeordnete-betroffen-a-75e1adbe-4462-4e30-bd94-96796aed6b8a
  9. Scherschel, F. (2018): Bundeshack: Daten sollen über Outlook ausgeleitet worden sein. URL: https://www.heise.de/news/Bundeshack-Daten-sollen-ueber-Outlook-ausgeleitet-worden-sein-3987759.html
  10. Krempl, S. (2018): Bundeshack: Angreifer kompromittierten 17 Rechner im Auswärtigen Amt. URL: https://www.heise.de/news/Bundeshack-Angreifer-kompromittierten-17-Rechner-im-Auswaertigen-Amt-3985590.html
  11. Holland, M. (2016): Angeblich versuchter Hackerangriff auf Bundestag und Parteien. URL: https://www.heise.de/news/Angeblich-versuchter-Hackerangriff-auf-Bundestag-und-Parteien-3328265.html
  12. The Economist (2016): Bear on bear. URL: https://www.economist.com/united-states/2016/09/22/bear-on-bear
  13. Greenberg, A. (2020): The Russian Hackers Playing ‘Chekhov’s Gun’ With US Infrastructure. URL: https://www.wired.com/story/berserk-bear-russia-infrastructure-hacking/
  14. Reuters (2016): German intelligence sees Russia behind hack of energy firms – media report. URL: https://www.reuters.com/article/us-germany-cyber-russia/german-intelligence-sees-russia-behind-hack-of-energy-firms-media-report-idUSKBN1JG2X2/
  15. Holland, M. (2018): Russische Hacker: Angeblich neue Angriffe auf Bundestagsabgeordnete. URL: https://www.heise.de/news/Russische-Hacker-Angeblich-neue-Angriffe-auf-Bundestagsabgeordnete-4235782.html
  16. Greenberg, A. (2022): The Case for War Crimes Charges Against Russia’s Sandworm Hackers. URL: https://www.wired.com/story/cyber-war-crimes-sandworm-russia-ukraine/
  17. Flade, F., Frey, L. & Tanriverdi, H. (2022): Spuren führen zum Geheimdienst FSB. URL: https://www.tagesschau.de/investigativ/br-recherche/russische-hacker-103.html
  18. Cimpanu, C. (2017): 21 Years Later, Experts Connect the Dots on One of the First Cyber-Espionage Groups. URL: https://www.bleepingcomputer.com/news/security/21-years-later-experts-connect-the-dots-on-one-of-the-first-cyber-espionage-groups/
  19. Holland, M. (2015): Bundestags-Hack: Zehntausende Internetseiten für Abgeordnete gesperrt. URL: https://www.heise.de/news/Bundestags-Hack-Zehntausende-Internetseiten-fuer-Abgeordnete-gesperrt-2730126.html
  20. Holland, M. (2015): Nach Bundestags-Hack: Parlament bekommt neue IT-Sicherheitsstruktur. URL: https://www.heise.de/news/Nach-Bundestags-Hack-Parlament-bekommt-neue-IT-Sicherheitsstruktur-2810587.html
  21. Heise (2015): Bundestag-Hack war ein Phishing-Angriff über un.org. URL: https://www.heise.de/news/Bundestag-Hack-war-ein-Phishing-Angriff-ueber-un-org-2811847.html
  22. Stöber, S. (2017): Warten auf das Leak. URL: https://www.tagesschau.de/faktenfinder/bundestagswahl-warten-leak-101.html
Website | + posts

Jan is co-founder of ViOffice. He is responsible for the technical implementation and maintenance of the software. His interests lie in particular in the areas of security, data protection and encryption.

In addition to his studies in economics, later in applied statistics and his subsequent doctorate, he has years of experience in software development, open source and server administration.