German Government Accuses Russia of Cyberattack and Election Disinformation
Germany publicly accused Russia of orchestrating a cyberattack against Deutsche Flugsicherung, the state-owned air traffic control authority, and conducting a coordinated disinformation campaign aimed at influencing the upcoming federal election. The German Foreign Ministry stated it had clear evidence linking the August 2024 cyberattack to APT28 (Fancy Bear), a group associated with Russia’s GRU military intelligence, and attributed the election interference to the Storm 1516 threat actor. In response, Germany summoned the Russian ambassador, announced plans for countermeasures in coordination with EU partners, and supported new sanctions targeting those involved in hybrid attacks. The Russian embassy has denied the allegations, while European officials have warned of a broader campaign of Russian cyber operations targeting critical infrastructure and political processes across the continent.
These developments come amid heightened concern over nation-state cyber threats in Europe, with both France and Germany reporting recent attacks attributed to foreign actors. The French Ministry of Interior is investigating a suspected nation-state breach of its email servers, though details remain limited. European authorities have documented a surge in nation-state-backed cyberattacks, with the EU Agency for Cybersecurity reporting 46 such incidents between July 2024 and July 2025. Officials across Europe have condemned Russia’s use of hybrid tactics, including cyberattacks and disinformation, as part of a broader strategy to destabilize Western democracies.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Germany summons Russian ambassador and announces EU-coordinated response
Following the attributions, Germany summoned the Russian ambassador in Berlin and said it would coordinate countermeasures with EU partners. Officials also backed sanctions and other punitive steps such as travel bans and asset freezes against those responsible.
Germany links election disinformation to Storm-1516 and Russia
Germany also publicly identified Storm-1516 as the operation behind election-related disinformation and tied it to Russian hybrid activity. Officials said the campaign was part of a broader effort to destabilize democratic processes.
Germany attributes DFS cyberattack to APT28/Fancy Bear
In December 2025, the German government publicly attributed the August 2024 attack on Deutsche Flugsicherung to APT28, also known as Fancy Bear, a threat group linked to Russia's GRU military intelligence. German officials said they had clear evidence supporting the attribution.
ENISA reports 46 nation-state-backed attacks in the EU over the prior year
The European Union Agency for Cybersecurity reported that 46 nation-state-backed attacks affected the EU between July 2024 and July 2025. Officials cited the figure as evidence of a broader rise in hybrid threats across Europe.
Storm-1516 disinformation campaign targets Germany's federal election
Ahead of Germany's February 2025 general election, authorities say the Storm-1516 influence operation sought to interfere in the vote using disinformation, including deepfake media and covert websites. Germany later linked the campaign to Russian state activity.
Cyberattack hits Deutsche Flugsicherung internal IT and communications
In August 2024, Germany's air traffic control authority Deutsche Flugsicherung was hit by a cyberattack affecting internal IT and communications systems. Reporting indicates flight operations were not disrupted.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Germany summons Russian ambassador over GRU-linked cyberattacks — air traffic control and elections systems targeted
tomshardware.com
Open sourceGermany calls in Russian Ambassador over air traffic control hack claims
securityaffairs.com
Open sourceGermany summons Russian ambassador over cyberattack, election disinformation
therecord.media
Open sourceFrance and Germany Grappling With Nation-State Hacks
bankinfosecurity.com
Open sourceFrance and Germany Grappling With Nation-State Hacks
govinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
EU Leadership Warns of Russian Hybrid Warfare Campaign Targeting Europe
European Commission President Ursula von der Leyen publicly warned that Russia is conducting a coordinated hybrid warfare campaign against Europe, combining cyberattacks, sabotage, and disinformation to destabilize the European Union and weaken its support for Ukraine. In a speech before the European Parliament in Strasbourg, von der Leyen cited a surge in security incidents attributed to Russian state-backed actors, including the violation of Estonian airspace by Russian MiG jets and the appearance of drones over critical infrastructure in Belgium, Poland, Romania, Denmark, and Germany. The United Kingdom, though not an EU member, also reported drone incidents near civilian and military sites, prompting the deployment of a counter-drone unit to Denmark during major European summits. Von der Leyen highlighted that these incidents are not isolated but part of a deliberate and escalating campaign designed to test the EU’s resolve and unity. She referenced specific examples such as undersea cable cuts, cyberattacks that paralyzed airports and logistics hubs, and malign influence campaigns targeting European elections. The European Commission president emphasized that these actions are calculated to remain in a "grey zone" of deniability, making attribution and response more complex. She called for urgent action, urging EU leaders to develop a strategic plan in close coordination with NATO to counter these threats. The blueprint for a pan-European security response was presented to EU leaders at a recent summit in Copenhagen. Von der Leyen stressed the need for greater vigilance, technological readiness, and unity among EU member states to deter further aggression and protect European sovereignty. The campaign is seen as a direct attempt to divide the EU and undermine its support for Ukraine amid ongoing conflict. The speech marked a significant escalation in the EU’s public stance on Russian hybrid threats, moving from isolated incident response to recognizing a systematic and strategic campaign. The European Commission’s warning comes amid increasing evidence of Russia’s use of both physical and cyber means to disrupt European stability. The call to action includes enhancing countermeasures against cyberattacks, protecting critical infrastructure, and strengthening information resilience against disinformation campaigns. The EU’s response is expected to involve both defensive and offensive cyber capabilities, as well as closer intelligence sharing with NATO allies. Von der Leyen’s remarks underscore the seriousness with which European leadership now views the hybrid threat landscape, and the necessity for a unified and robust response.
Mar 21, 2026
German Government Pushes More Offensive Cyber Response Amid Ongoing Public-Sector Disruptions
Germany’s federal government signaled a shift toward a more **offensive posture** in response to cyberattacks. Interior Minister **Alexander Dobrindt** said Germany intends to “strike back,” including actions abroad to disrupt attackers and destroy their infrastructure, with operations to be carried out jointly by intelligence services and the **Bundeskriminalamt (BKA)**. The Interior Ministry also plans a new defense center for **hybrid threats**, prepared by the domestic intelligence service, to improve coordination across government levels; Dobrindt framed the move as a response to persistent attacks on institutions, critical infrastructure, and companies, often attributed to groups linked to state services (including Russia). Separately, the **Staatliche Kunstsammlungen Dresden** (a network of 15 museums) reported continued operational impacts from a **cyberattack**, with museums remaining open but key services still impaired, including `online ticketing`, card payments on-site, the online shop, and visitor services. Police and the state criminal office initiated investigations, and the Dresden public prosecutor indicated the case may be handled by Saxony’s specialized cybercrime unit (ZCS). The UK government’s discussion of building a **digital ID** system in-house is policy/technology governance reporting and does not describe a specific cyber incident or vulnerability tied to the German developments.
Mar 21, 2026
Doppelgänger Disinformation Network Targeted German Audiences
Researchers reported that the suspected Russia-aligned **Doppelgänger** influence operation ran a coordinated propaganda campaign against German audiences from at least late 2023, using a large network of coordinated X accounts, impersonated media brands, and custom-built websites to push anti-government and anti-Ukraine narratives. The messaging focused on politically sensitive issues including strikes, immigration, inflation, and elections, with the activity assessed as part of a broader effort to shape public opinion in Germany. The operation relied on multi-stage redirection infrastructure and evasive technical measures, including Base64-obfuscated JavaScript, tracking identifiers, rotating first-stage and second-stage domains, geofencing on destination sites, and infrastructure linked to **Keitaro** traffic distribution systems. SentinelLABS and ClearSky said the campaign’s tactics and infrastructure overlap with findings previously reported by the German Ministry of Foreign Affairs, *Der Spiegel*, Recorded Future, and Meta, underscoring a persistent influence effort tied to upcoming European, municipal, state, and federal elections in Germany.
Apr 11, 2025