German and Ukrainian actions expand cyber operations: BND surveillance powers and a ransomware disruption
German lawmakers are advancing draft legislation to significantly expand the Bundesnachrichtendienst’s (BND) hacking and surveillance authorities, including intercepting full internet communications (not just metadata), retaining collected data for up to six months, and extending the agency’s offensive mandate to hack foreign internet service providers to obtain target information when companies do not cooperate. Reporting indicates the proposal is partly aimed at reducing reliance on the US NSA for threat intelligence and bringing Germany’s capabilities in line with other European services; it would also broaden who can be surveilled, including foreigners inside Germany and certain journalists tied to foreign state-run media, and would enable intrusive operations such as deploying a “federal trojan.”
Separately, Ukrainian and German law enforcement reported disrupting a Russian-affiliated ransomware operation, identifying and searching two suspects in Ukraine alleged to have served as “hash cracker” specialists who extracted/cracked password hashes, used stolen credentials for lateral movement and privilege escalation, and supported ransomware deployment and data exfiltration for extortion. Authorities seized digital devices and cryptocurrency assets and said an alleged Russian organizer has been identified, with foreign partners suggesting possible links to the Conti ransomware ecosystem. A third item—a Citizen Lab job posting—does not report a specific incident and is primarily recruitment content, despite referencing prior research on targeted phishing and spyware threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Authorities identify alleged organizer and seek Interpol listing
Investigators identified a Russian citizen suspected of creating and leading the ransomware group, with possible ties to the Conti operation. At Germany's initiative, the suspect was placed on an Interpol international wanted list as part of the multinational investigation.
Ukraine and Germany disrupt ransomware group and search suspects
Ukrainian Cyber Police and National Police, working with Germany's BKA, disrupted the ransomware group and searched two suspected members in the Ivano-Frankivsk and Lviv regions. Authorities seized digital media, devices, and cryptocurrency assets during the operation.
German draft law proposes major expansion of BND hacking powers
A draft German law reported in January 2026 would significantly expand the Bundesnachrichtendienst's surveillance and offensive cyber authorities. The proposal would allow interception of full internet communications, retention of collected data for up to six months, hacking of foreign ISPs, and broader surveillance of foreigners in Germany and some foreign state-run media journalists.
Ransomware group begins targeting organizations worldwide
Investigators said the Russian-affiliated ransomware group conducted attacks against Western companies, institutions, and government bodies from 2022 through 2025, causing losses estimated in the hundreds of millions of euros. The group allegedly used stolen or cracked credentials to gain access, move laterally, escalate privileges, encrypt systems, and extort victims.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
German Government Pushes More Offensive Cyber Response Amid Ongoing Public-Sector Disruptions
Germany’s federal government signaled a shift toward a more **offensive posture** in response to cyberattacks. Interior Minister **Alexander Dobrindt** said Germany intends to “strike back,” including actions abroad to disrupt attackers and destroy their infrastructure, with operations to be carried out jointly by intelligence services and the **Bundeskriminalamt (BKA)**. The Interior Ministry also plans a new defense center for **hybrid threats**, prepared by the domestic intelligence service, to improve coordination across government levels; Dobrindt framed the move as a response to persistent attacks on institutions, critical infrastructure, and companies, often attributed to groups linked to state services (including Russia). Separately, the **Staatliche Kunstsammlungen Dresden** (a network of 15 museums) reported continued operational impacts from a **cyberattack**, with museums remaining open but key services still impaired, including `online ticketing`, card payments on-site, the online shop, and visitor services. Police and the state criminal office initiated investigations, and the Dresden public prosecutor indicated the case may be handled by Saxony’s specialized cybercrime unit (ZCS). The UK government’s discussion of building a **digital ID** system in-house is policy/technology governance reporting and does not describe a specific cyber incident or vulnerability tied to the German developments.
Mar 21, 2026
Hacktivist Cyber Operations Escalate Amid Geopolitical Tensions
A newly formed Russian-aligned hacktivist coalition calling itself **Russian Legion** (reportedly comprising Cardinal, The White Pulse, Russian Partizan, and Inteid) announced “**OpDenmark**,” a campaign of **DDoS attacks** intended to disrupt Danish government services and critical infrastructure and pressure Denmark to reverse military support for Ukraine. Reporting indicates the group issued an ultimatum tied to Denmark’s planned **1.5 billion DKK** aid package, followed by service disruptions across multiple Danish organizations, including repeated targeting of the **energy sector**; analysts characterized the actor as *state-aligned but not state-funded*, using disruption and psychological pressure rather than confirmed destructive intrusions. Separately, a new hacktivist group, **Punishing Owl**, claimed a breach of a Russian government security agency, publishing stolen documents and using DNS manipulation to redirect traffic to attacker-controlled infrastructure hosting the leak and a manifesto. The operation reportedly expanded into **business email compromise** against partners/contractors and included tooling such as the **ZipWhisper PowerShell stealer**, with lures using password-protected ZIPs and disguised LNK files to execute PowerShell downloaders. An additional opinion piece highlighted a broader rise in **energy infrastructure** cyber operations (including referenced events affecting Poland and Venezuela) but did not provide corroboration or direct linkage to the Denmark DDoS campaign or the Punishing Owl intrusion.
Mar 21, 2026
Russian Cyber Operations Hit Ukraine and Expand to Allied Governments
Ukraine has remained a primary target and proving ground for Russian-linked cyber operations, from the **Petya/NotPetya** outbreak that began via Ukrainian networks and crippled government agencies, banks, transport systems, industrial firms, and Chernobyl monitoring systems, to later destructive malware planted in dozens of Ukrainian government and private-sector networks. Microsoft said the 2022 malware was discovered alongside website defacements affecting Ukrainian entities and appeared designed for later activation, while officials warned such activity could accompany broader military escalation. Earlier attacks on Ukraine’s power grid, election systems, and software supply chain underscored how repeated intrusions against the country have had consequences far beyond its borders. The campaign has also extended well outside Ukraine through espionage and supply-chain compromises attributed by officials and researchers to Russian state actors. Microsoft reported that hackers aligned with Russia targeted organizations in **42 countries** supporting Ukraine, with nearly two-thirds of espionage victims in NATO states and successful intrusions resulting in data theft in at least a quarter of cases. Separately, suspected **S.V.R.** operators were tied to a broad intrusion set affecting at least 40 organizations, including U.S. government agencies, technology firms, and cybersecurity companies, reinforcing warnings that attacks first seen in Ukraine can evolve into wider operations against allied governments and critical sectors.
May 25, 2026