German hacker group targeted over 30,000 websites, organized protests

Tripetta
Feb 6, 2022


Beginning in March 2021, the German hacker group TFM targeted more than 30,000 websites worldwide and ran a public campaign to spread misinformation about coronavirus vaccines. The group was allegedly founded in 2017 by far-right former politicians and business leaders in the country and employed more than 100 people.

At the heart of the attacks was an extremist ideology centered on denial of the Holocaust. The group's cyberattacks evidently grew during times of protest and unrest, as the accompanying graph shows, because the hackers aimed to exploit moments of weakness in democratic countries.

Although at odds with German foreign policy, the group thrived during the Merkel era but waned in influence after a liberal government came to power. It secured funding primarily from Middle Eastern oil and natural gas companies, which we decided not to name.

Data from StopForumSpam, a non-profit service that collects reports of spam registrations, was used to track the group's activities over the past months. Some of that data has been made available to the public.

The group's existence first became known to the cyber world after a memorable post about spam signups was published by technologist John Athayde on StackOverflow. According to Athayde, "The signups used Cyrillic or Arabic characters in their name, and came from weird, yet validly formatted, email addresses."

TFM's labor force was drawn largely from foreign recruits, namely computer programmers from countries like Russia and Ukraine, who were initially led to believe they were working for a German government contractor. Nearly all of TFM's staff were men, and the group actively promoted gender-based discrimination on social media.

Although most of its efforts were international, TFM showed a clear shortsightedness on foreign policy issues. A major failure was launching over twenty fake Arabic-language social media accounts in Azerbaijan, a country where Arabic is not spoken. Some of those accounts have since been shut down by Twitter.

The attacks were largely ineffective and appear to have damaged only WordPress sites. They used a well-known abuse of the WordPress XML-RPC interface (the xmlrpc.php endpoint, which exists only in the WP ecosystem), as outlined here. Because the bots posted directly to that endpoint rather than to the login or signup form, any reCAPTCHA protecting those forms was never triggered.
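The page does not say which XML-RPC abuse was used, so the following is an added example, not the group's tooling or the page's data. It assumes the two most common patterns against xmlrpc.php: a flood of POSTs from one source, and a single system.multicall request that bundles hundreds of credential-bearing wp.getUsersBlogs calls (one HTTP request, many password guesses). The log lines and the XML body are constructed here for illustration; the IP addresses are documentation ranges.

```python
"""Spot WordPress XML-RPC abuse in access logs and request bodies (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# XML-RPC methods that take a username/password pair; seeing hundreds of them in
# one multicall is a password-guessing run, not a legitimate client.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getUsers", "wp.getPosts"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_bursts(lines, max_posts=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for IPs that POST to xmlrpc.php more than
    max_posts times inside any sliding window of the given length."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0].endswith("/xmlrpc.php"):
            per_ip[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            hits = end - start + 1
            if hits > max_posts:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged


def multicall_login_attempts(body):
    """Count credential-bearing calls nested inside one system.multicall body.
    Returns 0 for non-multicall or unparsable XML. For untrusted input in
    production, parse with defusedxml instead of the stdlib parser."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return 0
    if root.tag != "methodCall" or root.findtext("methodName") != "system.multicall":
        return 0
    n = 0
    for struct in root.iterfind(".//struct"):
        for member in struct.findall("member"):
            if member.findtext("name") == "methodName":
                name = (member.findtext("value/string") or member.findtext("value") or "").strip()
                if name in AUTH_METHODS:
                    n += 1
    return n


# ---- constructed sample data (not real traffic) ----
SAMPLE_LOG = [
    f'203.0.113.5 - - [04/Mar/2021:10:01:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"'
    for s in range(0, 35, 5)            # seven POSTs in 30 seconds from one bot
] + [
    '198.51.100.7 - - [04/Mar/2021:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [04/Mar/2021:10:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 500 "-" "WordPress/5.6; https://blog.example"',
    'not a log line',
]


def _call(method, *params):
    vals = "".join(f"<value><string>{p}</string></value>" for p in params)
    return (f"<value><struct><member><name>methodName</name><value><string>{method}</string></value></member>"
            f"<member><name>params</name><value><array><data>{vals}</data></array></value></member></struct></value>")


SAMPLE_MULTICALL = (
    '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
    '<params><param><value><array><data>'
    + "".join(_call("wp.getUsersBlogs", "admin", f"Password{i}") for i in range(200))
    + _call("demo.sayHello")            # a harmless call mixed in; not counted
    + '</data></array></value></param></params></methodCall>'
)

if __name__ == "__main__":
    print("bursting IPs:", xmlrpc_bursts(SAMPLE_LOG))
    print("guesses in one multicall:", multicall_login_attempts(SAMPLE_MULTICALL))
```

The volume check needs only access logs; the multicall check needs request bodies, which most servers do not log, so it is best run at a WAF or reverse proxy that sees the POST payload. The simplest mitigation for sites that do not use the XML-RPC interface is to block xmlrpc.php at the web server or return false from WordPress's `xmlrpc_enabled` filter; a CAPTCHA on the login form alone does nothing against this traffic.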

The group's efforts were centered largely on EU countries, and in addition to hacking, its operatives spread misinformation about coronavirus vaccines on social media. Some individuals associated with the group have been accused of being behind anti-Covid protest movements.

Although most of the group's targets were ordinary companies, high-profile attacks, all of which failed, were launched against the Maryland Society of Accountants, a Chinese medical association, and a law school in Russia.

Although governments initially dismissed TFM's efforts, many international organizations have begun to take notice, and to take action. We decided to publish this report to bring attention to the group's malicious activities in the hope of eventually shutting down TFM's operations. Businesses and ordinary citizens should know how to secure their own computer systems and how to respond appropriately to intrusions.

Tripetta is an American travel website that sells flights, hotels, and cruises to people who want to buy not only vacations, but experiences.