German Election: Waiting For Leaks

Assessing online conversations about document dumps

Timeline of tweets posted on the various leak-related hashtags on Twitter, from November 2016 to July 2017.

Hackers already targeted elections in the United States and France. Are they building the infrastructure to attempt the same in Germany?

Germans go to the polls in September to elect a new parliament, the Bundestag. Chancellor Angela Merkel, running for a fourth term, and her conservative Christian Democratic Union (CDU) party, enjoy a comfortable lead over their main rival, Martin Schulz of the Social Democratic Party (SPD).

Opinion poll from Emnid / Bild am Sonntag, July 23, 2017, showing the CDU and its Bavarian sister party, the CSU, at 38 percent, well ahead of the SPD, at 25 percent. (Source: wahlumfrage.de)

But ahead of the poll, concerns have arisen that hackers may attempt to influence the vote by leaking stolen emails, as in the United States in 2016 and France in 2017.

Hackers are known to have raided Bundestag accounts in 2015, reportedly stealing 16-gigabytes (GB) of data; the CDU was targeted in 2016; at least ten members of parliament were reportedly targeted in March 2017. German intelligence has repeatedly spoken of a hacking campaign “directed from Russia” — also a parallel to the hacks in the United States and France.

Since the emails were stolen, attention turned to the question of where, and how, the emails might be leaked.

Particular concern has focused on a website, btleaks.com, and an associated Facebook page, @BTLeaks. @DFRLab analyzed these pages. We also analyzed online traffic around nascent hashtags including #BTleaks (short for Bundestagleaks), #Merkelleaks, #Schulzleaks, #CDUleaks, and #SPDleaks on Facebook, Twitter, VKontakte, and elsewhere online. (We analyzed traffic on #AfDleaks, a hashtag associated with leaks regarding the far-right Alternative für Deutschland party, in a separate study here.)

These analyses show that assorted “BTleaks” sites are probably not related to the German election.

They further show that traffic on the various “-leaks” hashtags listed above is low, and not uniform. Traffic on #CDUleaks, #SPDleaks, and #Schulzleaks is largely been satirical.

The odd one out is #Merkelleaks, which enjoyed a spike in traffic in mid-March following a suggestive tweet from WikiLeaks, which was largely amplified by accounts with a pro-AfD stance, a pro-Russian stance, or both.

BTleaks: An unlikely connection

In Germany, the bulk of media attention has focused on the phrase “BTleaks.” As both Die Zeit and Der Tagesspiegel reported, a website called btleaks.com was created in January, but not populated.

The status of the btleaks.com page as of July 25. Archived on July 25, 2017. (Source: btleaks.com)

Die Zeit wrote on May 10 that the URL “could” stand for Bundestagleaks; a month later, Der Tagesspiegel quoted CDU parliamentarian Thomas Jarzombek, the party’s spokesman for internet policy, predicting that btleaks.com would be used to drop the stolen emails before the election.

On June 24, the German online magazine Focus quoted intelligence sources saying that btleaks.com, as well as another site, btleaks.org, and a Facebook page, BT Leaks, had been set up by the Russian hacker group known as Fancy Bear or APT28.

The BT Leaks page on Facebook. Archived on July 25, 2017. (Source: facebook.com)

In fact, three websites with the phrase “BTleaks” were registered on January 13, using popular online service GoDaddy, which provides user anonymity: these were btleaks.com, btleaks.org, and btleaks.net.

Whois record for btleaks.com, with the date of creation highlighted. (Source: whois.domaintools.org)

Whois record for btleaks.net. Note the same creation date. (Source: whois.domaintools.org)

Whois record for btleaks.org — again, with the same creation date. (Source: whois.domaintools.org)

The sites were updated in March; however, as of July 21, no content had been posted on any of them.

It is, in theory, possible that these sites were set up to host leaks from the Bundestag; however, this seems unlikely.

First, the page was created in 2014, well before the Bundestag hacks.

The BTleaks “about” page, showing its start date.

The page’s latest post — on January 25 — promises “everything you wanted to know from #infringement to #fraud #BTleaks #billettechnology #deepthroat.”

Archived on July 25, 2017. (Source: BT Leaks / facebook.com)

A Google search for the phrase “Billet technology,” as mentioned in the hashtag, leads to two Florida-based online stores for auto parts, billettechnology.net and custombilletstore.net, with identical headers and content.

(Source: billettechnology.net)

(Source: custombilletstore.net )

A further search reveals the URLs billettechnology.com and custombilletstore.com, both of which have been seized by the U.S. Immigration and Customs Enforcement (ICE) agency in a case linked to copyright infringement.

(Source: custombilletstore.com)

The ICE website announced in April 2016 that it had seized the sites after inspectors acquired “multiple brand-infringing auto parts” there. This announcement matches two of the hashtags on the BT Leaks Facebook page — #infringement and #billettechnology.

(Source: ICE.gov)

A further indication that the BT Leaks page may be linked to this infringement case, not to the German election, emerges from a Facebook post from a user in Lake Worth, Florida. The image shows a truck advertizing the site largeunmarkedtruckracinggroup.com; the accompanying comment calls it “part of the BTLeaks.com group.”

@DFRLab has chosen not to disclose this Facebook post in the interests of privacy. (Source: facebook.com)

A Whois search for this site shows that it, too, was registered via GoDaddy on January 13, and was updated in mid-March. The name of the registrant organization is also available via the Whois record. No content has been posted on the site.

Whois record for largeunmarkedtruckracinggroup.com. @DFRLab has chosen not to disclose the name of the registrant organization, in the interests of privacy. (Source: whois.domaintools.org)

It is noteworthy that the four accounts — the three BTLeaks sites and the one LargeUnmarkedTruckRacingGroup site — were registered on the same day, which was also the date when the Facebook post featuring the truck was made.

Taken together, these factors suggest that the BTleaks set of websites and the BT Leaks Facebook page are connected to the automotive world in Florida (with “BTleaks” presumably referring to “Billet technology leaks,”) not the German elections (in which “BTleaks” refers to “Bundestagleaks”) — despite speculation to the contrary.

Neither the Florida-based Facebook account holder that posted about btleaks.com nor the registrant organization behind the site largeunmarkedtruckracinggroup.com appears to have any connection with German politics.

Traffic on Twitter

Instances of the various leak-related hashtags can be found across social media. The highest volume of traffic — although still low — was on Twitter.

According to a machine search for the terms #Merkelleaks, #Schulzleaks, #CDUleaks, #CSUleaks, #SPDleaks, and #BTleaks from July 2016 to July 2017, they were used 515 times in total, starting on November 7, 2016.

#Merkelleaks accounted for almost half the uses (247), followed by #CDUleaks (127), #SPDleaks (49), #Schulzleaks (17), and #BTleaks (15).

The number of tweets posted on the various leak-associated hashtags from November 2016 to July 2017. (Source: @DFRLab machine scan)

Traffic on these hashtags was not uniform. Twitter use of #SPDleaks spiked in January; of #Merkelleaks, in March. #BTleaks enjoyed some traffic in May, while #CDUleaks popped up in June, with a secondary surge in July.

Timeline of tweets posted on the various leak-associated hashtags, from November 2016 to July 2017.

In each case, the traffic was driven by a specific media article or tweet. The January spike on #SPDleaks, for example, followed a tweet on January 4 from the user @faz_donalphonso, who blogs for the daily Frankfurter Allgemeine Zeitung (FAZ).

The tweet was cryptic — “‘He won’t be with us any more’ #spdleaks #sozisunter4 #bittehauunsnicht” — but appears to have referred to a minor political scandal, in which a member of the SPD, Christopher Lauer, published a critical email from an AfD supporter who worked at the state-run savings bank Sparkasse. The move to expose the name of the emailer provoked some criticism and led to reports that the emailer had been fired.

The same day, @faz_donalphonso joined a conversation between Lauer, the Sparkasse employee’s daughter, and the Sparkasse press office (@kskgg). This supports the notion that this was likely the subject of his #SPDleaks tweet.

Over the following 24 hours, the #SPDleaks tweet was retweeted 31 times, and received a number of replies. However, the traffic quickly died off, and did not create a trend.

The same can be said of the other incidents. Twitter traffic on #CDUleaks, for example, kicked off on June 22, when the youth wing of the SPD — @Jusos — posted a satirical tweet lampooning what it portrayed as the CDU’s election posters, all of them plastered with images of Merkel:

“In an hour’s time, the @CDU will present their election campaign. We’ve got the motif already!”

This triggered a brief spike in the hashtag’s use and a combination of retweets and humorous comments, not to mention a good-humored conversation with the official CDU account.

CDU: Not a bad idea. We’ll take it on board. Jusos: With pleasure! Do you want another election suggestion? Content. You can try it too. CDU: Spoiler: On July 3, the joint CDU-CSU program will be launched.

Again, it did not last.

The traffic on #BTleaks in May, meanwhile, was driven by the aforementioned article in Die Zeit about the creation of the site btleaks.com. Use of the hashtag was associated with references to the site as a possible place for dumping leaked information:

“Summing up #BTleaks: 16GB of leaked data, at least 16 MPs probed, a week of unprotocolled activity….”

Those who shared the article included analyst Martin Fuchs, who pointed out correctly that the BT Leaks Facebook page pre-dated the website:

“The #btleaks website was registered in January 2017, the Facebook page in April 2014.”

Traffic on the most popular of the hashtags, #Merkelleaks, was driven by two linked tweets on March 13. The first came from the controversial site WikiLeaks, which leaked hacked materials targeting U.S. presidential candidate Hillary Clinton in 2016:

Archived on March 13, 2017.

The tweet was picked up by a Twitter feed called @OnlineMagazin, which attached to it the hashtag #Merkelleaks:

Archived on July 21, 2017.

The @OnlineMagazin post was retweeted over 100 times, and led to a slew of excited comments, such as this:

“Yeeeeeeeeeeeeeeees Gool cool cool”

The hashtag traffic continued sporadically into July, including in replies to WikiLeaks founder Julian Assange:

Archived on July 25, 2017.

The @OnlineMagazin Twitter account is an unusual one. Its posts are primarily in English, although the phrasing appears to be either non-native or machine-translated; many contain anti-migrant sentiment:

The account links to a German-language website called artikelmagazin.de, registered at an address in the town of Haigerloch in south-western Germany. However, the most recent post on the website was made on April 24, 2015; it has been silent since, unlike the Twitter feed.

Some of the accounts that retweeted the @OnlineMagazin post on #Merkelleaks belong in a clearly German political setting. These include, for example, @46616C7365, which posts in German and English, largely from a right-wing, anti-Islam viewpoint, and which has posted six tweets on #Merkelleaks:

“Anatomy of a SJW.” SJW is an abbreviation for “social justice warrior,” often used in far-right circles as a pejorative for liberal activists. Archived on July 31, 2017.

“You can generalize here without a bad conscience: Islam, of whatever sort, means problems and stress.” Archived on July 31, 2017.

The account is functionally anonymous: its handle is an alphanumeric scramble, and its avatar picture is an image of actress Patricia Arquette from the 1997 David Lynch movie Lost Highway. A high proportion of its posts — 75 percent — in the month from June 24 to July 24 were retweets.

Left: Twitter page for @46616C7365. Right: Still of Patricia Arquette in Lost Highway. (Source: cinelists.blogspot.co.uk)

These features are characteristic of semi-automated “cyborg” accounts used to amplify specific political positions.

The same applies to another account that posted repeatedly on #Merkelleaks, @Nis1010101. This account posts mostly in German, and appears to be a supporter of the anti-migrant AfD party.

@Nis1010101 was created on June 5, 2011, but only posted 71 times that year, and 87 times in 2012. Since January 1, 2017, however, it has posted almost 21,000 tweets, at an average rate of just over 100 posts a day.

Table showing tweets from @Nis1010101 by year, from machine scan.

In the month leading up to July 24, it posted 2,616 tweets; of those, 2,245 were retweets, a rate of 85 percent. Like @46616C7365, it is functionally anonymous, providing no verifiable information about the user. It appears to be a political influence account, probably set up with some degree of automation.

These accounts are focused on German politics; as such, their amplification of the #Merkelleaks hashtag is understandable. More striking is the attention paid to the hashtag by a cluster of pro-Kremlin accounts, which largely post in English or Russian, and which focus on other areas, notably the United States and Ukraine.

One of these pro-Kremlin accounts, called @MPreobrazenskij, for example, retweeted 14 posts with the #Merkelleaks hashtag in the space of just over four minutes, from 23:35:18 to 23:39:22 UTC (01:35:18 to 01:39:22 Berlin time).

Some of the retweets posted by @MPreobrazenskij using the hashtag #Merkelleaks on March 13 (times in UTC).

This account retweets — in Russian, English, or German — a mixture of anti-migrant, anti-Merkel, pro-Russian, and anti-Ukrainian tweets.

Other accounts that retweeted @OnlineMagazin’s post include @StormBringer15 and @wavetossed, both of which are pro-Kremlin, tweet primarily in English, and exhibit highly suspect behavior.

Machine scan showing the retweets of @OnlineMagazin’s post by @StormBringer15 and @wavetossed.

@StormBringer15 was created on July 1, 2014. By July 24, 2017, it had posted 242,000 tweets, at an average rate of 216 per day. As of July 24, over 90 percent of its most recent posts were retweets, although, strangely, the only posts it made since April 18 were automated posts about its Twitter following:

(Source: Twitter / Stormbringer15)

@wavetossed joined Twitter in February 2011, but only began tweeting on a large scale in February 2014. It posted a total of 255 tweets between 2011 and the end of January 2014. By July 24, 2017, it had posted 298,000 tweets, at an average rate of 240 per day; every one of its most recent 200 posts was a retweet.

Twitter traffic from @wavetossed, from a @DFRLab machine scan.

Both @StormBringer15 and @wavetossed appear to be largely automated; both are strongly pro-Russian. In a machine scan @DFRLab conducted for November 2016, they were among the most active German-language amplifiers of Kremlin broadcasters RT and Sputnik.

The #Merkelleaks hashtag was thus boosted by a combination of largely German-focused political accounts, and by a number of accounts whose main activity appears to be amplifying pro-Kremlin messaging.

One other account stands out: an account called @equitsia, which tweeted twice on #Merkelleaks:

Archived on July 21, 2017.

Archived on July 21, 2017.

@equitsia (SIA equitsia) is listed as a Latvian-based wealth management company, headed by a German called Bruck M. Kimmerle. The same name is linked to a Twitter feed handled @widerstandsnetz (“resistance net”), which gives a location in Berlin, but whose tweets are protected.

(Source: @widerstandsnetz / Twitter)

Facebook and VK

The leak-related hashtags also had some limited traffic on Facebook and VK. The pattern was similar to that on Twitter: #Merkelleaks was chiefly used by far-right accounts, while #Schulzleaks and #CDUleaks were used for humor.

The SPD youth wing was involved, this time on #Schulzleaks, posting a mock CDU campaign leak claiming that if Schulz won, baby seals and unicorns would die out, among other catastrophes:

The second bullet reads, “If Martin Schulz wins the vote, all the baby seals will die (and unicorns)!” The fourth from the bottom claims that he is the daughter of former chancellor Helmut Kohl. (Source: JusosTuebingen / facebook.com)

The same humorists also drove traffic on #CDUleaks:

(Source: Jusos in der SPD — Youth in the SPD / facebook.com)

#Merkelleaks was the only hashtag used in anger. On March 18, a Facebook user called Widerstand.berlin shared a post headlined, “Merkel is dead,” using the WikiLeaks tweet and Merkel’s first awkward meeting with U.S. President Donald Trump to predict her political collapse.

The Widerstand account uses the same avatar image — a hand in the colors of the German flag — as @widerstandsnetz on Twitter.

The same account shared, in January, an article from the notorious fake-news site anonymous.ru (which the @DFRLab analyzed here) claiming that Merkel’s doctorate degree is a fake. Again, it used the hashtag #Merkelleaks:

(Source: Widerstand.Berlin / facebook.com)

Bruck M Kimmerle — the man who is listed as the head of SIA equitsia, who is therefore associated with the #Merkelleaks hashtag on Twitter as mentioned above, and whose name is the screen name of the @widerstandsnetz Twitter account — also shared these posts. Kimmerle is active both on Facebook and VK, where he calls on users to “kill Facebook.”

Source: Bruck.Kimmerle / VK.

Other posts by Kimmerle on VK were anti-Merkel and anti-migrant — and also critical of the AfD, portrayed as a “traitor” to the “anti Regime resistance movements.”

The use of #Merkelleaks on Facebook and VK therefore appears centered on a small community of accounts that includes Kimmerle, who has crossover reach onto Twitter via the @widerstandsnetz and @equitsia handles.

Conclusion

A number of conclusions can be drawn from this analysis. First, the cluster of BTleaks websites appears unrelated to German politics. The association with those web addresses is likely to be coincidental; it is more likely that these sites are connected to the automotive world in Florida.

Second, WikiLeaks remains a key, and keenly-watched, influencer. It played a significant and controversial role in the U.S. election, targeting Clinton with a sustained flow of leaks; its influence, especially among far-right and pro-Kremlin users, is significant.

Finally, only the #Merkelleaks hashtag has elicited genuine interest so far, and primarily in far-right and/or pro-Kremlin circles. These appear to be the constituencies that are keenest on propagating any leaks; they can be expected to drive traffic on any genuine leaks that can be portrayed as harmful to Merkel. Nevertheless, their reach is small.

Ben Nimmo is Senior Fellow for Information Defense at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).

Follow along for more in-depth analysis from our #DigitalSherlocks.