Berlin’s high court should rebuild computer system after Emotet infection, report finds

The court handles criminal and terrorism cases with sensitive witness lists.

Berlin’s highest court should completely rebuild its computer infrastructure after hackers ran roughshod through the network and likely stole data in the process, according to a forensic report released Monday.

Poor security controls allowed the attackers to install two types of information-stealing malware last fall, said the study conducted by an IT subsidiary of Deutsche Telekom and released by German lawmakers investigating the incident.

“A motivated attacker would have been able to use this network structure to infect almost every device,” the report states.

The court, known as the Kammergericht in German, is the highest court for the city-state of Berlin. It handles criminal and terrorism cases with sensitive witness lists, which could be valuable data in the hands of a profit-seeking attacker.


Sven Herpig, a cybersecurity expert with the German think tank SNV, pointed out that attackers are increasingly using data exfiltration as a means of holding victims hostage. Stolen data could be used to blackmail the court, he said.

The report “shows how fragile and insecure the [agency’s] entire infrastructure support was,” added Herpig, a former official at Germany’s Federal Office of Information Security (BSI).

While the end goal of the hackers is unclear, the report outlines how they were able to gain broad access to the court’s data by burrowing into the network using an infected computer. An unspecified amount of data very likely left the court’s computer system after the Emotet malware was installed in September, followed by the Trickbot malware, investigators said. The Trickbot code stole passwords saved on the computer system, as well as those entered into online backing sites, the report found.

Security researchers track online spikes in spam emails that come with Emotet, which has been around since at least 2014, as possible precursors to other malware infections. Criminal hackers have in the last two years used Emotet and Trickbot in tandem, the former as a foothold into the network and the latter to move within it.

Germany is by no means the only country to grapple with Emotet infections, but authorities there have had their hands full.


The BSI last month warned the public about the spread of Emotet through malicious email attachments purporting to be sent from German federal agencies. That same week, officials in the City of Frankfurt had to take their computer networks offline after Emotet struck.

For its part, the U.S. Department of Homeland Security last week reported on a recent increase in Emotet attacks.

The forensic report on the Berlin court computer network said the hack was an opportunity to rebuild.

The court “can use the current situation to construct a powerful and secure new network and to limit the damage in future incidents,” the report states.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts