Bundeswehr espionage
No hack, just sitting at the table: Russia listened to the Taurus talks in such a spectacularly unspectacular manner
The Taurus in action: Ukraine would like to have such cruise missiles from Germany, but Olaf Scholz stands by his no.
© South Korea Defense Ministry / AP / DPA
The fact that Russia intercepted the Bundeswehr’s Taurus conversations shocked the public at the weekend. What’s even more frightening, however, is how little espionage skills were required.
Imagine you are about to have a discreet business conversation, a confidential family discussion or a salary negotiation. Would you sit on the subway, go to a café or perhaps go to the market square? And how would you react if someone just stood there and listened with undisguised curiosity? Exactly. And yet in the case of the Taurus conversations that were intercepted, this is apparently how it happened: the secret group met in public, so to speak.
This has become increasingly clear since the Russian wiretapping operation became known. After excerpts from the secret conversations were published on Russian television last week, the Military Intelligence Service (MAD) is urgently investigating how this could have happened. According to the findings so far, not much espionage activity was necessary on the Russian side: The The Bundeswehr apparently did not even comply with the minimum standards for protected communication.
Secret conversations over open lines
This starts with the choice of platform: The conversations took place via the US service Webex, which is also used by many companies for business conversations. The deputy head of the parliamentary control committee, Roderich Kiesewetter (CDU), confirmed this to ARD. Basically, Webex is not insecure. Set up correctly, the platform offers an encrypted connection that is decrypted for each participant. The provider itself cannot then listen to the conversations.
However, this was obviously not the case with the Bundeswehr: the encryption only works if all participants also use the Webex app. If someone logs in via the browser or dials in via telephone, the protective measure is automatically switched off. According to information from “Bild am Sonntag”, that was exactly the case. According to the newspaper, the conversation was not conducted via an app, but was set up as a telephone conference in which individual participants’ cell phones were called from a Bundeswehr landline telephone. Then you could have done without Webex – it was an unencrypted telephone conversation.
Access via the router
But something that would be even easier to intercept via Webex in such a case, because: Instead of specifically tapping into individual telephone lines, general access to one of the Internet lines in use would be sufficient. This is easier than you might think: While the lines of authorities or the Bundeswehr are usually well protected, things are different when one of the participants dials in from their home office via their private connection – or, as in the case of the Taurus -Conversations, from a hotel in Singapore. If the line is only tapped at one point, the entire conversation is no longer secure. It is not yet known whether the conversation partner in Singapore took part via a hotel connection or a classic telephone connection.
In the case of the Taurus talks, things could actually be worse. “Unfortunately, there are increasing indications that a Russian participant has obviously dialed into the WebEx. And it was obviously not noticed that there was another dial-in number there,” explained Kiesewetter in an interview with the ARD program “Report from Berlin”. In plain language, that would mean that the Russian secret service did not even secretly tap the line. Rather, as an official participant, he would have been visible to the others.
Just like sitting down at the table in a café. And no one protests.
Defense Minister Boris Pistorius emphasized in a short statement on Sunday whether that was really the case has not yet been proven. The exact technical process of the espionage is still being investigated; he expects “complete clarification.” The general suitability of Webex is now being tested, said the minister. In his opinion, the software has protective measures and, if used correctly, can also be used for secret conversations “up to a certain level of trust and secrecy.”
Security is also a matter of application
However, this only applies if all participants actually know the requirements – and also observe them. All participants must be aware that an individual participant switches off encryption via telephone. And then be avoided.
The Bundestag’s military commissioner, SPD MP Eva Högl, also sees a need for training among personnel in addition to the search for safe technology. “Firstly, all those responsible at all levels of the Bundeswehr must immediately receive comprehensive training on protected communications,” she told several newspapers. “Secondly, it must be ensured that secure and secret information and communication is possible in a stable manner.” If this is not the case, adjustments must be made quickly, for example by providing the German military intelligence service MAD with additional resources.
Kiesewetter suspects that a few more revelations about recorded conversations can be expected by then. “I think this is widespread,” he told Die Welt. “This is just the tip of the iceberg.”
Sources: Picture on Sunday, Heise, World, Report from Berlin