German and Ukrainian actions expand cyber operations: BND surveillance powers and a ransomware disruption
German lawmakers are advancing draft legislation to significantly expand the Bundesnachrichtendienst’s (BND) hacking and surveillance authorities, including intercepting full internet communications (not just metadata), retaining collected data for up to six months, and extending the agency’s offensive mandate to hack foreign internet service providers to obtain target information when companies do not cooperate. Reporting indicates the proposal is partly aimed at reducing reliance on the US NSA for threat intelligence and bringing Germany’s capabilities in line with other European services; it would also broaden who can be surveilled, including foreigners inside Germany and certain journalists tied to foreign state-run media, and would enable intrusive operations such as deploying a “federal trojan.”
Separately, Ukrainian and German law enforcement reported disrupting a Russian-affiliated ransomware operation, identifying and searching two suspects in Ukraine alleged to have served as “hash cracker” specialists who extracted/cracked password hashes, used stolen credentials for lateral movement and privilege escalation, and supported ransomware deployment and data exfiltration for extortion. Authorities seized digital devices and cryptocurrency assets and said an alleged Russian organizer has been identified, with foreign partners suggesting possible links to the Conti ransomware ecosystem. A third item—a Citizen Lab job posting—does not report a specific incident and is primarily recruitment content, despite referencing prior research on targeted phishing and spyware threats.
Timeline
Jan 19, 2026
Authorities identify alleged organizer and seek Interpol listing
Investigators identified a Russian citizen suspected of creating and leading the ransomware group, with possible ties to the Conti operation. At Germany's initiative, the suspect was placed on an Interpol international wanted list as part of the multinational investigation.
Jan 19, 2026
Ukraine and Germany disrupt ransomware group and search suspects
Ukrainian Cyber Police and National Police, working with Germany's BKA, disrupted the ransomware group and searched two suspected members in the Ivano-Frankivsk and Lviv regions. Authorities seized digital media, devices, and cryptocurrency assets during the operation.
Jan 18, 2026
German draft law proposes major expansion of BND hacking powers
A draft German law reported in January 2026 would significantly expand the Bundesnachrichtendienst's surveillance and offensive cyber authorities. The proposal would allow interception of full internet communications, retention of collected data for up to six months, hacking of foreign ISPs, and broader surveillance of foreigners in Germany and some foreign state-run media journalists.
Jan 1, 2022
Ransomware group begins targeting organizations worldwide
Investigators said the Russian-affiliated ransomware group conducted attacks against Western companies, institutions, and government bodies from 2022 through 2025, causing losses estimated in the hundreds of millions of euros. The group allegedly used stolen or cracked credentials to gain access, move laterally, escalate privileges, encrypt systems, and extort victims.
Related Stories

German Government Pushes More Offensive Cyber Response Amid Ongoing Public-Sector Disruptions
Germany’s federal government signaled a shift toward a more **offensive posture** in response to cyberattacks. Interior Minister **Alexander Dobrindt** said Germany intends to “strike back,” including actions abroad to disrupt attackers and destroy their infrastructure, with operations to be carried out jointly by intelligence services and the **Bundeskriminalamt (BKA)**. The Interior Ministry also plans a new defense center for **hybrid threats**, prepared by the domestic intelligence service, to improve coordination across government levels; Dobrindt framed the move as a response to persistent attacks on institutions, critical infrastructure, and companies, often attributed to groups linked to state services (including Russia). Separately, the **Staatliche Kunstsammlungen Dresden** (a network of 15 museums) reported continued operational impacts from a **cyberattack**, with museums remaining open but key services still impaired, including online ticketing, card payments on-site, the online shop, and visitor services. Police and the state criminal office initiated investigations, and the Dresden public prosecutor indicated the case may be handled by Saxony’s specialized cybercrime unit (ZCS). The UK government’s discussion of building a **digital ID** system in-house is policy/technology governance reporting and does not describe a specific cyber incident or vulnerability tied to the German developments.
1 month ago
Hacktivist Cyber Operations Escalate Amid Geopolitical Tensions
A newly formed Russian-aligned hacktivist coalition calling itself **Russian Legion** (reportedly comprising Cardinal, The White Pulse, Russian Partizan, and Inteid) announced “**OpDenmark**,” a campaign of **DDoS attacks** intended to disrupt Danish government services and critical infrastructure and pressure Denmark to reverse military support for Ukraine. Reporting indicates the group issued an ultimatum tied to Denmark’s planned **1.5 billion DKK** aid package, followed by service disruptions across multiple Danish organizations, including repeated targeting of the **energy sector**; analysts characterized the actor as *state-aligned but not state-funded*, using disruption and psychological pressure rather than confirmed destructive intrusions. Separately, a new hacktivist group, **Punishing Owl**, claimed a breach of a Russian government security agency, publishing stolen documents and using DNS manipulation to redirect traffic to attacker-controlled infrastructure hosting the leak and a manifesto. The operation reportedly expanded into **business email compromise** against partners/contractors and included tooling such as the **ZipWhisper PowerShell stealer**, with lures using password-protected ZIPs and disguised LNK files to execute PowerShell downloaders. An additional opinion piece highlighted a broader rise in **energy infrastructure** cyber operations (including referenced events affecting Poland and Venezuela) but did not provide corroboration or direct linkage to the Denmark DDoS campaign or the Punishing Owl intrusion.
1 month ago
Germany Identifies Alleged REvil and GandCrab Leader Behind 130 Ransomware Attacks
Germany's Federal Criminal Police Office (**BKA**) identified 31-year-old Russian national **Daniil Maksimovich Shchukin** as `UNKN`/`UNKNOWN`, the alleged leader and public face of the **GandCrab** and **REvil** ransomware operations, and named **Anatoly Sergeevitsch Kravchuk**, 43, as an alleged developer. Authorities said the pair were involved in ransomware activity from early 2019 through at least July 2021 and linked them to **130 attacks in Germany**, including about **25 cases** that generated roughly **€1.9 million** in ransom payments and caused more than **€35 million** in economic damage. German investigators described GandCrab and REvil as highly organized **ransomware-as-a-service** enterprises that helped popularize **double extortion** and relied on affiliates, access brokers, malware obfuscation providers, and money-laundering support. REvil was among the most prolific ransomware groups, hitting major victims including **JBS** and **Kaseya**, before collapsing under mounting law-enforcement pressure after the FBI infiltrated its infrastructure; the gang briefly resurfaced before disappearing in late 2021, followed by affiliate arrests in Romania and a broader disruption announced by Russia's **FSB** in 2022.
1 month ago