Tag - State-backed hacking

EU solar power lobby buckled under legal pressure from Huawei
BRUSSELS — Huawei was rushed back into the EU’s most influential solar panel lobby after threatening legal action in reaction to its earlier expulsion over its alleged involvement in a bribery and corruption scandal.   That’s outraging other solar power companies, worried that creating a special membership category for Huawei could undermine the ability of SolarPower Europe to effectively represent the industry in Brussels.  “The conduct reported … specifically the handling of Huawei’s membership has seriously undermined both my personal confidence and that of our organization in the governance of SPE,” Elisabeth Engelbrechtsmüller-Strauß, CEO of Austrian company Fronius, wrote in a letter to SPE, which was obtained by POLITICO.  Lawyers for Huawei and SolarPower Europe met at the end of May for negotiations, an industry insider told POLITICO, which culminated in SPE sending a final agreement to the Chinese company at the beginning of September.   Huawei argued that the European Commission’s decision to ban its lobbyists from any meetings with the executive or the European Parliament was unlawful and did not warrant a full expulsion from SPE, said the insider, who spoke on condition of being granted anonymity over fears of retaliation for speaking out.  The ban on Huawei lobbyists was put in place in March after Belgian authorities accused the company of conducting a cash-for-influence scheme and bribing MEPs to ensure their support of Huawei’s interests.  At the time, Huawei maintained it has a “zero-tolerance stance against corruption.”  During the Sept. 29 meeting to reinstate Huawei’s membership, SPE told its board of directors that the organization wanted to avoid a lawsuit and a potentially costly trial.  Instead, SPE proposed making Huawei a passive member that would not actively participate in the group’s workstreams — an option the board accepted, POLITICO reported earlier this month.   
Huawei did not respond to a request for comment about its legal threat.  SPE acknowledged the threat in a letter to Fronius, one of its board members, on Thursday. “Based on legal advice and with the assistance of external lawyers, SolarPower Europe held discussions with Huawei with a view to avoiding litigation and protracted legal uncertainty regarding Huawei’s membership status, while preserving SolarPower Europe’s uninterrupted and unrestricted access to the EU Institutions and other relevant stakeholders,” reads the letter obtained by POLITICO.  The SPE’s letter was a response to an Oct. 20 letter from the Austrian solar panel manufacturer sent to the lobby after POLITICO’s story was published on Oct. 9. Fronius called for full transparency over the reinstatement of Huawei and action against any appearance of corruption.  The Austrian company’s concern is that SPE will be “unable to effectively represent” the sector given the EU’s ban on direct contact with Huawei or groups that lobby on its behalf, Engelbrechtsmüller-Strauß told POLITICO in an email.   Fronius is also raising questions about whether SPE can designate a company as a passive member — a status that does not exist in the organization’s bylaws.  “To our knowledge, SPE’s status do not include such a membership category,” Fronius’s letter to SPE reads. “We request a clear explanation of what this form of membership is based on.”  SPE did not raise the issue of member status in its response to Fronius.   The lobbying practices of Huawei and other Chinese companies are under a microscope over concerns around the influence they wield over crucial technologies, including renewable energy and 5G mobile data networks.  While it is better known as a telecom giant, Huawei is also a leader in manufacturing inverters, which turn solar panels’ electricity into current that flows into the energy grid.  
Cybersecurity experts warn inverters offer a back door for bad actors to hack into the grid and tamper with or shut it down through remote access.  Two members of the European Parliament sent a letter to the European Commission earlier this month warning of such risks and urging the executive to restrict high-risk vendors like Huawei from investing in Europe’s critical infrastructure.  “Inverters are the brain of a [solar panel] system, connected to the internet and must be remotely controllable for updates. This applies regardless of who the manufacturer is,” Engelbrechtsmüller-Strauß said. “If European legislation does not address the ‘manufacturer risk,’ then energy security in Europe will be jeopardized, which I consider critical.” 
Technology
Cybersecurity and Data Protection
Energy and Climate
EU-China relations
Lobbying
Notorious Russian hackers behind 2017 ‘Macron leaks,’ France says
PARIS — French authorities on Tuesday accused Russia’s most high-profile hacking group of orchestrating cyberattacks on President Emmanuel Macron’s 2017 election campaign. This is the first time France has publicly accused Moscow of being behind the affair known as “Macron leaks,” which resulted in the disclosure of thousands of documents that belonged to the then-candidate’s campaign team. A statement from the French Ministry of Foreign Affairs said Russia’s intelligence service, the GRU, has been carrying out attacks for several years against French interests. The unit accused of carrying out the attacks was the infamous APT28, also known as Fancy Bear. That group has previously been sanctioned by the EU for hacking the German Bundestag in 2015. It has also been tied to the hack of the U.S. Democratic National Committee in 2016 and email accounts belonging to Chancellor Olaf Scholz’s Social Democratic Party in 2022 and 2023. The French ministry said that the hacking group was used “to target or compromise a dozen French entities” since 2021, and was also being used to put pressure on Ukraine’s infrastructure. France’s cybersecurity agency said in a paper that French ministerial agencies were targeted as well as various private sector actors, including in the finance and aerospace sectors. France’s Foreign Minister Jean-Noël Barrot posted a message on X saying France “observes, blocks and fights its adversaries,” along with a video about the “silent war” waged by Russia against France. It is rare for the French government to call out perpetrators of cyberattacks on its territory by name. In recent weeks, though, Macron has upped the rhetoric against Russian President Vladimir Putin, in a bid to pile the pressure on ceasefire talks between the U.S. and Russia. Last week, Macron called on Putin to “stop lying” on his desire to peacefully end the war in Ukraine in an impassioned exchange with reporters. Previously, the French president also warned U.S. President Donald Trump that Putin was playing games at the end of an international summit in Paris.
Politics
Elections
Intelligence
War in Ukraine
Cybersecurity and Data Protection
European Parliament’s Iran delegation chair victim of Tehran-linked hacking
A prominent European Parliament member was the victim of what is believed to be a cyber-espionage operation tied to her role as chair of the chamber’s Iran delegation, she told POLITICO. The office of Hannah Neumann, a member of the German Greens and head of the delegation spearheading work on European Union-Iran relations, was targeted by a hacking campaign that started in January, she said. Her staff was contacted with messages, phone calls and emails by hackers impersonating a legitimate contact. They eventually managed to target a laptop with malicious software. “It was a very sophisticated attempt using various ways to manage that someone accidentally opens a link, including putting personal pressure on them,” Neumann said. Neumann was made aware of the ongoing ploy four weeks ago by the German domestic intelligence service, she said. The group thought to be behind the attack is a hacking collective associated with the Iranian Revolutionary Guard, known as APT42, according to a report by the Parliament’s in-house IT service DG ITEC and seen by POLITICO. Another Iranian hacking group, called APT35 or Charming Kitten, was initially considered a culprit too. The two Iranian threat groups are closely related. Hackers as part of these groups were behind the operation that stole internal communication of Donald Trump’s presidential election campaign last year, leaking it to media including POLITICO. The Trump campaign later confirmed it was hacked, blaming Iran. Neumann’s office laptop was targeted by the hackers earlier this year, she said. Parliament’s IT services carried out an investigation and said in their report that no sensitive information was taken since “all attempts were blocked by EP defenses” and it had been an “incomplete infection chain.” Neumann said the Iranian regime “tried in many different ways to make me shut up and they haven’t succeeded. 
By infiltrating my office they hoped to get material they could use to [compromise] me.”

INFECT, COLLECT DATA

Google’s Mandiant Threat Intelligence service has previously found APT42 posing as journalists and event organizers to build trust with victims through ongoing correspondence, and to deliver invitations to conferences or legitimate documents, as a way to steal credentials and use them to gain access to cloud servers. According to DG ITEC’s report, the so-called spear-phishing attack on Neumann was an attempt to infect the laptop and collect credentials, “with the likely intent of exfiltrating sensitive information or executing further espionage actions.” The specific fraudulent identity that was used to establish contact with Neumann’s office was that of Matthew Levitt, a former United States FBI and government official who had had several exchanges with Neumann before. The fake Levitt email asked for the German lawmaker to speak at a conference as part of his role at the Washington Institute for Near East Policy. It attached a link to download an alleged “highly confidential and thus encrypted” note. As chair of the Parliament delegation for relations with Iran, Neumann regularly engages with trade unions, civil society organizations, human rights lawyers and activists fighting for democracy in the country. Neumann previously sat on the Parliament’s special inquiry committee into the use of Pegasus and other spyware in Europe. “I work on spyware. I work with a lot of diaspora communities. So on a theoretical level I am always ready for something like this to happen. I check my phone regularly,” she said. The attacks were “another way to further intimidate me and show me how powerful they are,” she said. “It was clearly a message coming from the [Iranian] Revolutionary Guards to make me shut up, which they have tried in different ways before. The right answer is to speak up … I have a duty to speak up,” she said.
Parliament spokesperson Delphine Colard said in a statement that the chamber’s services “constantly monitor cybersecurity threats as well as potential cyberattacks against its working environment and quickly deploy the necessary measures to prevent them or support the users. Due to the sensitive nature of the activity, we do not provide further comment on [European Parliament] security or cybersecurity matters.”
Politics
Intelligence
Security
Cybersecurity and Data Protection
Exclusive
Russian state hackers target European diplomats — with fake wine-tasting events
BRUSSELS — Russian hackers sure know their target audience. A hacking group previously linked to Russian intelligence services has in past months targeted European diplomats with invitations to fake wine-tasting events from a European foreign affairs ministry, new research released Tuesday showed. Cybersecurity firm Check Point said the Russia-linked group known as Cozy Bear had targeted European diplomatic entities with emails bearing subject lines like “Wine Testing [sic] Event” and “Diplomatic Dinner.” The emails contained malicious software to compromise victims’ security. Cozy Bear is one of Russia’s most notorious hacking groups. It is believed to have conducted major hacks like the intrusion into the United States Democratic National Committee in the run-up to the 2016 presidential election, as well as the recent massive hack of software firm SolarWinds, described as the largest attack ever. Western security services have previously linked Cozy Bear, also known as APT29 and Midnight Blizzard, to Russia’s SVR foreign intelligence service. The hackers behind the new campaign posed as a “major” European foreign affairs ministry, sending the fake invitations to targets, particularly foreign ministries, as well as to the embassies of non-EU countries located in Europe. Rather than being steered to a full-bodied red or a crisp white, diplomats who opened the attachment in the emails would inadvertently download the malicious software. Check Point has been tracking the campaign since January. Sergey Shykevich, a researcher at the firm, declined to say which foreign affairs ministry the hackers had impersonated, saying only that it was “one of the big ones” in the European Union.
Commenting on the choice of wine as a lure, Shykevich said: “Someone on the attacker side had a good idea.” Shykevich added that Check Point had not established whether the hacking attempts were successful. The firm said in its research that it had found indications that diplomats in the Middle East were also targeted. Two European diplomats told POLITICO they regularly get warnings about phishing attempts, but haven’t received one about this specific campaign. The attack is an updated version of a similar campaign previously identified by Google.
Intelligence
Industry
Cybersecurity and Data Protection
Diplomacy
Cyber Espionage
Russia taps cybercriminals to keep military pressure on Ukraine
Russian intelligence agencies are relying more on cybercriminal groups loyal to the Kremlin to support the country’s disruption campaigns in Ukraine, Google said in a new report. “Russian intelligence services have increasingly leveraged pre-existing or new relationships with cybercriminal groups to advance national objectives and augment intelligence collection,” the researchers said in the report published Wednesday. Criminal tools are often easily available on the dark web at a low cost, and thus much cheaper and faster-developing than malware and tools designed by intelligence services’ hacking groups themselves, the researchers at Google’s Threat Intelligence group said. The report comes on the eve of the Munich Security Conference later this week, where cybersecurity officials will gather to discuss international efforts to defend countries against the growing barrage of cyberattacks, among other security issues. The new research showed an increasingly blurred line between state-to-state cyber aggressions on the one hand and defending governments and industry organizations against cybercrime on the other. The latter has traditionally been seen as more financially motivated. Other benefits are that it obfuscates who is behind a hack and that, if an operation using certain malware is discovered, the cost of developing a new tool does not fall on the intelligence agency, researchers said. As an example, Russia’s notorious military intelligence hacking unit APT44 (also called Sandworm) has used tools acquired from cybercrime gangs to conduct espionage and disrupt Ukrainian war efforts since the beginning of the war in 2022, researchers said. Crime gangs like CIGAR (also known as RomCom) were found to deploy ransomware to carry out undercover operations against the Ukrainian government, they added.
Defense
Intelligence
Law enforcement
Military
War
Romania’s security chiefs confirm election cyberattacks, request TikTok probe
BUCHAREST — Romania’s top national security officials said today they had found cyberattacks intended to influence the fairness of the country’s first presidential election round on Sunday. They didn’t say when the cyberattacks took place or what exactly they targeted, but the officials suggested Russia might have been involved. “Romania, together with other countries on NATO’s Eastern Flank, has become a priority for the hostile actions of some state and non-state actors, particularly the Russian Federation, which has a growing interest to influence Romanian society’s public agenda and social cohesion,” the Supreme Council of Defense of the Country said in a statement.  It wasn’t immediately clear what kind of information had become available since Monday, when President Klaus Iohannis’ office said he hadn’t received any intelligence about potential foreign election interference. The Supreme Council — chaired by Iohannis, the outgoing president — includes the prime minister, the defense minister and the leaders of the intelligence services. Iohannis called a meeting Wednesday following stunning results in the first round of the presidential election, which saw little-known independent ultranationalist Călin Georgescu win, edging out Prime Minister Marcel Ciolacu, who didn’t make it to the Dec. 8 runoff. The Supreme Council also called out the video-sharing platform TikTok, which it said gave preferential treatment to one candidate.  While the Supreme Council didn’t name Georgescu, its statement clearly referred to him. TikTok didn’t identify Georgescu as a political candidate and didn’t mark his content with a specific election code, as required by Romanian law, the Supreme Council said. While the other candidates were marked as such and their videos filtered, the same didn’t happen for Georgescu, which significantly increased his visibility, it said. 
The Supreme Council asked law enforcement authorities to further investigate TikTok for violating Romanian election law. The statement adds to a tense political situation in Romania and might add reasons to a demand in front of the Constitutional Court to nullify Sunday’s election.  The Constitutional Court demanded a ballot recount earlier today and will meet again Friday to consider the request to cancel the first presidential election round.
Defense
Social Media
Technology
Courts
Cybersecurity and Data Protection