The Qilin ransomware group has stolen data from Die Linke, a German democratic socialist political party, and is threatening to leak it.

On March 27, a day after the threat actor compromised its network, the party disclosed a cyber incident but stopped short of confirming a data breach.

Founded in 2007, the Die Linke (Left Party) is currently represented in the German parliament (Bundestag) through 64 members. It has 123,000 registered members and participates in several state governments, especially in eastern Germany.

“According to current findings, the attackers aim to publish sensitive data from the internal areas of the party organization as well as personal information of employees at the party headquarters,” Die Linke says.

“It is currently unclear whether and to what extent this has succeeded or has already occurred. However, such a risk exists.”

The party clarified that its membership database wasn’t impacted, specifically stating that the attackers failed in their effort to obtain member data.

Die Linke said that it received information that behind the attack is the Qilin ransomware group, describing the threat actor as Russian-speaking cybercriminals that are both financially and politically motivated. The German party also said that the attack on its systems “does not appear to be coincidental in this context.”

“Such digital attacks, and ransomware use in particular, are often part of hybrid warfare and constitute an attack on critical infrastructure,” commented the party.

On April 1st, Qilin claimed the attack on Die Link publicly, adding it to the list of victims on its data leak site without publishing any data samples.

Threatening to publish stolen data is a standard pressure tactic to coerce victims into paying a ransom.

Die Linke has notified the German authorities and filed a criminal complaint with the police. Additionally, the party is working with independent IT experts to help them safely restore impacted systems.

Russia-linked threat actors have targeted political parties in Germany in the past. In 2024, Mandiant uncovered a campaign from APT29 targeting CDU, a major political party in the country, with a backdoor named WineLoader.