The group, dubbed “Pawn Storm” by security firm Trend Micro, used email phishing tricks and attempted to install malware at think tanks tied to Chancellor Angela Merkel’s Christian Democratic Union (CDU) party and coalition partner, the Social Democratic Party (SPD), Feike Hacquebord said.

Hacquebord and other experts said the attacks, which took place in March and April, suggest Pawn Storm is seeking to influence the national elections in the two European Union powerhouses.

“I am not sure whether those foundations are the actual target. It could be that they used it as a stepping stone to target, for example, the CDU or the SPD,” Hacquebord said.

The mysterious cyber spying group, also known as Fancy Bear and APT 28, was behind data breaches of U.S. Presidential candidate Hillary Clinton and Merkel’s party last year, Hacquebord said.

Other security experts and former U.S. government officials link it to the Russian military intelligence directorate GRU. Hacquebord and Trend Micro have stopped short of making that connection.

Russia has denied any involvement in the cyber attacks.

Since 2014, Merkel has pushed the European Union to maintain sanctions on Russia over its actions in eastern Ukraine and Crimea. Her coalition partners, the Social Democrats, back a more conciliatory stance towards Moscow.

“What we are seeing is kind of a replication of what happened in the United States,” David Grout, a Paris-based technical director of U.S. cyber security firm FireEye, said of technical attacks and efforts to spread fake news in Europe.

Hacquebord said on Monday he had found new evidence that Macron’s campaign was targeted by Pawn Storm.

FAKE SERVERS

German officials have told Reuters that politicians fear sensitive emails stolen from senior lawmakers by Russian hackers in 2015 could be released before the election to damage Merkel, who is seeking a fourth term, and her conservative party.

Trend Micro uncovered efforts to break into the accounts of CDU politicians in April and May 2016. The BSI, Germany’s federal cyber security agency confirmed these attempts but said they were unsuccessful. New attacks in 2017 suggest renewed efforts to gain comprising data is underway, Hacquebord said.

Pawn Storm set up a fake computer server located based in Germany at kasapp.de to mount email phishing attacks against the CDU party’s Konrad Adenauer Foundation (KAS) and a server located in the Ukraine at intern-fes.de to target the SPD’s Friedrich Ebert Foundation (FES).

A KAS spokesman said BSI warned KAS in early March of “peculiarities” but that a subsequent network scan by the government cyber security agency found “nothing suspicious.”

The BSI declined to comment, as did the Friedrich Ebert Foundation.

Kremlin spokesman Dmitry Peskov dismissed allegations of Russian involvement.

“We would be pleased if this investigative group sent us the information, and then we could check it,” Peskov told reporters on Tuesday. “Because for now it does not go beyond the boundaries of some anonymous people.”

Trend Micro published a 41-page report charting Pawn Storm attacks over the past two years, building on a dozen previous technical reports. A timeline can be downloaded here.