Angela Merkel is well-known for her sober-minded and rational style of government. But in a debate in the German parliament, the Bundestag, on May 13 this year the chancellor was unexpectedly emotional in her response to a question that had come from opposition ranks. What, she was asked, did the government know about the 2015 cyberattack on the Bundestag, during which data was stolen from Merkel's own parliamentary office?
Merkel said there was "hard evidence" that Russian intelligence was behind the hacker attack, in which an estimated 16 gigabytes of data, documents, and emails were siphoned off from the Bundestag's IT network – including thousands of emails from Merkel's Bundestag office. The chancellor clearly believes the cyberattack is linked with what she sees as Russia's "strategy of hybrid warfare including cyber disorientation and fact manipulation."
"I can honestly say, it pains me," said the chancellor, clearly referring to her efforts to bring about better bilateral relations with the Russians.
Attacks and counter-attacks
The chancellor's forthright comments marked a turning point in the public perception of the threat posed by Russian cyberattacks. It was a turning point that first became apparent a few days earlier, when German Attorney General Peter Frank issued an arrest warrant against Dimitry Badin. Investigators are convinced that the 29-year-old Russian is behind the spectacular attack on the Bundestag in the spring of 2015. The attacker's malware had lodged itself so deeply in the network that the network had to be completely shut down and rebuilt.
EU cyber sanctions regime
The arrest warrant was followed by political measures. At the end of May, Russian Ambassador Sergei Nechayev was summoned to the German Foreign Ministry, where he was told that Berlin would "press for action in Brussels for implementation of the EU cyber sanctions regime against those responsible for the hacking attack on the Bundestag, including Dimitry Badin."
It was agreed that, if threatened with cyberattacks that could have a "significant impact," the EU could respond with sanctions against the individuals and institutions responsible for the aggression. In concrete terms, the measures included an entry ban into the EU plus the freezing of assets.
The potential sanctions were above all important, says Julia Schütze, Project Manager at the Transatlantic Cyber Forum, because of the "political-strategic symbolism."
From July, Germany will be taking over the rotating presidency of the EU Council and the foreign ministry has told DW that Berlin has "put forward proposals for a list of sanctions" linked with the hack attacks and is cooperating closely with its EU partners. It is, though, a long process that begins at a European Council working group in Brussels: the "Horizontal Working Party on Cyber Issues."
But German diplomats insist that a list of proposed sanctions will be put forward in Brussels on 3 June.
The FBI has also been building a case against Dimitry Badin. He is believed to be among intelligence operatives involved in hacking into and stealing documents from the computers of Hillary Clinton and the Democratic Party, among others, during the 2016 presidential election campaign in the USA. The aim: to secure victory in the election for Donald Trump.
A report published by the investigative research platform Bellingcat also suggests that there are close ties between Badin and Russia's GRU military intelligence agency. Badin's address, for instance, is identical with the official address of the GRU unit 26165.
This unit operates under a number of other shady and controversial names, above all as Fancy Bear, but also Sofacy Group, Pawn Storm, and Sednit. Many IT experts and Germany's Office for the Protection of the Constitution prefer to use the technical term APT28, whereby APT stands for "advanced persistent threat."
And the threat really is persistent. Cybersecurity specialists FireEye, who have been monitoring the threat posed by Russian state-backed hackers since 2007, see a link between the Bundestag attacks, efforts to manipulate the outcome of the US election, and a long list of other attacks, such as those on the World Anti-Doping Agency (WADA), the Organization for Security and Co-operation in Europe (OSCE) or the North Atlantic Treaty Organization (NATO).
Help from the Netherlands
But investigations are not easy. Not least because of the problem of attribution: proving who did what and when. This is above all because in the often-murky world of virtual reality it is easy to set up false trails that put investigators on the wrong track. Just as easy: wiping away traces of one's own nefarious activities. There are enough technical and investigative sources that pick up on apparently criminal activity. But the information they gather is rarely concrete and watertight enough to stand up in a court of law.
All the more important, therefore, was support that German investigators got from colleagues in the Netherlands. In the spring of 2018, a Dutch counterintelligence team had thwarted a planned attack on the headquarters of the Organization for the Prohibition of Chemical Weapons (OPCW). The Dutch probe came into the possession of a wide range of technical equipment. And it was this that, according to Julia Schütze at the Transatlantic Cyber Forum, made it possible to provide the attorney general with a clear trail leading to Badin and GRU.
However, even a short visit to the attorney general's website clearly illustrates the huge diversity of the cyberthreat: "Among the best-known cases," the site claims, "is the attempt made by US intelligence services to spy on Chancellor Angela Merkel's mobile telephone." But: "The allegations could not be fully substantiated and taken to court. The case was closed in 2015."
It will be interesting to see whether Germany can, beginning in July, use its position as President of the European Council to make sure that the hack attack on the Bundestag does not go unpunished.