Cyber CSS Blog

Bundestag Hack Redux: More Smoke Than Mirrors


This article was originally published by the Council on Foreign Relations on 8 June 2020.

In early May, it was reported that Germany’s federal prosecutor issued an arrest warrant for Dmitriy Badin, the Russian hacker behind the 2015 cyberattacks targeting the Bundestag. Despite this, it is unclear what steps the German government has taken to pursue Badin internationally and how Germany and the United States will manage their separate efforts to arrest him.

On May 5, 2020, the Süddeutsche Zeitung reported that the German federal prosecutor issued an arrest warrant for Russian military intelligence officer Dmitriy Sergeyevich Badin for the Bundestag hack in May 2015. To secure the warrant, Germany’s federal police, the Bundeskriminalamt (BKA), worked tirelessly over the past five years with foreign partner agencies in the United States and the Netherlands to piece together a trail of evidence leading them to Badin and another yet unnamed co-conspirator.

Badin is well-known to the U.S. Department of Justice (DOJ). In July 2018, he and eleven other Russian intelligence officers were indicted by a grand jury in the District of Columbia for interfering with the 2016 U.S. presidential election by breaching the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC). Three months later, Badin was again indicted, along with six other Russian intelligence officers, by a grand jury in the Western District of Pennsylvania for “computer hacking activity spanning from 2014 through May of 2018, including the computer intrusions of the United States Anti-Doping Agency (USADA), the World Anti-Doping Agency (WADA), and other victim entities during the 2016 Summer Olympics and Paralympics and afterward.” Officially, the group Badin is part of is known as the 85th Main Special Service Centre of the Main Intelligence Directorate of the General Staff (GRU). Unofficially, they have gained notoriety under CrowdStrike’s naming convention “Fancy Bear” and FireEye’s classification “APT28”.

The issuance of a sealed fifty-page arrest warrant for Badin by the German federal prosecutor was greeted by many observers as a major development, as it marks the first time that a country other than the United States has sought the arrest of an adversarial nation-state cyber operative. Notably, the DOJ has been going after nation-state cyber operators since May 2014, when a grand jury in the Western District of Pennsylvania indicted five Chinese military operatives for computer hacking and economic espionage against U.S. nuclear power, metals, and solar products industries.

But does the German arrest warrant mirror U.S. efforts on public attribution and hunting state-sponsored cyber actors across the globe? The answer is sadly no.

The first problem with the German move is that neither the BKA nor the federal prosecutor has made any public statements regarding the arrest warrant. According to the federal prosecutor’s press office, standing procedure is to not release any public information until Badin is indicted by a court—not merely sought with a warrant—or arrested. This stands in contrast to the U.S. approach, which first indicts a fugitive and then issues arrest warrants. This means that the public release of U.S. indictments goes hand-in-hand with DOJ statements, the issuance of FBI most wanted posters, and the publication of court documents that detail the offending charges.

Given this discrepancy, it should not come as a surprise that the German federal prosecutor has so far not contacted the Russian Ministry of Justice to request the extradition of Badin, and the German Ministry of Foreign Affairs only officially informed the Russian Ambassador about the warrant on May 28, 2020.

Notwithstanding the fact that Russia does not extradite its own citizens, it is unknown whether the German federal prosecutor actually approached Interpol to issue a red notice for Badin—the closest existing instrument to an international arrest warrant. Red notices are notorious for their opaqueness because only the country that requests the issuance of a red notice can divulge its existence. In that way, fugitives are left guessing and have no idea whether they will be arrested when traveling abroad. It is also unknown whether the BKA bilaterally informed its partner agencies abroad to disseminate the warrant.

Furthermore, there is probably also no European Arrest Warrant (EAW) out for Badin. As Eurojust — the European Union’s (EU) judicial cooperation unit — explains, “following the [Court of the European Union] judgement of 27 May, German public prosecutors remain in charge of preparing the EAWs, but the German courts have the competence to issue them.” Given that Badin’s arrest warrant has not been assessed by a court, it is highly improbable that an EAW would have been issued. When asked via email, Eurojust merely noted that they “cannot provide further information on this particular case.”

In sum, at best, the federal prosecutor requested a red notice for Badin and the BKA bilaterally informed their counterparts abroad. At worst, the German arrest warrant has not been disseminated and only applies within German territory.

The second problem with the arrest warrant is that in the hypothetical event that Badin gets arrested outside of Russia, Germany will have to compete with the United States for his extradition. If Badin is extradited to the United States first, he will most likely spend decades in prison before the United States extradites him to Germany to stand trial. In contrast, if Badin is extradited to Germany first, he will probably face a lesser sentence before being extradited to the United States for the real deal.

Stefan Soesanto is a Senior Researcher in the Cyber Defense Team at the Center for Security Studies (CSS) at ETH Zurich.
