Bundestag Hack Redux: More Smoke Than Mirrors
Stefan Soesanto is a senior researcher in the cyber defense team at the Center for Security Studies (CSS) at ETH Zurich. You can follow him @iiyonite.
On May 5, 2020, the Süddeutsche Zeitung reported that the German federal prosecutor issued an arrest warrant for Russian military intelligence officer Dmitriy Sergeyevich Badin for the Bundestag hack in May 2015. To secure the warrant, Germany’s federal police, the Bundeskriminalamt (BKA), worked tirelessly over the past five years with foreign partner agencies in the United States and the Netherlands to piece together a trail of evidence leading them to Badin and another yet unnamed co-conspirator.
Badin is well-known to the U.S. Department of Justice (DOJ). In July 2018, he and eleven other Russian intelligence officers were indicted [PDF] by a grand jury in the District of Columbia for interfering with the 2016 U.S. presidential election by breaching the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC). Three months later, Badin was again indicted, along with six other Russian intelligence officers, by a grand jury in the Western District of Pennsylvania for “computer hacking activity spanning from 2014 through May of 2018, including the computer intrusions of the United States Anti-Doping Agency (USADA), the World Anti-Doping Agency (WADA), and other victim entities during the 2016 Summer Olympics and Paralympics and afterward.” Officially, the group Badin is part of is known as the 85th Main Special Service Centre of the Main Intelligence Directorate of the General Staff (GRU). Unofficially, they have gained notoriety under CrowdStrike’s naming convention “Fancy Bear” and FireEye’s classification “APT28” [PDF].
The issuance of a sealed fifty-page arrest warrant for Badin by the German federal prosecutor was greeted by many observers as a major development, as it marks the first time that a country other than the United States has sought the arrest of an adversarial nation-state cyber operative. Notably, the DOJ has been going after nation-state cyber operators since May 2014, when a grand jury in the Western District of Pennsylvania indicted five Chinese military operatives for computer hacking and economic espionage against U.S. nuclear power, metals, and solar products industries.
But does the German arrest warrant mirror U.S. efforts on public attribution and hunting state-sponsored cyber actors across the globe? The answer is sadly no.
The first problem with the German move is that neither the BKA nor the federal prosecutor has made any public statements regarding the arrest warrant. According to the federal prosecutor's press office, standing procedure is to not release any public information until Badin is indicted by a court—not merely sought with a warrant—or arrested. This approach stands in contrast to the U.S. approach, which first indicts a fugitive and then issues arrest warrants. This means that the public release of U.S. indictments goes hand-in-hand with DOJ statements, the issuance of FBI most wanted posters, and the publication of court documents that detail the offending charges.
Given this discrepancy, it should not come as a surprise that the German federal prosecutor has so far not contacted the Russian Ministry of Justice to request the extradition of Badin, and the German Ministry of Foreign Affairs only officially informed the Russian Ambassador about the warrant on May 28, 2020.
Notwithstanding the fact that Russia does not extradite its own citizens, it is unknown whether the German federal prosecutor actually approached Interpol to issue a red notice for Badin—the closest existing instrument to an international arrest warrant. Red notices [PDF] are notorious for their opaqueness because only the country that requests the issuance of a red notice can divulge its existence. In that way, fugitives are left guessing and have no idea whether they will be arrested when traveling abroad. It is also unknown whether the BKA bilaterally informed its partner agencies abroad to disseminate the warrant.
Furthermore, there is probably also no European Arrest Warrant (EAW) out for Badin. As Eurojust—the European Union’s (EU) judicial cooperation unit—explains, “following the [Court of the European Union] judgement of 27 May, German public prosecutors remain in charge of preparing the EAWs, but the German courts have the competence to issue them.” Given that Badin’s arrest warrant has not been assessed by a court, it is highly improbable that an EAW would have been issued. When asked via email, Eurojust merely noted that they “cannot provide further information on this particular case."
In sum, at best, the federal prosecutor requested a red notice for Badin and the BKA bilaterally informed their counterparts abroad. At worst, the German arrest warrant has not been disseminated and only applies within German territory.
The second problem with the arrest warrant is that in the hypothetical event that Badin gets arrested outside of Russia, Germany will have to compete with the United States for his extradition. If Badin is extradited to the United States first, he will most likely spend decades in prison before the United States extradites him to Germany to stand trial. In contrast, if Badin is extradited to Germany first, he will probably face a lesser sentence before being extradited to the United States for the real deal.
It remains to be seen how the federal prosecutor will move forward with the case and whether the German parliament is happy with the government’s current Russia policy. While German Chancellor Angela Merkel publicly revealed the existence of “hard evidence” in the case and noted that she took personal offense to Russia hacking the Bundestag, it is highly unlikely that this incident will push the German government to overhaul its Russia policy. While others have argued that the arrest warrant could lead to the implementation of EU cyber sanctions, it is more likely to open up future pathways for the German government to impose unilateral economic sanctions, expel Russian diplomats, and leverage other acts of retorsion under international law to change Moscow’s overall behavior toward Berlin.
From an investigative point of view, the cooperation between German agencies at home and partner agencies abroad clearly helped the BKA identify individual nation-state operators. This feat is the pinnacle of attributing computer network intrusions and shows the BKA’s growing capabilities. But whether the BKA’s investigative conduct will stand up to parliamentary scrutiny in the months ahead is currently unclear. Some parliamentarians might claim that the BKA’s investigation was too slow and took too long. Others could view the BKA’s cooperation with foreign intelligence services as problematic. And the majority might question why an arrest warrant was not issued for Badin’s yet unknown co-conspirator.
One thing, though, is for certain: no bread will be broken over this case. The United States and Germany are likely to compete, rather than collaborate, in their pursuit of Badin, and Russia will never let him go.