European countries have weighed sanctioning foreign nationals and entities involved in hacking for months, but talks were mired in secrecy as governments weighed their options. That changed when Chancellor Angela Merkel — previously reluctant to chide Russia over hacking — said last month that Berlin could not "simply ignore" an "outrageous" attack, and her government called for an EU response.
"This is a violation of Germany's sovereignty. That's a big deal, and that's what they're signaling," said Chris Painter, former chief U.S. cybersecurity diplomat under President Barack Obama.
Berlin's embrace of sanctions is likely to convince other EU countries to move forward, experts said.
Capitals "may want to use this occasion to demonstrate that similar attacks against any member state are significant enough to merit sanctions," said Patryk Pawlak, executive officer at the EU Institute for Security Studies, the in-house think tank of the Council of the European Union.
"It would be a clear signal for others to stay away from our political institutions," he added.
The immediate target of Berlin’s ire is Dmitry Badin, a 29-year-old prolific hacker who is also on the U.S. Federal Bureau of Investigation's wanted list for his involvement in the hacking of the 2016 presidential election.
A spokesperson for the German foreign ministry said in a statement last week that Badin is "strongly suspected" of being behind the Bundestag hack, and German prosecutors have issued an arrest warrant for him.
"There are strong indications that he was a member of the [Russian] GRU military intelligence service at the time of the attack," the spokesperson added. The GRU intelligence service includes the notorious hacking group known variously as APT28, Sofacy and Fancy Bear that Badin is suspected to be part of.
When the attack took place in May 2015, the German parliament's computers went dark, and the chamber was later forced to rebuild its entire security system from scratch.
While it remains unclear what data was compromised, the brazenness of the attack and the symbolism of its target have made it a cause célèbre in Germany.
"This is something that's very dear to Merkel," said Julia Schuetze, a researcher at the Berlin-based think tank Stiftung Neue Verantwortung. "She herself was affected, and so were other members of parliament."
Berlin's effort to seek retribution follows years of frustration over Russian hacking as intelligence agencies and cybersecurity firms increasingly tied major attacks to the Kremlin.
In February, a group of European countries and members of the "Five Eyes" intelligence community called out Russia's intelligence service for launching a “totally unacceptable” cyberattack on networks of Georgia's government, courts and other organizations.
That same month, French President Emmanuel Macron told a crowd of security officials in Munich that Russia “will remain a country that tries to intervene” in European elections, and that EU nations "need to be quick in our reaction" and "agree on sanctions."
Already in 2018, Western governments criticized Russia over a series of high-profile cyberattacks, including one on Dutch soil against the Organization for the Prohibition of Chemical Weapons, while the U.K. and the U.S. have said that Moscow was "almost certainly responsible" for the global outbreak of NotPetya ransomware that caused billions of euros in damages.
Germany's effort to bring a European response marks the first serious test of the bloc's sanctions regime, which entered into force in May 2019. So-called restrictive measures like asset freezes and travel bans require the unanimous consent of all EU countries — a difficult hurdle to overcome.
Talks about using the new sanctions against the Russian hacking group started months ago, with cyber diplomats close to agreeing on sanctions against Russian and Chinese entities just before the coronavirus outbreak in Europe, Bloomberg reported.
But the pandemic disrupted the process, three diplomats involved in the talks told POLITICO, as they were barred from meeting physically and the fight against the virus absorbed all political energy.
German diplomats were expected to present their proposal for sanctions against the Bundestag hackers at Wednesday's meeting, which is the first to be held in person since restrictions were enforced in March.
An official at the German foreign office said that "the Federal Government is strongly committed to the EU cyber sanctions regime ... Cyberattacks need to come with a price tag. We find the evidence to be sufficient, and we therefore propose the listing now."
Talks are expected to take weeks as one group of diplomats works on the political level and another works on drafting legal texts with the EU's diplomatic service.
It remains unclear whether diplomats will seek to sanction only those individuals that Germany identified as being behind the Bundestag hack, or whether they will agree on a package of sanctions affecting a larger entity like the GRU's Fancy Bear unit or the intelligence service as a whole.
The German foreign office official said its proposal "includes, but is not limited to Dmitry Badin," adding that, "as this will be subject to sensitive negotiations, we cannot provide more detailed information."