EU Sanctions 2 Russians for German Parliament Hack
European Officials Say Suspected Hackers Worked for Russia's GRU Military Intelligence Unit
The European Union has issued sanctions against two Russian nationals alleged to have hacked Germany's lower house of parliament, or Bundestag, in 2015.
The two suspected hackers are part of Russia's Main Intelligence Directorate, commonly referred to as the GRU, which serves as the military intelligence division of Russia's armed forces, according to the European Council, which defines and enforces the EU's overall political direction and priorities.
The sanctions announced Thursday include travel bans and asset freezes against the two suspected hackers as well as Russia's 85th Main Special Service Center (GTsSS), which is also known as Military Unit 26165. Security researchers refer to this particular division of the GRU as APT28, Fancy Bear, Sofacy Group, Pawn Storm and Strontium (see: Hackers Leak Hundreds of German Politicians' Personal Data).
EU citizens and businesses are now forbidden to engage in any transactions with the individuals or entities named in the sanctions report, according to the European Council.
This is only the second time that the EU has issued sanctions over cyberattacks and hacking attempts aimed at member countries. In August, officials announced an initial round of sanctions against individuals and entities from Russia, China and North Korea over past security incidents (see: EU Issues First-Ever Sanctions for Cyberattacks).
Earlier this week, the U.S. Justice Department indicted six other Russian military officers who worked for a separate GRU unit and are alleged to have carried out a number of destructive cyberattacks, including the NotPetya malware attacks (see: 6 Russians Indicted for Destructive NotPetya Attacks).
The two suspected Russian hackers listed in the latest round of EU sanctions are Dmitry Badin, 29, a military intelligence officer who is assigned to the GRU's Military Unit 26165, and Igor Kostyukov, 59, who is believed to be the first deputy head of the GRU and the leader of Unit 26165, according to the European Council.
"In this capacity, Igor Kostyukov is responsible for cyberattacks carried out by the GTsSS, including those with a significant effect constituting an external threat to the Union or its Member States," the council says.
In 2015, the two Russian men and their military unit caused a significant amount of damage to the IT network of Germany's parliament and stole data that belonged to Chancellor Angela Merkel and other lawmakers, according to the council.
The Russian hackers sent a phishing email in 2015 to several members of the German parliament with a malicious link portrayed as leading to a United Nations website, according to news reports. The attackers further impersonated the U.N. by using the domain "@un.org" to send the emails, which included subject lines such as: "Ukraine conflict with Russia leaves economy in ruins."
When a target of the phishing campaign clicked on the link, it installed malware on their device, enabling hackers to gain a foothold within the IT network of the German parliament. One malware strain used, called Mimikatz, can steal passwords (see: German Parliament Battles Active Hack).
In May, the German newspaper Suddeutsche Zeitung reported that prosecutors had obtained an international arrest warrant for Badin as part of the 2015 hack investigation (see: Russian a Suspect in German Parliament Hack: Report).
Badin, along with six other alleged GRU members, was indicted in 2018 by the U.S. Justice Department on various charges related to interference in the 2016 U.S. presidential election. GRU members are also suspected of hacking the World Anti-Doping Agency in 2017 and then leaking stolen data (see: Feds Indict 7 Russians for Hacking and Disinformation).
Badin and other members of the GRU are believed to be living in Russia and are unlikely to be extradited to face charges in another country.
The European Council first adopted the legal framework to bring sanctions against individuals and organizations associated with nation-state cyberattacks in May 2019, but EU officials did not use the law until this year.
"Sanctions are one of the options available in the EU’s cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities directed against the EU or its member states, and today is the first time the EU has used this tool," according to the European Council.