Hack attack on the Bundestag – arrest warrant against Russians

A blond boy looks into the camera. His hair is short, his expression serious. It is not known when the blurred photo was taken. It shows Dmitriy Sergeyevich (German spelling: Dmitrij Sergejewitsch) Badin, and he looks very young. Today he is said to be 29 years old, born on November 15, 1990 in Kursk, Russia. That is what the wanted poster of the US federal police, the FBI, says. The FBI is searching for Badin worldwide, and all US embassies have also received the information. Strictly speaking, there are two posters on which his photo appears, because Badin is considered a serial offender.

The young Russian, who looks so harmless in the photo, is a soldier. He does not drive a tank, he does not fly a fighter jet, and he probably does not even carry a gun. When Dmitrij Badin goes into battle, he does so at a keyboard. He is said to be a hacker in the state's service, a cyber soldier on behalf of Vladimir Putin. Badin is said to belong to a notorious unit of the Russian military intelligence service GRU, known by the name "Fancy Bear".

The FBI is looking for Badin over two spectacular hacking attacks. One was directed against the World Anti-Doping Agency (Wada), but that case is of less importance in the United States. Another case matters far more: it concerns the manipulation of the 2016 US election, the election that made Donald Trump the winner and the 45th president of the United States. Badin is said to have been one of the men who helped Trump by stealing and selectively publishing emails from his rival Hillary Clinton and the Democratic Party.

The United States has been searching for Dmitrij Badin for two years. Now, however, it is not only the United States looking for the Russian, but also Germany's Federal Prosecutor General, who obtained an international arrest warrant against Badin this week. He is accused of "secret service activity" and "data espionage". Investigators are certain that he was one of the leading minds behind the most spectacular cyberattack the Federal Republic has ever experienced and suffered: the attack on the German Bundestag. Bundestag President Wolfgang Schäuble has also been informed of the arrest warrant.

Five years of painstaking detail work have now also convinced the investigating judge of the Federal Court of Justice. The Federal Criminal Police Office (BKA) was involved, as was the federal police. There was help from the United States and the Netherlands. From the point of view of law enforcement, the warrant now issued against the hacker is a great success. Security authorities now have a relatively good picture of the methods and tools of state-controlled cyber espionage, but it is often unclear who is actually sitting at the keyboard in Moscow, Beijing or Tehran. Identifying individual hackers like Dmitrij Badin (investigators often speak of "naming and shaming") almost never succeeds.

The suspected hacker is unlikely to leave Russia, so a trial any time soon is not to be expected. And even if he were caught somewhere in the world, the United States would have first claim on him. American colleagues have already told German investigators, with all due respect, that the Bundestag hack is a bad thing, but that the manipulation of the US election is far worse.

Not least for that reason, the United States helped with the investigation. One reason is that in Washington the attack on the Bundestag in the spring of 2015 is regarded as case number one: the moment when Russia began what is now called hybrid warfare against the great Western democracies. For a long time, US intelligence circles believed that Vladimir Putin wanted nothing more than to get rid of Angela Merkel, for example by influencing elections.

The intruders soon also controlled the administrator accounts

The attack on the Bundestag began on April 30, 2015. On that day, the hackers cast their bait, and the victims bit. Several Bundestag members received an email almost simultaneously from a sender address ending in "@un.org". It looked like a genuine United Nations email, with the subject line: "Ukraine's conflict with Russia leaves the economy in ruins." The email contained a link to a supposed UN website. In fact, the site had been prepared with malware that installed itself on the computer unnoticed as soon as the link was clicked.

The attackers were now inside the Bundestag network, which at the time comprised more than 5,600 computers with around 12,000 registered users. Step by step, the hackers worked their way through the network using various malware programs, including "Mimikatz", a powerful tool that can extract passwords on a large scale. The intruders also soon controlled administrator accounts, which gave them additional access rights.

The federal prosecutor is convinced he can prove not only that Dmitrij Badin was personally involved in the Bundestag attack, but also exactly when and how. Badin is said to have first created a malware program called "VSC.exe" on May 7, 2015 at 1:29 p.m., and then deployed and controlled it at 1:31 p.m. Access credentials are said to have been harvested with the program.

It was only on May 11, 2015, almost two weeks after the attack began, that an IT security company contacted the Federal Office for the Protection of the Constitution (BfV) with a clear warning. The company monitors suspicious servers around the world that are used to control cyberattacks. One of these servers had suddenly begun communicating with two computers in Germany, and they were located in the Bundestag.

The BfV passed the warning on to the Federal Office for Information Security (BSI) in Bonn. The BSI is responsible for protecting government networks; parliament does not strictly fall within its remit. Nevertheless, shortly afterwards the BSI sent a team to Berlin to support the Bundestag administration.

It was a digital defensive battle the likes of which Germany had never seen. In the meantime, the entire Bundestag computer system had to be shut down. The attack was only brought to an end on May 20, 2015. By then, at least 16 gigabytes of data are said to have been exfiltrated, including tens of thousands of emails from MPs.

The attack could be stopped. But who was responsible for the cyberattack on the Bundestag? Identifying the attackers, which experts call "attribution", is anything but easy. Private IT security companies often analyze the attack methods and malware used and identify, so to speak, the handwriting of individual hacker groups. The particularly capable attackers who keep reappearing are called "advanced persistent threats", APT for short. States and their intelligence services are suspected of being behind them.


During the Bundestag attack, suspicion quickly fell on APT28, a group also known as "Fancy Bear" that had repeatedly targeted government institutions in various countries in the past. Security agencies assume it is "Unit 26165" of the Russian military intelligence service GRU, said to be based at Komsomolsky Prospekt 20 in Moscow, in an inconspicuous building on a military site. During the Soviet era, the GRU unit responsible for code-breaking was housed there.

While so-called "credible intelligence information" is often enough for the intelligence services, law enforcement needs evidence that will stand up in court. So the federal prosecutor commissioned the BKA to investigate the Bundestag attack. The attackers had to be identified and evidence of the virtual break-in secured, a challenge the BKA had rarely faced before. The investigators first secured the only evidence available: the Bundestag's system log files and server data. From there they worked their way forward.

They brought in the federal police, whose specialists in Heimerzheim near Bonn had already been listening in on the agents' radio traffic. Files from private security companies and help from foreign authorities were also useful, and servers on which "Fancy Bear" was still active from time to time were monitored. A spectacular operation in the Netherlands was also of great importance to the BKA's investigation.

In April 2018, the Dutch counterintelligence service discovered a group of Russians believed to belong to GRU unit "26165", also known as "Fancy Bear". The four men had traveled to Amsterdam on diplomatic passports and then driven to The Hague in a rented car. Their target was apparently a striking round building: the headquarters of the Organisation for the Prohibition of Chemical Weapons (OPCW).

A few weeks earlier, the former Russian spy Sergei Skripal and his daughter had been poisoned with the nerve agent Novichok in Britain; the British government blamed Moscow for the attack. The OPCW was involved in the investigation, and its laboratories examined the poison used. Dutch security authorities assume the Russian hacking team had been tasked with breaking into OPCW computers and stealing information.

On April 13, 2018, Dutch investigators intervened, pulled the Russians out of the car and immediately expelled them from the country; because of their diplomatic status, they could not be arrested. Their luggage, including laptops and cell phones, was confiscated. A real treasure trove, also for the investigators in Germany. The material is said to have provided valuable information about Moscow's cyber spies, about "GRU unit 26165" and about Dmitrij Badin.

BKA investigators finally presented the prosecutors in Karlsruhe with the results of their years of work. Two Russian hackers had been identified, and their involvement in cyberattacks in Germany could be documented. In the end, it was enough, at least for now, for just one of them: Dmitrij Badin. Time was of the essence: the Bundestag attack falls under the statute of limitations in a few weeks.