This week the media reported (1, 2) that the German prosecutor's office has issued an arrest warrant for 29-year-old Russian citizen Dmitry Sergeyevich Badin, who is accused of hacking into the systems of the German parliament (Bundestag) in the spring of 2015.
German law enforcement believes that Badin is a GRU officer and a member of the state-sponsored hacking group APT28 (also known as Fancy Bear, Sofacy, Strontium, Grizzly Steppe, and so on), where he was engaged in cyber espionage.
Local media say that between April and May 2015, APT28 penetrated the Bundestag's internal network. To gain the initial foothold, the attackers used phishing emails purporting to come from the UN, tricking parliament staff into opening a malicious document that supposedly claimed the Ukrainian conflict had thrown Russia's economy into chaos. The document infected Bundestag employees' computers with malware, which let the attackers move into the parliament's network of more than 5,600 machines, including its administrative systems.
Citing unnamed sources, the German newspaper Süddeutsche Zeitung reports that the German authorities were able to link the tools and malware used in this attack directly to Dmitry Badin, who at the time was a member of APT28.
Interestingly, U.S. authorities had previously linked Badin and 11 other alleged GRU officers to the 2016-2018 attacks on the U.S. Democratic National Committee, the Democratic Congressional Campaign Committee, individual members of Hillary Clinton's campaign staff, WADA, and others. As a result, Badin is on the FBI's list of most wanted cybercriminals. He remains at large and, according to law enforcement, lives in Moscow.