By Catherine Stupp
Germany is urging its fellow European Union governments to impose the bloc's first-ever sanctions for hacking on a Russian suspect in the 2015 cyberattack on the German parliament.
An EU sanctions framework for cyberattacks took effect last year, allowing the imposition of travel bans to the EU and the freezing of bank accounts there. To impose sanctions, however, all governments in the 27-country union must agree to do so.
Germany had been building up to seeking sanctions in recent months. Chancellor Angela Merkel said in May there was hard evidence Russia was responsible for the 2015 hack. More than 16 gigabytes of data were stolen from the parliament's network, German media reported. In April, the federal public prosecutor issued an arrest warrant for Dmitri Badin, a Russian citizen, the foreign ministry said. Then on May 28, the ministry said it would seek EU sanctions against those responsible for the 2015 incident, only naming Mr. Badin.
The U.S. indicted Mr. Badin and other individuals in 2018 for interfering in the 2016 election and for hacking antidoping agencies between 2014 and 2018. The Federal Bureau of Investigation said Mr. Badin is believed to have been a Russian military intelligence officer.
What effect EU sanctions would have is unclear.
"I see the importance of this more in terms of political messaging than getting very practical effects of ending this activity," said Paul Ivan, a senior policy analyst at the European Policy Centre, a think tank in Brussels.
"We're talking about the parliament of the country, a massive hack in which a lot of information, private email accounts of members of parliament were stolen," Mr. Ivan said. "It's very politically sensitive."
In recent years, European countries have become more outspoken on publicly attributing large cyberattacks to foreign governments. In 2018, several EU countries, along with the U.S., Canada and others, said Russia was behind the 2017 NotPetya attack, which caused major disruptions to companies around the world such as Danish shipping firm A.P. Moeller-Maersk A/S and FedEx Corp. Later in 2018, the Netherlands, the U.K. and the U.S. accused Russia's military intelligence agency of a cyberattack on the Organization for the Prohibition of Chemical Weapons, which is headquartered in The Hague.
But without cooperation from the country to which the hacker is traced, these moves are largely symbolic, said Stefan Tanase, a cyber intelligence expert at the CSIS Security Group A/S, headquartered in Copenhagen.
"The operators of these attacks don't travel, they stay at home and enjoy the full protection of their country. Slapping them with sanctions is like receiving a medal," he said.
European investigators and law-enforcement officials have improved their forensic skills and become better at identifying perpetrators, he said. But they have had little success in stopping government-backed hackers, he added.
Germany's attempt to use sanctions to punish the 2015 cyberattack could motivate other EU countries to call for similar measures, said Stefan Soesanto, a senior researcher at the Center for Security Studies at the ETH Zurich university.
But the 2015 attack on the German parliament could be seen as political espionage, he said, and some EU countries might be hesitant to sanction it because it would draw attention to their own spying. "That will raise the possibility of a double standard," he said.
Estonia, which suffered a major cyberattack in 2007 that breached government, bank and corporate websites, has been particularly active in discussions about cybersecurity with EU countries and at the United Nations. The country will support Germany's bid for sanctions, said Heli Tiirma-Klaar, Estonia's ambassador-at-large for cyber diplomacy.
"Sanctions have a long-term effect of deterring such activities," she said in an email.
In the U.S., the government began a sanctions regime for cyber attacks in 2015 and has since used it against hackers in Iran, North Korea and Russia.
The European measures might also have consequences for companies attacked by hacker groups that have already been sanctioned.
For example, a company that suffers a ransomware attack might pay ransom to the perpetrators to retrieve their encrypted data. But doing so could violate EU sanctions if it turned out those hackers could be identified and had been sanctioned, said Charles-Albert Helleputte, a partner in the cybersecurity and data privacy practice of Mayer Brown LLP in Brussels.
People or organizations that provide financial support for cyberattacks can also face travel restrictions or have their funds frozen under the EU rules. That could include ransoms, Mr. Helleputte said. And companies may struggle to identify the group behind a cyberattack.
"The main consequences aren't really for the attackers themselves, but much more for all organizations who eventually will have to deal with them at some point," Mr. Helleputte said.
Write to Catherine Stupp at Catherine.Stupp@wsj.com