Taming the Problem Bear: "The Russian did it" is not enough
The federal government holds Russia responsible for cases of disinformation and cyberattacks. The attribution sometimes took a very long time.
The AI fake of a supposed schoolgirl, who describes alleged assaults by the then Green Chancellor candidate Robert Habeck, is probably the best-known example of the disinformation campaign for which the German government has now summoned the Russian ambassador. It was recognized as a problem case by authorities about a year ago, shortly after it appeared on X. But there was no specific public warning at first. The problem authorities face with such influence operations is that the vast majority attract virtually no attention and vanish into digital nothingness unless they are picked up by the media.
If an official body discusses disinformation that ten troll accounts are spreading among themselves somewhere in the depths of X, it amplifies their reach many times over and does the attacker's job. Government representatives repeatedly emphasize this, which is why they warn publicly only in rare cases. However, some of the problems in investigating such cases are self-inflicted, because successive federal governments in recent years have repeatedly pursued new approaches to detect attacks early and track down those responsible for operations.
Currently, there are three starting points: In cases of suspected political hacker attacks, the Federal Office for Information Security, the Federal Office for the Protection of the Constitution as intelligence defense, and the state criminal police offices as well as the BKA are involved. In the case of disinformation campaigns, it is more difficult, at least as long as they do not cross the threshold of criminal liability.
Separation between attribution and prosecution
Here, the focus is primarily on observing what happens on the platforms – but the "Central Office for the Detection of Foreign Influence and Information Manipulation" (ZEAM) is still "under construction" according to the Federal Ministry of the Interior, a year and a half after its founding. There, employees from various federal ministries and external service providers are trying to detect influence operations early. The Federal Intelligence Service is responsible for investigating leads abroad in both cases – and has known the relevant actors in Russia, China, and other states for years.
This is less about prosecution, which is hopeless with most countries of origin, than about clarity. The first task is to capture attack vectors and methods as precisely as possible: Were third parties instrumentalized in manipulation attempts? Were new technologies such as deepfake videos used? Was disinformation seeded into language models? Affected parties should also be identified as precisely as possible.
The second task is to find out exactly what goals the attack pursued: Is a hack about sabotage? Espionage? Procurement of material for disinformation campaigns? The third goal of the authorities is to determine as clearly as possible who is behind a campaign and thus which state bears responsibility for it. But who shares what information with whom afterwards is often left to individual assessment rather than a system, government circles repeatedly say.
Better discovered, worse hidden
However, in the case of Storm-1516, which the federal government now seems absolutely certain it can attribute to the "Doppelkopfadler" movement and the so-called "International Center for Political Expertise" in Moscow, the exchange between the authorities seems to have produced a clear result. People working at the authorities involved explain that attribution has recently even become easier: Yes, intelligence gathering has improved. But unlike in more peaceful times, Russian actors in particular are covering their tracks less than before, as they feel more secure. And the probability that they will ever travel to the West and be arrested there for it has massively decreased.
However, the intelligence attribution, i.e., an assignment by the Federal Office for the Protection of the Constitution and the Federal Intelligence Service, took a long time in this case. As early as May 2025, Viginum, an agency in France comparable to ZEAM, published a detailed report on the activities of Storm-1516, of which there is apparently also a classified version. When asked, the Federal Ministry of the Interior cannot explain exactly what the cooperation with the French side looked like or why the German attribution took half a year longer. Because other countries are involved in the campaign, it can only say: "We are in close exchange with our international partners on this matter." Representatives of the Chancellery and the Federal Office for the Protection of the Constitution had pointed out at the beginning of the week that this can still be improved.
Established procedures only in case of suspected IT compromise
In many areas, the procedures are significantly more established when it comes to the identification and attribution of hacker attacks. It is no surprise that the group known as Sofacy Group, Fancy Bear, or simply Advanced Persistent Threat 28 (APT28) is responsible for the intrusion into the IT of the German Air Traffic Control in Langen in the summer of 2024. The not-so-cuddly bear, which has been attributed to the Russian military intelligence service GRU for years, has been linked to attacks on high-value targets in Germany for years, including the networks of the federal government in 2017 or the Bundestag in 2015.
The attack on the SPD in 2022 and on other targets in the same year is also attributed to this professional actor; here, too, the Russian ambassador was summoned. The warning system is also more established: CVE classification, manufacturer warning, affected party warning, public warning with Indicators of Compromise. All of this at least exists, even if there is often still room for improvement in practice. For disinformation campaigns, however, there are still no established standard procedures to this day.
Federal government wants to be able to intervene earlier
The current attributions to Russia come against two political backdrops: on the one hand, the consultations scheduled for Monday in Berlin regarding a possible ceasefire agreement between the aggressor Russia and Ukraine. On the other hand, changes to the legal framework for intelligence services are planned in the coming months. The black-red federal government wants to re-regulate the services' capabilities for detecting, preventing, and responding to attacks and significantly expand their powers.
What exactly this should entail is still being discussed. Federal Minister of the Interior Alexander Dobrindt, politically responsible for cyber and intelligence defense, had explained in November that it was about "taking the infrastructure of attackers offline, disrupting it, destroying it." In response to the disinformation and hacker attacks now attributed, targeted sanctions against responsible persons are being imposed in addition to diplomatic protests. In the past, actors identified as responsible have already been placed on EU sanctions lists.
(nen)