Last updated 2 days ago. Our resources are updated regularly but please keep in mind that links, programs, policies, and contact information do change.
American companies. European servers. Russian-affiliated criminals, probably. And now a question that sounds simple but opens onto a maze of international law, diplomatic friction, and unclear rules about who has authority: Who investigates this?
The answer determines if the FBI can compel foreign governments to hand over evidence, if prosecutors can charge anyone, and if the companies whose secrets were exposed have any realistic shot at accountability, insurance claims, and legal recourse.
Most Americans assume the FBI only operates within U.S. borders. The FBI has specialized cyber attachés in major cities whose entire job is coordinating international hacking investigations. Under a law enacted in 1986 (building on earlier 1984 computer fraud provisions) that’s been amended repeatedly to extend its reach, the FBI has authority to investigate cyberattacks that happen anywhere on Earth if those attacks affect American companies or their data.
The Computer Fraud and Abuse Act and International Jurisdiction
The Computer Fraud and Abuse Act applies regardless of where a criminal is located. A federal prosecutor in Virginia can charge a criminal in Moscow if that person accessed systems containing American company data worth more than $5,000.
The ESA servers easily meet that threshold. SpaceX holds multiple contracts with the Space Force across different procurement phases and launch service lanes, including a National Security Space Launch Phase 2 contract awarded in 2020 with an initial value of approximately $3.34 billion that has grown to $4 billion through contract modifications (with potential value up to $5.9 billion depending on mission requirements), plus extensive NASA contracts for cargo and crew transport to the station. Its proprietary designs, even stored on foreign government servers, relate directly to interstate commerce. Same for Airbus and Thales Alenia, which maintain substantial U.S. operations and government contracts.
The Department of Justice doesn’t prosecute every case where it technically has authority. Internal guidelines require prosecutors to consult with the department’s cybercrime team before bringing CFAA charges. They must consider national security implications, victim impact, deterrence value, and prosecutorial resources.
DOJ decides to pursue the ESA breach based on factors the public never sees: How sensitive was the stolen data? Are the criminals connected to a foreign government? Can we identify and reach them? Is this worth the diplomatic capital it’ll cost to push allies for cooperation? These decisions are made privately within the Justice Department. The companies whose data was stolen don’t get a vote.
Attribution in Cybercrime
Attribution in cybercrime is never simple. Proving who did it requires analyzing malware code, tracing network infrastructure, examining server logs, and connecting digital evidence that sophisticated criminals deliberately hide. The FBI has gotten good at this. What they can do with that knowledge is another question.
International Evidence Requests and Delays
To require a foreign government or company to provide evidence—server logs, financial records, communications between criminals—the U.S. relies on formal agreements between countries to help with criminal investigations. These treaties establish formal legal procedures for requesting help.
The FBI files a formal request through the Justice Department’s Office of International Affairs. That request goes to the foreign country’s government office handling such requests—usually a justice ministry. The foreign country executes the request according to its own laws, which might require judicial approval, privacy protections, and procedural safeguards. Then, eventually, the evidence comes back.
For a cybercrime investigation where evidence might be deleted and criminals might move to new infrastructure, this timeline is problematic.
The U.S. and the EU have created faster procedures specifically for digital evidence, recognizing that digital investigations require faster access to data held by private companies. Even with these improvements, the process remains bureaucratic for investigators racing against time.
An international agreement signed by 81 countries to fight hacking, adopted in 2001, requires signatory states to criminalize hacking in their domestic laws and cooperate with each other through designated 24/7 contact points. Both the U.S. and EU are parties to the Convention. Countries can refuse to help if doing so would violate human rights or their national sovereignty.
Defense Contractors and Mandatory Reporting
SpaceX, Airbus, and Thales Alenia are private companies, but they also work as defense contractors, which means they operate under a separate regulatory framework that most businesses never encounter.
Since 2016, the Department of Defense has required all defense contractors to report cyber incidents within 72 hours of discovery. Pentagon rules apply to any contractor working on DOD contracts—and apply to subcontractors throughout the supply chain. Failure to report can result in contract penalties, termination, or suspension from future government work.
When SpaceX discovered its proprietary information was compromised in the ESA breach, it had a legal obligation to report that to the Department of Defense. These reporting requirements trigger investigation by the Defense Counterintelligence and Security Agency (DCSA). DCSA investigates to determine what damage was done to national security, whether classified information was exposed, and if the contractor should lose security clearances.
The contractors didn’t cause the ESA breach—they were victims of a third party’s breach. But it shows they’re vulnerable when they share sensitive information with foreign organizations. This affects future security reviews that determine if contractors can keep government contracts.
If a foreign government organization you share secrets with gets hacked, the law doesn’t clearly say who’s responsible. The contractors didn’t control ESA’s security practices. They trusted ESA to protect the information. But they chose to collaborate with a foreign entity. Collaboration inherently involves information sharing across borders. Too much security would make it impossible to work together on these missions. But weak security practices lead to exactly what happened here: sensitive technical data in the hands of cybercriminals.
When Criminals Are Beyond U.S. Reach
Assume the FBI’s cyber analysts determine with high confidence that criminals operate from Russia, China, Iran, or North Korea. Say they can identify specific individuals, trace their digital infrastructure, and identify the computers they use.
If the criminals are in a country that doesn’t cooperate with U.S. law enforcement, the FBI can identify them but can’t arrest, extradite, or prosecute them. The U.S. government can levy sanctions and issue indictments that can’t be enforced outside the U.S. But there’s no way to prosecute them.
In the 2014 Sony Pictures hack, U.S. authorities attributed the attack to North Korean state-sponsored operatives. The Justice Department indicted Park Jin-hyok in 2018 on CFAA charges. Park stayed in North Korea, beyond U.S. reach. No extradition treaty exists with North Korea. The indictment was mainly a public statement of blame, not a real prosecution.
In the 2015 Office of Personnel Management breach, which exposed security clearance information for 22.1 million people, U.S. authorities attributed the attack to Chinese government operatives. The primary perpetrators remained in China. The case resulted in diplomatic pressure and enhanced U.S. cybersecurity practices, not criminal trials.
The 2020 SolarWinds supply chain attack, attributed to Russia’s Foreign Intelligence Service, compromised the Justice Department, Homeland Security, Treasury, and other federal agencies. The U.S. issued formal attribution statements, imposed sanctions, and coordinated with allies. But investigation and prosecution of the Russian perpetrators proved impossible. They were in Russia, protected by the Russian government.
Reduced International Cooperation Capacity
In early 2026, the Trump administration eliminated the CISA team that worked with states, cities, businesses, and foreign countries on cybersecurity. This cuts the U.S. government’s ability to work with other countries.
Dr. David Mussington, former head of Infrastructure Security at CISA, warned that the cuts eliminated the team that trained foreign governments to defend against hacking—many emerging from diplomatic agreements signed by U.S. presidents and foreign heads of state. These projects built relationships that help law enforcement work together. When foreign governments have less training and fewer resources to secure their own systems, they become less effective partners in investigating cyberattacks affecting shared interests.
For cases like the ESA breach that need international cooperation, these cuts will slow things down at exactly the wrong time.
The Investigation Process and Its Limits
If the FBI opens a formal investigation, it will work on multiple fronts. Federal agents work through established channels to figure out what data was stolen, gather evidence, and find the criminals. FBI analysts study the attack’s technical details to determine who did it. Federal prosecutors join early to guide the investigation toward evidence that could support charges and request evidence from foreign countries.
The timeline extends months or years. Cyber investigations are harder than traditional crimes because criminals hide their tracks across multiple systems.
If perpetrators are in countries that don’t cooperate with the U.S., the investigation might help prevent future attacks but won’t lead to prosecution. If perpetrators are in allied countries, the U.S. has better tools to prosecute them through extradition or foreign prosecution.
For SpaceX, Airbus, and Thales Alenia, the likely outcome is insurance claims, security reviews, and Pentagon scrutiny. Who gets prosecuted depends on where the criminals are, if the U.S. has good relations with that country, and if the Justice Department thinks it’s worth the effort.
The FBI has jurisdiction. Whether that matters depends on where the criminals are. American companies store secrets on foreign servers and work with foreign governments, assuming those partnerships will keep their data safe. But when those partnerships fail and data is stolen, who investigates and who gets punished depends more on where the criminals are and politics than on the law.
Our articles make government information more accessible. Please consult a qualified professional for financial, legal, or health advice specific to your circumstances.