EU sanctions Russian espionage unit, Chinese and North Korean firms

Image: Guillaume Périgois

The Council of the European Union today announced sanctions imposed on a Russian military espionage unit, as well as on front companies for Chinese and North Korean threat groups involved in cyber-attacks targeting the EU and its member states.

EU's sanctions include asset freezes and travel bans, and forbid EU organizations and individuals from transferring to sanctioned people and entities.

"The Council today decided to impose restrictive measures against six individuals and three entities responsible for or involved in various cyber-attacks," a press release published today reads.

"These include the attempted cyber-attack against the OPCW (Organisation for the Prohibition of Chemical Weapons) and those publicly known as 'WannaCry', 'NotPetya', and 'Operation Cloud Hopper'."

Intelligence service members and front companies

The Council decision published today in the Official Journal of the European Union mentions Unit 74455 of Russia's foreign military intelligence service as one of the entities sanctioned today, an espionage unit whose members were also charged for hacking the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC), in 2016, before the US Presidential Election.

This resolution was determined by Unit 74455's involvement as the threat actor tracked as 'Sandworm' in the June 2017NotPetya (EternalPetya) ransomware campaign and cyber-attacks against Ukraine's power grid in the winter of 2015 and 2016.

GRU members Alexey Valeryevich Mini, Aleksei Sergeyvich Morenets, Evgenii Mikhaylovich Serebriakov, and Oleg Mikhaylovich Sotnikov were also sanctioned for taking part in a failed attack against the Organisation for the Prohibition of Chemical Weapons (OPCW) in April 2018, in the Netherlands.

The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW. — Council of the European Union

Chosun Expo, a front company for the North Korean APT38 hacking group (a subgroup of the Lazarus Group), was also sanctioned for providing technical, financial, and material support to the APT38 hackers.

The Council says that the threat group was behind cyber-attacks "publicly known as 'WannaCry' and cyber-attacks against the Polish Financial Supervision Authority and Sony Pictures Entertainment, as well as cyber-theft from the Bangladesh Bank and attempted cyber-theft from the Vietnam Tien Phong Bank."

Huaying Haitai, a company linked to the Chinese-backed APT10 threat group, was sanctioned for its involvement in the 'Operation Cloud Hopper' cyber-espionage campaign. Two of its employees, Gao Qiang and Zhang Shilong, were also sanctioned today for taking part in the same operation.

One-year-old framework used for the first time

The Council of the EU established the framework that allowed today's sanctions on May 17, 2019, allowing "the EU to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU or its member states, including cyber-attacks against third States or international organisations where restricted measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP)."

This framework is specifically designed to allow the EU to sanction persons and entities responsible for both attempted and successful cyber-attacks if they are either involved or provide financial, technical, or material support to the individuals or groups behind the attacks.

"The EU recognizes that cyberspace offers significant opportunities, but also presents continuously evolving challenges," the Council said at the time.

"It is concerned at the rise of malicious behavior in cyberspace that aims at undermining the EU's integrity, security and economic competitiveness, with the eventual risk of conflict."