On July 30, 2020, the European Council announced sanctions against six individuals and three organizations for their involvement in a series of cyber-attacks that have caused significant damage in the EU and around the world over the last several years.
The announcement follows the EU’s adoption last year of Decision (CFSP) 2019/797, which established the EU Cyber Sanctions regime, recognizing targeted “restrictive measures,” including sanctions, as a vital tool for deterring and responding to cyber-attacks that constitute an external threat to the EU or its Member States.
Pursuant to Articles 4 and 5 of Decision 2019/797, the European Council established its authority to restrict the travel and freeze the funds and economic resources of any persons or entities that are responsible for cyber-attacks or attempted cyber-attacks, or that provide financial, technical, or material support for such cyber-attacks.
In the July 30 Decision, the EU imposed sanctions against six individuals and three entities from China, Russia, and North Korea, all linked to various significant cyber-attacks from the last decade, including the 2017 WannaCry ransomware attacks, the 2018 cyber-attack against the Organization for the Prohibition of Chemical Weapons, and a years-long hacking campaign known as “Operation Cloud Hopper,” which affected the information systems of companies on six continents. As noted below, many of the individuals and entities named in the Decision have also appeared in recent criminal indictments by the U.S. Department of Justice.
The EU imposed sanctions against the following individuals and entities:
- Two Chinese individuals and the entity Tianjin Huaying Haitai Science and Technology Development Co. Ltd for their involvement in “Operation Cloud Hopper”
Sanctions were imposed against Gao Qiang and Zhang Shilong for their alleged involvement in “Operation Cloud Hopper,” the name given to a series of cyber-attacks that targeted information systems and Managed Service Providers of multinational companies on six continents, resulting in the theft of sensitive information from companies and government agencies. Both individuals were employed by Huaying Haitai, which is also subject to sanctions for its financial, technical or material support for the cyber-attacks. Qiang and Shilong have also both been linked to the hacking group known as Advanced Persistent Threat 10 (APT10), which is associated with the Chinese Ministry of State Security.
Shilong was previously included in a December 2018 indictment by the U.S. Department of Justice for his involvement in the years-long global hacking campaign.
- Four Russian individuals for their involvement in an attempted cyber-attack against the Organization for the Prohibition of Chemical Weapons (OPCW)
Alexey Valeryevich Minin, Aleksei Sergeyvich Morenets, Evgenii Mikhaylovich Serebriakov, and Oleg Mikhaylovich Sotnikov are subject to sanctions for their alleged role in an attempted cyber-attack in 2018 against the OPCW, which had been investigating Russia’s use of chemical weapons.
According to the Decision, the four individuals attempted to gain unauthorized access to the Wi-Fi network of the OPCW in the Netherlands, which, if successful, would have compromised the OPCW’s ongoing investigatory work.
All four individuals were also included in a 2018 indictment by the U.S. Attorney’s Office for the Western District of Pennsylvania and the National Security Division’s Counterintelligence and Export Control Section for the attempted attack on the OPCW, as well as a series of intrusions into the systems of anti-doping agencies around the world. These activities were allegedly provoked by anti-doping measures taken against Russian athletes following the 2014 Sochi Winter Olympics and before the 2016 Rio de Janeiro Summer Olympics. The hackers were alleged to have publicly released stolen data, including medical information on athletes and sensitive records and emails from anti-doping agencies, in some cases doctoring the records.
- The Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation
The Main Directorate of the General Staff of the Armed Forces of the Russian Federation, which employed the four Russian individuals listed above, is listed separately in the Council’s decision for its alleged involvement in a series of destructive cyber-attacks between 2015 and 2017, including the 2017 NotPetya attacks and the attacks directed at a Ukrainian power grid in 2015 and 2016. According to the Decision, the Main Centre for Special Technologies is closely linked to the Sandworm hacking group, which is the group of Russian military intelligence hackers thought to be behind NotPetya.
The Main Centre for Special Technologies, which is also known by its field post number 74455, is also listed in the 2018 U.S. indictment against the four individuals named above for acquiring and maintaining the social media accounts and other infrastructure used to carry out the attacks against anti-doping agencies.
- North Korean entity Chosun Expo, for its involvement in the WannaCry attack and other attacks
The Council also imposed sanctions against Chosun Expo, based in North Korea, for allegedly facilitating a series of cyber-attacks against entities around the world, including the 2017 WannaCry ransomware attacks, the 2014 attack on Sony Pictures Entertainment, and the theft of millions of dollars from Bangladesh Bank in 2016. As noted in the Decision, Chosun Expo is believed to be a North Korean government front company linked to the government-sponsored hacking team known as the Lazarus Group, which carried out the WannaCry attacks.
In 2018, the U.S. Attorney’s Office for the Central District of California and the National Security Division’s Counterintelligence and Export Control Section unsealed a criminal complaint against North Korean citizen Park Jin Hyok, a member of the Lazarus Group and an employee of Chosun Expo, for his alleged role in the attacks listed above.