On July 30th, 2020, the EU Commission imposed restrictive measures against six individuals and three entities responsible for or involved in various cyber-attacks. These attacks include the one against the Organisation for the Prohibition of Chemical Weapons (OPCW) and those known as ‘WannaCry’, ‘NotPetya’, and ‘Operation Cloud Hopper’.
The sanctions include a travel ban and an asset freeze. Furthermore, EU persons and entities cannot fund those listed.
The legal framework, which includes targeted restrictive measures against cyber-attacks, was adopted in May 2019 and recently renewed. Sanctions are one of the options available in the EU cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities against the EU or its member states. This is the first time the EU has used this tool.
The targeted individuals include two persons from China, linked to APT10 and designated in connection with Operation Cloud Hopper. The organization employing them is sanctioned too. Operation Cloud Hopper was an espionage campaign that targeted managed IT service providers (MSPs), giving the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally.
The other four persons are Russian, with different roles in the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU). The team of four Russian military intelligence officers attempted to gain unauthorised access to the Wi-Fi network of the OPCW in The Hague, the Netherlands, in April 2018. The cyber-attack aimed at hacking into the Wi-Fi network of the OPCW and, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.
The Main Directorate of the General Staff of the Armed Forces of the Russian Federation is sanctioned too, as it is responsible for cyber-attacks with a significant effect: those publicly known as “NotPetya” or “EternalPetya” in June 2017 and the cyber-attacks directed at a Ukrainian power grid in the winter of 2015 and 2016. The actor publicly known as “Sandworm”, which is also behind the attack on the Ukrainian power grid, carried out “NotPetya” or “EternalPetya”. The Main Directorate of the General Staff had an active role in the cyber-activities undertaken by Sandworm and can be linked to Sandworm.
The other sanctioned organization is Chosun Expo, because it supported and facilitated cyber-attacks against the Union or its Member States.
These attacks include “WannaCry”, those against the Polish Financial Supervision and Sony Pictures Entertainment, as well as cyber-theft from the Bangladesh and the Vietnam Tien Phong Bank. WannaCry was carried out by the actor publicly known as “APT38” or “Lazarus Group”. The links between Chosun Expo and APT38/the Lazarus Group are the accounts used for the attacks.
The attribution of the various attacks has been known for a long time, and books and papers have been written on the attributions, but now it is written in an official document, perhaps to raise an alert about future cyber and hybrid attacks. However, with a bit of hypocrisy, the press release specifies that
“Targeted restrictive measures have a deterrent and dissuasive effect and should be distinguished from attribution of responsibility to a third state.”