In its first ever use of the new framework introduced last year by the EU Council, the EU imposes sanctions on cybercriminals from Russia, North Korea and China. Six individuals were sanctioned, two Chinese citizens and four Russian nationals. Companies sanctioned include an export firm based in North Korea and technology companies from Russia and China.
The New EU Sanctions Framework
On 17 May 2019, the Council of the European Union (aka the EU Council) established a new framework. The framework allows the EU to impose “targeted restrictive measures to deter and respond to cyber-attacks” originating from outside the EU. These sanctions can be applied against individuals or organizations that have either attacked or tried to attack EU member states. Previously sanctions were only applied to governments accused of supporting cybercriminal groups.
The sanctions do not just apply to the cybercriminals themselves. The EU has created a blacklist of individuals and organizations that have conducted cyberattacks against EU companies in the past. Anyone providing “financial, technical or material support” to those blacklisted can also face sanctions. Furthermore, sanctions can be imposed on individuals or organizations just for being associated or otherwise involved with those blacklisted.
The sanctions can include “a ban on persons travelling to the EU, and an asset freeze on persons and entities. In addition, EU persons and entities are forbidden from making funds available to those listed.” However, these restrictive measures can only be imposed with the unanimous consent of all EU member states. Furthermore, the sanctions only condemn individuals or organizations that carried out the attacks, not the governments that support these groups.
In China, the EU sanctions were imposed on the Chinese Technology firm Haitai Technology Development. The company is accused of supporting the cyberattacks known as Operation Cloud Hopper. This operation tried to steal commercially sensitive data from multinationals across the world. Two Chinese individuals allegedly involved in Operation Cloud Hopper were also sanctioned.
China defended itself, with a Chinese diplomatic mission to the EU stating that China “is a staunch defender of network security and one of the biggest victims of hacker attacks.” For example, China accused the US in March this year of cyber espionage. Since then, the US has accused China of targeting Covid-19 Research Organizations back in May. In addition, the US officially named Chinese telecommunication companies Huawei and ZTE as a risk to national security. Furthermore, last month the US charged two Chinese nationals for hacking Covid-19 research facilities.
The statement from the Chinese diplomatic mission also said that China wants global cybersecurity to be maintained through “dialogue and cooperation” and not through sanctions.
North Korean Sanctions
Also sanctioned was the North Korean export company Chosun Expo. Chosun Expo was sanctioned for allegedly supporting the Lazarus Group, a cybercriminal group accused of major attacks worldwide. The Lazarus Group is accused of conducting the world’s biggest cyber heist in 2016. The group stole $81 million from Bangladesh Bank’s account held at the Federal Reserve Bank of New York. The group is also accused of the WannaCry ransomware attack of May 2017. This attack disrupted the IT systems of the UK’s National Health Service and rapidly spread to other government institutions and companies worldwide.
The Chosun Expo is also linked to an attack on Hollywood film studio Sony Pictures in 2014. The studio was attacked in an attempt to prevent the release of a satirical movie about North Korea’s leader, Kim Jong-un. Moreover, the firm is named in relation to attacks on Polish financial sector regulator, the Polish Financial Supervision Authority.
North Korea has denied any involvement in these or other cyberattacks.
EU sanctions in Russia targeted four officers from Russia’s military intelligence service. They were sanctioned for attempting to hack the Organization for the Prohibition of Chemical Weapons (OPCW), in the Netherlands in 2018. The four men’s passport numbers and places of birth were published by the EU as part of their sanctions.
Also sanctioned was the department for specialist technologies of the Russian military intelligence service. The service is known as Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). Furthermore, the EU sanctioned the GRU’s Moscow-based technology branch, the Main Centre for Specialist Technologies (GTST). The EU accused the service of having carried out two cyberattacks in June 2017 that struck several companies in Europe resulting in large scale financial losses. The service was also accused of two cyberattacks against Ukraine’s power grid in the winter of 2015/2016.