EU sanctions against cyberattacks

Recognizing the importance of cyberspace, and having observed an increase in cyberattacks, especially during the coronavirus pandemic (manifested through phishing and malware distribution campaigns, scanning activities and distributed denial-of-service attacks), the European Union has decided to make the fight against them a priority. The EU has repeatedly expressed its concern and demonstrated its solidarity with all countries that were victims of such malicious cyber activities. Consequently, its increasing global cyber resilience has resulted, for the first time, in the imposition of sanctions against such cyberattacks.

In particular, this central decision concerning restrictive measures was taken by the Council on 30 July 2020, on a proposal from the High Representative of the Union for Foreign Affairs and Security Policy and having regard to the Treaty on European Union, especially Article 29 thereof, according to which the Council shall adopt decisions, as in this case, which define the approach of the Union to a particular matter of a thematic nature.

The cyberattacks that fall within the scope of this new sanctions regime are those with potentially significant effects that use infrastructure outside the EU, or that originate from or are carried out by persons or entities established or operating outside the EU that provide financial, technical, or material support or are otherwise involved. Moreover, attempted cyber-attacks are also covered by the same sanctions regime.

Specifically, the Council imposes restrictive measures against six individuals and three entities, included in an annexed list, who were deemed guilty of carrying out or taking part in various cyber-attacks. The natural persons held responsible are GAO Qiang (China), ZHANG Shilong (China), Alexey Valeryevich MININ (Russia), Aleksei Sergeyvich MORENETS (Russia), Evgenii Mikhaylovich SEREBRIAKOV (Russia) and Oleg Mikhaylovich SOTNIKOV (Russia).

The sanctions include a travel ban and the freezing of assets for individuals and entities or bodies. Furthermore, EU persons and entities are forbidden from making funds available, directly or indirectly, to those on the list. Finally, if it is deemed necessary to achieve the common foreign and security policy objectives set out in the relevant provisions of Article 21 of the Treaty on European Union, restrictive measures can also be applied in response to cyber-attacks with a significant impact against third States or international organizations.

As for the sanctioned subjects, the first two, the Chinese hackers, were involved in the hacking campaign “Operation Cloud Hopper”, which targeted information systems of multinational companies on six continents, including companies located in the Union, for example the Swedish Ericsson telecom system, and gained unauthorized access to commercially sensitive data, resulting in significant economic loss. The actors were publicly known as “APT10”, which stands for “Advanced Persistent Threat 10”. Moreover, the two Chinese criminals were employed by Huaying Haitai, an entity that provided support for and facilitated “Operation Cloud Hopper”, and which was therefore also added by the Council to the list of sanctioned bodies.

The three further perpetrators, from Russia, took part in an attempted cyber-attack, with severe potential effects, against the Organization for the Prohibition of Chemical Weapons (OPCW) in the Netherlands (The Hague, April 2018). Luckily, the Netherlands Defence Intelligence and Security Service disrupted it, preventing any serious damage to the Wi-Fi network of the OPCW.

Among the other entities, the Main Centre for Special Technologies, known as “Sandworm”, is responsible in particular for the cyber-attacks publicly known as “NotPetya” or “EternalPetya”, which occurred in June 2017. “NotPetya” or “EternalPetya” rendered data inaccessible in several companies in the Union, wider Europe and worldwide, by targeting computers with ransomware and blocking access to data, resulting, among other things, in significant economic loss. PC systems were infected when they were started up, which prevented users from accessing their computers; the malware then required users to make a Bitcoin payment to regain access to the system. Moreover, other cyber-attacks were directed at a Ukrainian power grid in the winter of 2015 and 2016, and presumably also against Germany and France.

Lastly, the third legal person, Chosun Expo, from North Korea, led the cyber-attacks known as “WannaCry”. This was a large-scale attack in May 2017 on computers of many organizations and companies using Microsoft Windows which, in this case too, encrypted their files and then demanded a ransom to decrypt them. “WannaCry” affected information systems of companies in the Union, including information systems relating to services necessary for the maintenance of essential services and economic activities within the Member States. Moreover, the Chosun Expo entity was found responsible for cyber-attacks against the Polish Financial Supervision Authority and Sony Pictures Entertainment, as well as cyber-theft from the Bangladesh Bank. Additionally, it attempted a cyber-theft from the Vietnam Tien Phong Bank.

The restrictive measures applied are one of the options available in the EU’s cyber diplomacy toolbox, which was adopted on 19 June 2017 expressly to promote security and stability in cyberspace and, more generally, to raise awareness of cyberattacks. As the High Representative declared, this is indispensable to ensure a cyberspace where human rights, fundamental freedoms and the rule of law fully apply. Of course, solid cooperation at the technical, operational, judicial, and diplomatic levels forms a fundamental basis for achieving this.

Additionally, the European Union and its Member States express their willingness to continue to work, within the framework of the United Nations and other appropriate international bodies, on the further development and implementation of rules and principles for responsible behavior in cyberspace, and to protect intellectual property against theft in cyberspace in multilateral forums. In the meantime, in accordance with international law and the 2010, 2013 and 2015 consensus reports of the United Nations Groups of Governmental Experts (UNGGEs) in the field of Information and Telecommunications in the Context of International Security, the EU continues to call upon every country to exercise due diligence and take appropriate action against actors conducting such activities from its territory.