The European Union on Thursday imposed its first-ever sanctions over cyberattacks, slapping them on alleged Russian military agents, Chinese cyberspies, and organizations, including a North Korean firm.
The six people and three groups hit with sanctions include Russia’s GRU military intelligence agency. EU headquarters blamed them in a statement for the 2017 “WannaCry” ransomware and “NotPetya” malware attacks and the “Cloud Hopper” cyberespionage campaign.
EU foreign policy chief Josep Borrell said the sanctions “are a travel ban and asset freeze to natural persons and an asset freeze to entities or bodies. It is also prohibited to directly or indirectly make funds available to listed individuals and entities or bodies.”
Four Russians identified as GRU members were accused of trying to hack the Wi-Fi network of the Netherlands-based Organization for the Prohibition of Chemical Weapons, or OPCW, which has probed the use of chemical weapons in Syria. Dutch authorities foiled the 2018 attack.
The GRU was also sanctioned for NotPetya, which targeted companies that do business with Ukraine and caused billions of dollars in damage globally, and cyberattacks on Ukraine’s power grid in 2015 and 2016.
The two sanctioned Chinese nationals were accused of involvement in “Operation Cloud Hopper,” which the EU said hit companies on six continents, including Europe, through cloud services providers and “gained unauthorized access to commercially sensitive data, resulting in significant economic loss.”
One of the two, Zhang Shilong, was indicted in the United States in December 2018 for his alleged role in the operation, which US authorities said at the time targeted a wide array of industries including aviation, biotechnology and satellite and maritime technology. Also sanctioned by the EU was the Chinese company Huaying Haitai, listed as Zhang’s employer.
The North Korean firm sanctioned is Chosun Expo, which the EU said advanced cyberattacks including WannaCry, the hacking of Sony Pictures, and cyber robberies of Vietnamese and Bangladeshi banks.
A leading US cybersecurity expert noted that the attempt to hack the chemical weapons watchdog involved a rare physical visit to the organization’s facilities in The Hague, Netherlands.
John Hultquist, Senior Director of Analysis, Mandiant Threat Intelligence, said, “The European Union imposed sanctions against multiple people and organizations for their role in several cyberattacks and cyber espionage incidents. The sanctions are tied to the NotPetya and Ukraine blackout attacks carried out by the GRU as well as an act of cyber espionage that was attempted against the OPCW by that same organization. WannaCry was another global destructive event similar to the NotPetya incident that posed as ransomware, though it was carried out by North Korean actors. Cloud Hopper was a long term complex cyber-espionage operation that targeted managed service providers to gain access to third parties that was carried out by Chinese contractors working on behalf of the Ministry of State Security.”
He added, “NotPetya and WannaCry were two of the most devastating cyberattacks in history, causing billions of dollars in damage and disrupting many vital systems, such as those belonging to the UK’s NHS. At least one victim of NotPetya has claimed 1.3 billion dollars in damage. The NotPetya attack was carried out by the GRU actors known as Sandworm, who had previously conducted two raids on Ukraine’s grid. Those same actors attempted a destructive attack on the Pyeongchang Olympics, though no government statement has accused the Russian government of their role in that incident.
The Cloud Hopper campaign was a complex intelligence collection operation that was meant to gather intelligence rather than disrupt systems. APT10 gained access to Managed Service Providers as a means to target their customers – organizations that used those providers to host their IT. China and others continue this type of activity, moving upstream to telecommunications and IT providers where they can gain access to multiple organizations and individuals simultaneously.
The GRU was also behind an attempt to hack the OPCW’s Wi-Fi network by physically visiting their facilities in The Hague. That operation was disrupted, but the unit had been involved in similar activities in Switzerland, Brazil, and Malaysia, which targeted the Olympics and other investigations involving Russia. The consistent use of physical human intelligence teams to supplement its intrusion efforts makes the GRU a particularly capable adversary. Sanctions may be particularly useful for disrupting this activity as they may hinder the free movement of this unit.”