EU Issues First Sanctions for Cyberattacks

The European Union issued its first sanctions for cyberattacks on Thursday against Chinese, North Korean, and Russian groups linked to recent major hacking incidents.

The sanctions—against six individuals and three entities—are in response for the NotPetya, Operation Cloud Hopper, and WannaCry attacks, as well as a cyberattack against the Organisation for the Prohibition of Chemical Weapons in The Hague.

“The sanctions imposed include a travel ban and an asset freeze,” the European Council of the European Union said in a press release. “In addition, EU persons and entities are forbidden from making funds available to those listed.”

Of those sanctioned, the most well known is Russia’s GRU military intelligence service unit 74455—commonly referred to as Sandworm. The group has been “linked to the NotPetya ransomware attacks, which experts say began as a political attack against Ukraine but then quickly spread across the world and caused over $10 billion in damage,” according to MIT Technology Review. “The group is also linked to hacking and turning off the Ukrainian power grid during the winters of 2015 and 2016. The sanctions also targeted four Russian spies linked to a cyberattack on the Organization for the Prohibition of Chemical Weapons, which investigates the use of chemical weapons in Syria.”

China’s Haitai Technology Development, along with two citizens, were sanctioned for their roles in Cloudhopper—a cyberattack that ran from 2014 to 2017 targeting telecommunications companies, among others.

And the actions against North Korea were aimed at Chosun Firm for its support of the WannaCry ransomware attack that spread throughout the globe—with especially critical damage to the UK’s National Health Service.

The Netherlands led the push for the European Union to develop a cyber sanctions regime after the OPCW was attacked in 2018. The European Council adopted a framework in May 2019 that would allow it to issue restrictive measures against those responsible for cyberattacks that have “significant effect which constitute an external threat to the Union or its Member States.” Thursday’s sanctions mark the first time, however, the EU has used those powers.

“The EU has a shared interest in working together against these attacks,” said Netherlands Minister of Foreign Affairs Stef Blok in a press release. “The time of simply issuing warnings in cyberspace is over.”

To issue sanctions, 27 EU members must agree on the decision—posing challenges depending on who the sanctions would target.

“China, in particular, is a touchy subject among countries, with some wary of endangering relations with the bloc’s second biggest trading partner and a major foreign investor,” according to Bloomberg. “Others are seeking a progressive normalization of relations with Russia, on which the EU depends for much of its energy supplies.”