EU’s First Cyber Sanctions Target Russian, North Koreans, Chinese Attackers

The European Union, for the first time in its history, has levied sanctions in response to cyber attacks, naming six individuals and three groups associated with some of the biggest hits in recent years. 

EU officials imposed restrictions on North Korean, Chinese and Russian attackers associated with the WannaCry, Operation Cloudhopper, and NotPetya attacks, including a travel ban and an asset freeze, according to a statement Thursday. 

“Sanctions are one of the options available in the EU’s cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities directed against the EU or its member states, and today is the first time the EU has used this tool. The legal framework for targeted restrictive measures against cyber-attacks was adopted in May 2019 and recently renewed.”

The 2017 WannaCry ransomware attacks, attributed to North Korean actors, struck institutions, including many hospitals and city governments. The attackers used a Windows exploit that was originally discovered by the NSA and revealed to Microsoft shortly after. 

The 2017 NotPetya attacks were carried out by individuals associated with the Russian military, specifically the intelligence service, GRU. The attackers first targeted Ukraine, hitting banks, media outlets and utilities. These were highly destructive attacks not just knocking the affected computers offline but overwriting key files. The attack quickly spread to other computers around the world. 

John Hultquist, senior director of analysis at Mandiant Threat Intelligence, said “NotPetya and WannaCry were two of the most devastating cyberattacks in history, causing billions of dollars in damage and disrupting many vital systems, such as those belonging to the UK’s NHS [National Health Service]. At least one victim of NotPetya has claimed 1.3 billion dollars in damage... Those same actors attempted a destructive attack on the Pyeongchang Olympics though no government statement has accused the Russian government for their role in that incident.”

The sanctions document from the EU lists “Olympics Destroyer,” an alias for the group that attacked the Pyeongchang Olympics, sometimes called “Sandworm,” associated with the NotPetya attacks. 

Hultquist described the Cloud Hopper campaign as a less destructive, more traditional intelligence-collection operation, widely attributed to Chinese actors. The group, also called APT10, “gained access to Managed Service Providers as a means to then target their customers – organizations who used those providers to host their IT. China and others continue this type of activity, moving upstream to telecommunications and IT providers where they can gain access to multiple organizations and individuals simultaneously,” he said.