In a first, EU issues hacking sanctions
Measures target agencies, people
BRUSSELS — The European Union on Thursday slapped sanctions on six people and three organizations, including Russia’s military intelligence agency, accusing them of responsibility for several cyberattacks that threatened EU interests.
EU headquarters said in a statement that those targeted include people considered to be involved in the 2017 WannaCry ransomware attack, the NotPetya strike that notably caused havoc in Ukraine, and the Operation Cloud Hopper hacking campaign.
The sanctions are the first that the EU has ever imposed for cyberattacks.
EU foreign-policy chief Josep Borrell said that “the measures concerned are a travel ban and asset freeze to natural persons and an asset freeze to entities or bodies. It is also prohibited to directly or indirectly make funds available to listed individuals and entities or bodies.”
Four members of Russia’s GRU military intelligence agency were singled out. The EU accuses them of trying to hack the Wi-Fi network of the Netherlands-based Organization for the Prohibition of Chemical Weapons, which has investigated the use of chemical weapons in Syria. The 2018 attack was foiled by Dutch authorities.
Two Chinese citizens were targeted over Operation Cloud Hopper, which the EU said hit technology systems in companies on six continents, including Europe, and “gained unauthorized access to commercially sensitive data, resulting in significant economic loss.”
A leading U.S. cybersecurity expert said the GRU attempt to hack the chemical-weapons agency involved a physical visit to the organization’s facilities in The Hague.
“The consistent use of physical human intelligence teams to supplement its intrusion efforts makes the GRU a particularly effective adversary,” said John Hultquist, senior director of analysis at Mandiant Threat Intelligence.
“Sanctions may be particularly effective for disrupting this activity as they may hinder the free movement of this unit,” he said.
Hultquist said NotPetya and WannaCry were “two of the most devastating cyberattacks in history, causing billions of dollars in damaging and disrupting many vital systems.”