
European Union Sanctions Chinese, Russian Nationals for Alleged Hacking

Six individual hackers and three corrupt organizations have been banned from traveling to or entering any of the 28-member European Union (EU) states and their assets frozen, in the first-ever cyber-related sanctions the economic union’s legislative Council has imposed.

The perpetrators, who include two Chinese citizens and four Russian nationals, were involved in the high-profile WannaCry, NotPetya and Cloud Hopper cyber attacks, the Council charged in its ruling. In addition, the companies reportedly carrying out the cyber assaults include a North Korean export operation and technology companies based in China and Russia. The cyber invaders are also said to be behind an attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) headquartered in The Hague, Netherlands.

As part of the sanctions, EU persons and entities are forbidden from making funds available to the cyber attackers.

“Sanctions are one of the options available in the EU’s cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities directed against the EU or its member states, and today is the first time the EU has used this tool,” the Council said.

Will the U.S. follow the EU Council's sanctioning lead? While U.S. law enforcement has indicted a growing number of cyber gangsters, aside from the Lazarus crew--also known as Hidden Cobra, associated with several high-profile cyber attacks, including the Sony Pictures hack in 2014 and Bangladesh Bank heist in 2016--it has not engaged in sanctioning cyber crooks similar to what the EU has done. In late July, the U.S. Justice Department made public an indictment of two Chinese nationals accused of spying on three unnamed U.S.-based targets involved in medical research to fight the coronavirus (COVID-19). The indictment accused the Chinese hackers of conducting a reconnaissance operation against a Massachusetts biotech firm known to be working on a COVID-19 vaccine. While it is unlikely the Chinese hackers will ever face trial in the U.S., they may not be sanctioned by authorities either.

Still, the National Security Agency, the Federal Bureau of Investigation and the Department of Homeland Security’s Cybersecurity Infrastructure and Systems Agency have all repeatedly issued official warnings naming well-known state-sponsored cyber threat groups originating from China, North Korea and Russia.

According to the European Council, here are the individual perps:

  • Chinese nationals Gao Qiang and Zhang Shilong for their involvement in the Cloud Hopper operation that targeted information systems of multinational companies in six continents.
  • Russian nationals Alexey Valeryevich, Aleksei Sergeyvich, Evgenii Mikhaylovich, and Oleg Mikhaylovich for attempting to target the OPCW. The Russians are also wanted by the Federal Bureau of Investigation.

Here are the sanctioned organizations:

  • The Tianjin Huaying Haitai Science and Technology Development Co. Ltd (China) for financing, providing technical support and facilitating Cloud Hopper. Huaying Haitai is associated with Qiang and Shilong and linked to the notorious APT10 gang.
  • Chosun Expo (North Korea) for its involvement in WannaCry, the Sony Pictures cyber attack and the Bangladesh Bank heist, among other attacks. The group is associated with the Lazarus cyber crew.
  • The Main Centre for Special Technologies of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Russia), for the NotPetya attack and the cyber attacks directed at a Ukrainian power grid in 2015 and 2016. The bad actor is associated with the Sandworm cyber gang.

“Those persons and entities or bodies are responsible for, provided support for or were involved in, or facilitated cyber-attacks or attempted cyber-attacks, including the attempted cyber-attack against the OPCW and the cyber-attacks publicly known as ‘WannaCry’ and ‘NotPetya’, as well as ‘Operation Cloud Hopper’,” the Council’s ruling dated July 30, 2020 said.

In 2018, the U.S. charged Shilong with targeting 45 companies and government agencies and stealing hundreds of gigabytes of sensitive data.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.