EU imposes first-ever sanctions against Chinese and Russian hackers

The European Council recently imposed travel bans and froze assets of a number of Chinese and Russian hackers and entities who were behind the destructive WannaCry and NotPetya attacks, Operation Cloud Hopper, as well as the cyber attack targeting the OPCW (Organisation for the Prohibition of Chemical Weapons).

The European Council said that the first-ever sanctions announced in response to various cyber attacks were implemented to prevent, discourage, deter and respond to continuing and increasing malicious behaviour in cyberspace. The sanctioned individuals and entities either carried out, provided support to, or were involved in a spate of cyber attacks targeting European institutions and individuals.

"Sanctions are one of the options available in the EU’s cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities directed against the EU or its member states, and today is the first time the EU has used this tool. The legal framework for targeted restrictive measures against cyber-attacks was adopted in May 2019 and recently renewed," it said.

Operation Cloud Hopper

Backed by China's top security agency, Operation Cloud Hopper was a campaign in which a hacker group known as APT10 targeted the IT systems of multinational companies in order to gain access to the commercially sensitive data they held.

The European Council sanctioned two Chinese nationals, namely Gao Qiang and Zhang Shilong, for their involvement in Operation Cloud Hopper and for being members of APT10. The Council also sanctioned Tianjin-based Haitai Technology Development Co. Ltd, which employed the two individuals.

Operation Cloud Hopper was first detected and analysed in detail by cyber security experts at the UK's National Cyber Security Centre (NCSC), BAE Systems and PwC, who concluded that the hacker group behind the operation (APT10) had links to China's People's Liberation Army (PLA).

"The espionage campaign has targeted managed IT service providers (MSPs), allowing the APT10 group unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally.

"The sheer scale of the operation was uncovered through collaboration amongst organisations in the public and private sectors, but is still only likely to reflect a small portion of APT10’s global operations. A number of Japanese organisations have also been targeted in a separate, simultaneous campaign by the same group, with APT10 masquerading as legitimate Japanese government entities to gain access," said PwC.

According to BAE Systems, Managed Service Providers (MSPs) are the favourite targets of the hackers behind Operation Cloud Hopper because they serve as a hub from which the hackers can reach multiple end-victim networks through supply chain attacks.

The attempted cyber attack targeting OPCW

The European Council sanctioned four Russian hackers, namely Alexey Minin, Aleksei Morenets, Evgenii Serebriakov, and Oleg Sotnikov for being behind an attempted cyber attack targeting the OPCW (Organisation for the Prohibition of Chemical Weapons) in 2018.

The four GRU agents were expelled by Dutch authorities in April 2018 after they were caught trying to infiltrate an IT network belonging to the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. The four state-sponsored hackers were also planning to attack an OPCW laboratory in Spiez, Switzerland but were thwarted by alert authorities.

The cyber attack took place soon after detailed analysis, carried out by OPCW-designated laboratories on environmental and biomedical samples, confirmed the identity of the toxic chemical used in Salisbury, which prompted the U.S., the UK, and European countries to jointly denounce Russia for using a nerve agent on British soil.

The four GRU agents were carrying diplomatic passports when they visited the Netherlands in April and stationed themselves in a hotel next to the OPCW office before attempting to hack into the OPCW's Wi-Fi network.

The four hackers belonged to GRU's Unit 26165 which is also known as APT 28. This hacker group has been accused of targeting insider information related to governments, militaries, and security organisations that would likely benefit the Russian government. Unlike China-based threat actors, APT 28 does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence that would be most useful to a government.

WannaCry and NotPetya attacks

Aside from sanctioning Chinese and Russian individuals and entities, the European Council also sanctioned a North Korean company named Chosun Expo for providing financial, technical or material support to hackers who carried out the WannaCry attacks in 2017. The company was also found to be linked to the Lazarus Group that was behind cyber-attacks against the Polish Financial Supervision Authority and Sony Pictures Entertainment, as well as cyber-theft from the Bangladesh Bank and attempted cyber-theft from the Vietnam Tien Phong Bank.

The European Council also sanctioned the GRU, named as Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, for being behind the NotPetya cyber attacks in June 2017 as well as cyber-attacks directed at a Ukrainian power grid in the winter of 2015 and 2016.

According to the UK's National Cyber Security Centre, GRU supports a number of hacker groups that have caused mayhem across the world in the past few years. These hacker groups include APT 28, Fancy Bear, Sofacy, Pawnstorm, STRONTIUM, Sandworm, Sednit, CyberCaliphate, Voodoo Bear, Cyber Berkut, and BlackEnergy Actors.

"Today’s actions will raise the cost on malicious cyber activity by state and non-state actors and will help counter future hostile activity in cyberspace. The UK was at the forefront of efforts to establish the EU Cyber Sanctions regime and we will continue to implement this regime after the end of the Transition Period," said Foreign Secretary Dominic Raab.

Commenting on the sanctions imposed by the European Council, Tom Kellermann, Head of Cybersecurity Strategy at VMware Carbon Black, said that as the number of destructive cyberattacks continues to surge across the globe, nation-states are coming to an inflection point. The EU is now leveraging economic power to penalise countries that launch destructive attacks, and the newly imposed sanctions set a precedent that the world should follow.

“Geopolitical tension is manifesting in cyberspace and destructive attacks have increased by 102% since last year, according to a recent report by VMware Carbon Black. With the ongoing cyberwarfare created by the multiplicity of malicious actors, it is time to leverage the power of policy to help prevent, discourage and respond to cyber threats,” he added.

Copyright Lyonsdown Limited 2020