EU sanctions Russian and Chinese cyber criminals for the first time

For the first time, the European Union has imposed restrictive measures against six individuals and three organizations. They were involved in or responsible for cyberattacks such as WannaCry, NotPetya and Operation Cloud Hopper.

Specifically, the EU names two Chinese and four Russian hackers, who are listed in Council Decision (CFSP) 2020/1127 and in its implementation. The listing also includes the groups APT10, APT38 (also known as the Lazarus group) and the Sandworm group. An overview of the previously known APT groups can be found, for example, on the website of the security company FireEye. There is also evidence of the groups' Chinese or Russian origin; assigning specific attacks to them, the attribution, is always quite difficult in individual cases.

The sanctions, with which the EU wants to respond to and deter fraudulent cyber activities directed against it or its member states, include an entry ban and the freezing of assets. EU individuals and entities are also prohibited from making funds available to the individuals and groups mentioned.

The sanctions are one option from the EU's tools for cyber diplomacy, which the member states had already agreed on in June 2017 to combat increasing cyber crime.

The legal framework for targeted restrictive measures against cyberattacks, which refers to Articles 21 and 13 of the EU Treaty – common defense of the basic values, security, etc. of the EU – was adopted in May 2019 and has now been renewed. The Council published two documents on July 30, 2020: on the one hand, Council Decision (CFSP) 2020/1127, which supplements Decision (CFSP) 2019/797 from May 2019, and on the other hand, its implementation, Implementing Regulation (EU) 2019/796. Both state the objective in their titles: “concerning restrictive measures against cyber-attacks threatening the Union or its Member States”.

One of the reasons for the sanctions now seems to be the drastic increase in criminal activity in the wake of the corona pandemic, including against health care and other critical infrastructures. At the end of April 2020, Josep Borrell, High Representative of the EU for Foreign and Security Policy, had published a declaration in which he affirmed that attempts to “impair the functioning of critical infrastructures” cannot be accepted.

And: “The European Union and its Member States are adopting a common approach to cyber threats and are determined to prevent, deter and respond to them,” including through “using their framework for a common EU diplomatic response to malicious threats cyber activities”.

How does the so-called attribution work and how solid are the results?
