The European Union has sanctioned six people and three organizations in Russia, China and North Korea in connection with three major cyberattacks dating back to 2017.
EU officials announced Thursday they would enact restrictive measures against the people they deemed responsible for the WannaCry ransomware outbreak in 2017, the NotPetya campaign and Operation Cloud Hopper, a Chinese cyber-espionage effort. Penalties include a travel ban and an asset freeze, and they prohibit people and organizations in the EU from “making funds available” to the sanctioned individuals and entities.
The move follows previous U.S. allegations against many of the same parties.
“Sanctions are one of the options available in the EU’s cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities directed against the EU or its member states, and today is the first time the EU has used this tool,” officials said in a statement.
The sanctions name unit 74455 of Russia’s GRU military intelligence service, which the EU says “is responsible for cyber-attacks with a significant effect[,]” in connection with NotPetya. The 2017 ransomware attack locked up computers throughout the world, particularly in Ukraine, by exploiting a software vulnerability in otherwise innocuous tax software. The U.S. and U.K. governments previously blamed Russia for the incident, which cost more than $10 billion in total damages, according to a White House assessment.
EU officials also blame the GRU for cyberattacks directed at Ukrainian power facilities in 2015 and 2016, which resulted in areas of the grid being switched off during the winter.
Four members of Russia’s GRU also were sanctioned for their alleged involvement in an attempted attack on the WiFi network of the Organization for the Prohibition of Chemical Weapons in the Netherlands. The timing of the attack, in April 2018, coincided with an investigation into the use of chemical weapons in Syria, a Russian ally.
Dutch security services stopped the attempted hack, the EU noted.
The EU also penalized two Chinese nationals, Gao Qiang and Zhang Shilong, and the Tianjin Huaying Haitai Science and Technology Development Co. in connection with Operation Cloud Hopper. Cloud Hopper is the name for a years-long Chinese cyber-espionage plot to steal corporate secrets from targets on six continents. The same campaign, pinned on a group known as APT10, is the subject of a major U.S. indictment unsealed in 2018.
The U.S. Department of Justice previously linked APT10 to the Ministry of State Security.
Finally, the EU sanctions target Chosun Expo, a North Korean firm allegedly linked to the WannaCry ransomware attack that spread through international computer networks in 2017. The sanction document links Chosun to APT38, and also says it had a role in the Bangladesh Bank theft in which hackers stole $81 million through a series of fraudulent transactions.
The Justice Department previously identified Chosun Expo as a front company for North Korean government-backed hacking. In a 2018 indictment, U.S. officials said a North Korean citizen, Park Jin Hyok, worked for Chosun Expo as part of his role in the WannaCry cyberattacks, which affected hundreds of thousands of machines around the globe, including in EU member countries.
Park was not named in the sanctions Thursday.
Chosun Expo has been a front company for a North Korean government hacking organization known as “Lab 110,” since at least 2002, according to the Justice Department.
The U.S. Treasury Department previously sanctioned Chosun Expo for its affiliation with the North Korean government two years ago.
The governments of Russia, China and North Korea have consistently denied any involvement in malicious cyber activities.
Shannon Vavra contributed reporting.