The European Union has issued sanctions against hackers: six individuals and three organisations in Russia, China and North Korea. The sanctions are imposed in relation to three major cyberattacks of 2017: WannaCry, NotPetya, and Operation Cloud Hopper. These are the first ever cyber-attack sanctions which ban travel of culprits. They also freeze the assets of the individuals and organisations involved in the attacks, and ban organisations in the EU from “making funds available” to the sanctioned individuals and organisations. Their names have been included in the list of natural and legal persons, entities, and bodies subject to restrictive measures. This article focuses on the legal basis of the EU sanctions against hackers, and the investigation undertaken to reach such a decision.
Findings of the EU against the individuals and the organisations
According to the decision on sanctions, two Chinese nationals, GAO Qiang and Zhang Shilong, were hired by a China-based company, Tianjin Huaying Haitai Science and Technology Development Co. Ltd., for Operation Cloud Hopper. The organisation provided financial, technical or material support to facilitate Operation Cloud Hopper, a series of cyber-attacks which targeted the information systems of multinational companies across the world. The operation gained unauthorised access to commercially sensitive data, resulting in significant economic loss. Collectively, these actors are known as Advanced Persistent Threat 10 (APT 10).
Four Russian nationals, Alexy Valeryvich Minin, Aleksei Serveyvich, Evgenii Mikhaylovich Serebriakov, and Oleg Mikhaylovich Sotnikov, were also sanctioned due to their involvement in an attempt to gain unauthorised access to the Wi-Fi network of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands. These four individuals are human intelligence support officers of the GRU (Russian intelligence agency). However, their attempt was not successful, as it was disrupted by the Netherlands Defense Intelligence and Security Service (DISS). The Service prevented any harm to the network and the OPCW’s ongoing investigatory work.
The EU also issued sanctions against a North Korean firm, Chosun Expo, for providing financial, technical or material support for the WannaCry ransomware (yes, the one that caused havoc worldwide by exploiting SMB v1.0). This malware blocked organisations and individuals worldwide from accessing their data, including the National Health Service (NHS) of the United Kingdom, Sony Pictures Limited, Bangladesh Bank and Vietnam Tien Phong Bank. The firm is also known as APT 38.
Another organisation, the Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, has also been sanctioned due to its involvement in the “NotPetya” or “EternalPetya” cyber-attacks in 2017, and the cyber-attacks directed against the Ukrainian power grid in 2015 and 2016.
The Legal Basis for the EU sanctions against hackers
The present decision on these sanctions has been taken under the Common Foreign and Security Policy (CFSP) of the EU. This policy focuses on international security, development and consolidation of democracy, the rule of law and respect for human rights and fundamental freedoms, and defence diplomacy and actions. Where jurisdictional limitations prevent it from trying individuals or entities involved in a cyber-attack, the EU can opt for this policy.
In pursuit of the CFSP goals (Articles 21 and 30), the Treaty on European Union (TEU) proposes “restrictive measures” or sanctions as one of the possible instruments. According to the Guidelines on Implementation and Evaluation of Restrictive Measures (Sanctions) in the framework of the EU CFSP, restrictive measures include control over ownership of resources, and control of any transfer of funds or availability of economic resources to the designated persons and entities.
The Cyber Diplomacy Toolkit
In order to improve internet governance and deter state-sponsored cyber-attacks or other external threats, the European Union developed a ‘cyber diplomacy toolkit’. This toolkit allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks in order to achieve the objectives of the CFSP. It covers cyber-attacks which have a significant impact and which:
- originate or are carried out from outside the EU
- or use infrastructure outside the EU
- or are carried out by persons or entities established or operating outside the EU
- or are carried out with the support of persons or entities operating outside the EU.
This toolkit is the very basis of the EU sanctions against hackers.
Restrictive measures or sanctions include a ban on persons travelling to the EU, and an asset freeze on persons and organisations. In addition, EU persons and entities are forbidden from making funds available to those included in the list of natural and legal persons, entities and bodies subject to restrictive measures.
Method of investigation and collection of evidence
In the absence of any international evidence law, the international legal system uses a ‘decentralized interpretation’ and ‘application of law’ to reach a judgement. In such cases, precise evidence rules are not followed as they are in domestic legal systems. Typically, the evidence pointing to attribution of an attack is based on material gathered through intelligence, which is difficult to disclose. It may include information related to the tools used for investigation and to sources, which can be crucial to a state for security purposes.
Therefore, the cyber diplomacy toolkit relies upon state and non-state actors, which are sovereign political decision makers, to impose sanctions against third countries, entities and individuals involved in cybercrimes. This means that the EU member states are the actual implementers of the sanctions against the individuals and the entities. Additionally, to obtain strong intelligence inputs on cyber-attacks, the EU maintains information sharing and forensic cooperation between EU agencies and institutions like ENISA, Europol’s EC3, the EU CSIRT network, and the Hybrid Fusion Cell.
This is the first attempt by the EU to strengthen internet governance by issuing cyber sanctions against individuals and organisations. An official of the EU has emphasized that the EU and its member states will further reinforce their cooperation on the technical, operational, judicial and diplomatic fronts with their international partners. Further, the EU and member states have called upon every nation state of the world to exercise due diligence and take stringent actions against cyber-attacks, consistent with international law and the 2010, 2013, and 2015 consensus reports of the United Nations Groups of Governmental Experts (UNGGEs) on international security. It would be great to see how the sanctioned individuals, organisations, and their countries respond to these EU sanctions against hackers.
Bhagyashree is a qualified advocate practicing in the area of IT law and data protection. She has a great academic record with an LLM degree in Computer and Communication Laws from Queen Mary University of London. She also holds technical expertise in the area of digital forensics and investigation.