EU sanctions for WannaCry, NotPetya, OPCW & Cloud Hopper attackers

Individuals and entities from North Korea, China and Russia, responsible for or involved in the ‘WannaCry’, ‘NotPetya’, ‘Operation Cloud Hopper’ and OPCW (Organisation for the Prohibition of Chemical Weapons) cyber attacks, have been identified and received travel bans and an asset freeze in the first ever imposition of restrictive cyber sanctions by the EU Council. EU persons and entities are also forbidden from making funds available to those listed.

In a public statement the EU says: “In order to better prevent, discourage, deter and respond to such malicious behaviour in cyberspace, the Council decided today to apply restrictive measures to six individuals and three entities or bodies involved in cyber-attacks with a significant effect, or attempted cyber-attacks with a potentially significant effect, which constitute an external threat to the European Union or its member states, or with a significant effect against third States or international organisations. The measures concerned are a travel ban and asset freeze to natural persons and an asset freeze to entities or bodies. It is also prohibited to directly or indirectly make funds available to listed individuals and entities or bodies.

In June 2017, the EU stepped up its ability to discourage, deter and respond to cyber threats and malicious cyber activities by establishing a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (the “cyber diplomacy toolbox”). The EU and its member states can use all CFSP measures to protect the integrity and security of the EU and its member states.”

An official EU statement draws a distinction between targeted restrictive measures, which have a deterrent and dissuasive effect, and the attribution of responsibility to a third state, saying the two should be kept separate. In practice, however, the listings do identify the people the EU believes responsible, down to their passport numbers, and allow retaliatory action against them.

Those identified

Those identified and their roles given by the report are:

Gao Qiang of Shandong Province, and Zhang Shilong of Tianjin, China. The report says they were involved in “Operation Cloud Hopper”, which targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss. It says, “The actor publicly known as “APT10” (“Advanced Persistent Threat 10”) (a.k.a. “Red Apollo”, “CVNX”, “Stone Panda”, “MenuPass” and “Potassium”) carried out “Operation Cloud Hopper”.”

It adds, “Gao Qiang can be linked to APT10, including through his association with APT10 command and control infrastructure. Moreover, Huaying Haitai, an entity designated for providing support to and facilitating “Operation Cloud Hopper”, employed Gao Qiang. He has links with Zhang Shilong, who is also designated in connection with “Operation Cloud Hopper”. Gao Qiang is therefore associated with both Huaying Haitai and Zhang Shilong.

Zhang Shilong can also be linked to APT10, including through the malware he developed and tested in connection with the cyber-attacks carried out by APT10.”

Tianjin Huaying Haitai Science and Technology Development Co. Ltd (Huaying Haitai) of Tianjin, China, is reported to have provided financial, technical or material support for and facilitated “Operation Cloud Hopper”.

Alexey Valeryevich Minin from Perm Oblast, Russian SFSR (now Russian Federation), Aleksei Sergeyvich Morenets of Murmanskaya Oblast, Russian SFSR, Evgenii Mikhaylovich Serebriakov of Kursk, Russian SFSR and Oleg Mikhaylovich Sotnikov of Ulyanovsk, Russian SFSR took part in an attempted cyber-attack with a potentially significant effect against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands.

As a human intelligence support officer of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), Alexey Minin was part of a team of four Russian military intelligence officers who attempted to gain unauthorised access to the Wi-Fi network of the OPCW in The Hague, the Netherlands, in April 2018. The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.

The Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), also known by its field post number 74455, is responsible for cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States, and for cyber-attacks with a significant effect against third States, including the cyber-attacks publicly known as “NotPetya” or “EternalPetya” in June 2017 and the cyber-attacks directed at a Ukrainian power grid in the winter of 2015 and 2016.

“NotPetya” or “EternalPetya” rendered data inaccessible in a number of companies in the Union, wider Europe and worldwide, by targeting computers with ransomware and blocking access to data, resulting, amongst other things, in significant economic loss. The cyber-attack on a Ukrainian power grid resulted in parts of it being switched off during winter.

The actor publicly known as “Sandworm” (a.k.a. “Sandworm Team”, “BlackEnergy Group”, “Voodoo Bear”, “Quedagh”, “Olympic Destroyer” and “Telebots”), which is also behind the attack on the Ukrainian power grid, carried out “NotPetya” or “EternalPetya”.

The Main Centre for Special Technologies of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation has an active role in the cyber-activities undertaken by Sandworm and can be linked to Sandworm.

Korean WannaCry originators identified

Chosun Expo (Korea Export Joint Venture) in the DPRK. The report says Chosun Expo provided financial, technical or material support for and facilitated a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States, and of cyber-attacks with a significant effect against third States, including the cyber-attacks publicly known as “WannaCry” and cyber-attacks against the Polish Financial Supervision Authority and Sony Pictures Entertainment, as well as cyber-theft from the Bangladesh Bank and attempted cyber-theft from the Vietnam Tien Phong Bank.

“WannaCry” disrupted information systems around the world by targeting information systems with ransomware and blocking access to data. It affected information systems of companies in the Union, including information systems relating to services necessary for the maintenance of essential services and economic activities within Member States.

The actor publicly known as “APT38” (“Advanced Persistent Threat 38”) or the “Lazarus Group” carried out “WannaCry”.

Chosun Expo can be linked to APT38/the Lazarus Group, including through the accounts used for the cyber-attacks.

UK also applying sanctions

The UK welcomed the announcement, saying it was at the forefront of efforts to establish the EU Cyber Sanctions regime and will continue to implement this regime after the end of the Transition Period through its own autonomous UK Cyber Sanctions regime.

A statement says “these sanctions – which are now in force in the UK – send a strong signal that malicious cyber activity against our European partners and allies has consequences. The cyber sanctions will impose meaningful costs for the reckless behaviour of state and non-state actors through asset freezes and travel bans within the EU, including the UK.”

It adds, “we’ve recently laid the statutory instrument for our own UK autonomous cyber sanctions regime, which will allow us to impose travel bans and asset freezes on individuals and organisations. The UK has previously identified the organisations sanctioned today for their roles in state sponsored cyber attacks which targeted democratic institutions, critical national infrastructure, media outlets and international organisations.”

Disruption may hinder attackers

In an email, John Hultquist, senior director of analysis, Mandiant Threat Intelligence, commented: “NotPetya and WannaCry were two of the most devastating cyberattacks in history, causing billions of dollars in damage and disrupting many vital systems, such as those belonging to the UK’s NHS. At least one victim of NotPetya has claimed US$1.3 billion in damage. The NotPetya attack was carried out by the GRU actors known as Sandworm who had previously conducted two attacks on Ukraine’s grid. Those same actors attempted a destructive attack on the Pyeongchang Olympics though no government statement has accused the Russian government of their role in that incident.

“The Cloud Hopper campaign was a complex intelligence collection operation that was meant to gather intelligence rather than disrupt systems. APT10 gained access to Managed Service Providers as a means to then target their customers – organisations who used those providers to host their IT. China and others continue this type of activity, moving upstream to telecommunications and IT providers where they can gain access to multiple organisations and individuals simultaneously.

“The GRU was also behind an attempt to hack the OPCW’s Wi-Fi network by physically visiting their facilities in The Hague. That operation was disrupted but the unit had been involved in similar operations in Switzerland, Brazil, and Malaysia which targeted the Olympics and other investigations involving Russia. The consistent use of physical human intelligence teams to supplement its intrusion efforts makes the GRU a particularly effective adversary. Sanctions may be particularly effective for disrupting this activity as they may hinder the free movement of this unit.”