The European Union Imposes Its First Ever Sanctions Against Cyber-attacks (by Army General (2S) Watin-Augouard, Founder of the FIC)

2020/09/29

On 30 July 2020, one year after their release, the Council of the European Union implemented the framework decision and regulation passed on 17 May 2019, which sanction, through restrictive measures, natural or legal persons, entities, or bodies responsible for successful or attempted cyber-attacks. These measures apply to six individuals and three entities.

The implemented bills

On 19 June 2017, the European Council adopted conclusions on a framework for a joint diplomatic response to malicious cyber activities. The “Cyber Diplomacy Toolbox” addresses the need to protect the Union, its Member States and citizens against State and non-State actors undertaking cyber-attacks. It contributes to conflict prevention, cooperation, and stability in cyberspace by setting out measures within the CFSP, including restrictive measures, to prevent and respond to malicious cyber activities.

During the Tallinn Digital Summit (29 September 2017), then President of the European Commission Jean-Claude Juncker declared: “Cyber-attacks know no borders, but our response capacity differs very much from one country to the other, creating loopholes where vulnerabilities attract even more the attacks. The EU needs more robust and effective structures to ensure strong cyber resilience and respond to cyber-attacks.” He added: “We do not want to be the weakest links in this threat.”

On 19 and 20 October 2017, again in Tallinn, the European Council requested a common approach on cybersecurity in the EU, which translated into the Cybersecurity Act, passed by the European Parliament on 12 March 2019 (see ‘La Veille Juridique’ of the CREOGN – May 2019).

On 27 May 2019, the Council of the European Union made a framework decision and regulation in line with the logic of the “Cyber Diplomacy Toolbox”.

The Council decision (CFSP) 2019/797 of 17 May 2019 concerns restrictive measures against cyber-attacks threatening the Union or its Member States. For the Council, “the measures within the common foreign and security policy (CFSP), including, if necessary, restrictive measures, adopted under the relevant provisions of the Treaties, are suitable for a framework for a joint Union diplomatic response to malicious cyber activities, with the aim of encouraging cooperation, facilitating the mitigation of immediate and long-term threats, and influencing the behaviour of potential aggressors in the long term”.

These measures aim to dissuade and stop cyber-attacks from territories outside the Union that are targeting it or its Member States (cybercrime internal to the Union is therefore not concerned). They can however apply, if deemed necessary, to achieve CFSP objectives in the relevant provisions of Article 21 of the Treaty on European Union when cyber-attacks target third states or international organisations.

The restrictive measures set by the decision concern the prevention of entry into or transit through the territories of Member States and the freezing of funds and economic resources belonging to natural or legal persons, entities, or bodies responsible for cyber-attacks or attempted cyber-attacks. On the matter of frozen funds and resources, the Council Regulation (EU) of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States clarifies the details of its implementation.

As established by the framework decision, the restrictive measures must be differentiated from the attribution of responsibility for cyber-attacks, which is a sovereign political decision on a case-by-case basis. Every Member State remains free to determine by itself the implication of a third State.

Decisions of 30 July 2020

On 16 April 2018, the Council firmly condemned the cyber-attacks known as ‘WannaCry’ and ‘NotPetya’, which caused significant damage and economic loss in the Union. These cyber-attacks (ransomware for the former, a data destruction tool for the latter) serve as models by their scale and effects. NotPetya, which mainly targeted Ukraine, had significant collateral effects, notably in France (Saint-Gobain, SNCF, Auchan, and BNP).

On 4 October 2018, the presidents of the European Council and of the European Commission, as well as the High Representative of the Union for Foreign Affairs and Security, jointly condemned an attempted cyber-attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands. In a declaration on behalf of the EU on 12 April 2019, the High Representative urged the actors to stop undertaking malicious activities which undermine the EU’s integrity, security, and economic competitiveness, including espionage acts violating intellectual property. These “cyber-enabled thefts” are notably among those perpetrated by the group called ‘APT10’ (Advanced Persistent Threat 10), involved in ‘Operation Cloud Hopper’, which targeted companies through the cloud. For the Council, “‘Operation Cloud Hopper’ targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss”.

The sanctions imposed include a travel ban through EU territory and an asset freeze. In addition, EU persons and entities are forbidden from making funds available to those people and entities listed.

Six individuals and three entities are on the list of natural and legal persons, entities, and bodies in Annex I of the Council Decision (CFSP) 2020/1127 and the Council Regulation (EU) 2019/796, blank prior to this decision. Two Chinese and four Russian individuals are concerned as well as three entities: a Chinese, a North Korean and a Russian one. One will notice the EU does not hesitate to punish bodies related to States (Russia in particular).

Below are copied two extracts illustrating how the annex is presented.

Name: GAO Qiang

Identifying information:
Place of birth: Shandong Province, China
Address: Room 1102, Guanfu Mansion, 46 Xinkai Road, Hedong District, Tianjin, China
Nationality: Chinese
Gender: male

Reasons:

Gao Qiang is involved in “Operation Cloud Hopper”, a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and of cyber-attacks with a significant effect against third States.

“Operation Cloud Hopper” targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.

The actor publicly known as “APT10” (“Advanced Persistent Threat 10”) (a.k.a. “Red Apollo”, “CVNX”, “Stone Panda”, “MenuPass” and “Potassium”) carried out “Operation Cloud Hopper”.

Gao Qiang can be linked to APT10, including through his association with APT10 command and control infrastructure. Moreover, Huaying Haitai, an entity designated for providing support to and facilitating “Operation Cloud Hopper”, employed Gao Qiang. He has links with Zhang Shilong, who is also designated in connection with “Operation Cloud Hopper”. Gao Qiang is therefore associated with both Huaying Haitai and Zhang Shilong.

Name: Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU)

Identifying information:
Address: 22 Kirova Street, Moscow, Russian Federation

Reasons:

The Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), also known by its field post number 74455, is responsible for cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and for cyber-attacks with a significant effect against third States, including the cyber-attacks publicly known as “NotPetya” or “EternalPetya” in June 2017 and the cyber-attacks directed at an Ukrainian power grid in the winter of 2015 and 2016.

“NotPetya” or “EternalPetya” rendered data inaccessible in a number of companies in the Union, wider Europe and worldwide, by targeting computers with ransomware and blocking access to data, resulting amongst others in significant economic loss. The cyber-attack on a Ukrainian power grid resulted in parts of it being switched off during winter.

The actor publicly known as “Sandworm” (a.k.a. “Sandworm Team”, “BlackEnergy Group”, “Voodoo Bear”, “Quedagh”, “Olympic Destroyer” and “Telebots”), which is also behind the attack on the Ukrainian power grid, carried out “NotPetya” or “EternalPetya”.

The Main Centre for Special Technologies of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation has an active role in the cyber-activities undertaken by Sandworm and can be linked to Sandworm.