EU sanctions Chinese, Russian and North-Korean hacking crews
13 August 2020
Decision adds important legal dimension to existing predicament for ransomware victims: to pay or not to pay?
On 30 July 2020, the European Union (EU) imposed financial and travel restrictions on two Chinese and four Russian nationals, a Russian military intelligence unit and two Chinese and North-Korean entities1. The decision responds to a number of widely-publicised cyber attacks, including the ‘WannaCry’ and ‘NotPetya’ attacks (two major ransomware attacks disrupting the IT systems of banks, corporations and governments around the world), ‘Operation Cloud Hopper’ (a global series of sustained attacks targeting clients of some of the world’s biggest IT service providers) and the US$ 81 million Bangladesh Bank cyber heist.
Under the newly imposed sanctions, those persons and entities listed are subject to a travel ban to the EU and will see their funds in the EU frozen. But EU persons and entities are also impacted as we will discuss in more detail below.
First ever EU Sanctions in response to cyber attacks
The decision marks the first designation under the EU’s cyber sanctions regime introduced in May 2019, allowing the bloc to impose targeted restrictive measures to deter and respond to cyber attacks originating from outside the EU but constituting an external threat to the EU, its Member States or even third states and international organisations. Even though the regime is said to be ‘country neutral’ because designations only target individual attackers, one of the express considerations for adopting the regime was that foreign states “are not to use proxies to commit internationally wrongful acts using [information and communication technologies]” and that they “should seek to ensure that their territory is not used by non-State actors to commit such acts”2.
Remarkably, and in contrast to other sanctions provisions (not in the least with respect to Iran; see our previous post on the EU Blocking Regulation), the decision brings EU policy in line with that of the U.S., which introduced a cyber sanctions programme as early as 2015, and has either indicted or sanctioned most of the attackers now cited by the EU. Post-Brexit, the decision will also be implemented in the UK through its own autonomous cyber sanctions regime.
Additional designations under the EU regime are likely to follow, with officials reportedly discussing sanctions in response to other (state-sponsored) cyber attacks, including against Russian individuals said to be responsible for the large-scale hacking of the German Parliament in 2015.
Ransomware: to pay or not to pay?
Significantly, because of the newly imposed sanctions, EU persons and entities are now in principle prohibited from making funds or economic resources available, either directly or indirectly, to or for the benefit of the listed actors. This includes the situation where the victim of a ransomware attack pays a ransom to decrypt its systems and regain access to its data.
This adds an important legal dimension to a difficult predicament when faced with cyber extortion: paying a ransom may not only embolden criminal activity or prove ineffective; it may now also expose the victim of an attack to liability for breaching EU sanctions. And the consequences may be severe: in Belgium, breaches of EU sanctions are punishable by administrative fines (up to EUR 2.5 million for legal entities) and criminal penalties (up to EUR 960,000 for legal entities and imprisonment of between 8 days to 5 years for individuals).
For the EU, that is what it takes to “influenc[e] the behaviour of potential aggressors in the long term”3.
1. Council Implementing Regulation (EU) 2020/1125 of 30 July 2020 implementing Regulation (EU) 2019/796 concerning restrictive measures against cyber-attacks threatening the Union or its Member States.
2. Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, recital (4).
3. Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States, recital (2).