First use of new EU sanctions against Russia, China hackers

The EU named the four men and published their passport numbers and places of birth, saying they were guilty of trying to hack an international institute, the Organisation for the Prohibition of Chemical Weapons, in The Hague, in 2018.

It said the GTST attacked several EU companies with "ransomware" in 2017 "blocking access to data [and] resulting ... in significant economic loss".

It also said the GRU offshoot tried to take down Ukraine's electricity grid in the winter of 2015/2016.

The EU blacklists were the first time Europe used new legal measures, created last year, which target individuals and entities, instead of states, on cybercrime.

The EU has also created quick-fire sanctions to target individuals guilty of using chemical weapons and is working on similar measures, due in autumn, to target human rights abusers worldwide.

Thursday's measures also named two Chinese men and a Chinese company, Haitai Technology Development, who, the EU said, tried to steal commercially-sensitive secrets from Western multinational firms.

And they named a North Korean company, Chosun Expo, for attacks on Polish financial sector regulator, the Polish Financial Supervision Authority, as well as US firm Sony Pictures, and banks in Asia and the US.

"Such behaviour is unacceptable as it undermines international security and stability," EU foreign affairs chief Josep Borrell said.

Russia and North Korea did not immediately comment.

But the Chinese EU embassy in Brussels said it was "a staunch defender of network security and one of the biggest victims of hacker attacks", in a statement to the Reuters news agency.

Cyberspace should be kept safe via "dialogue and cooperation", instead of sanctions, it added.

The EU's counter-GRU sanctions came the same day a California-based internet security firm, Mandiant Solutions, also pointed at Moscow for hacking news websites in Europe.

The firm had "moderate confidence", it said, that 14 anti-Nato disinformation attacks between March 2017 and May this year came out of Russia.

The incidents were "part of a larger, concerted, and ongoing influence campaign" which was "aligned with Russian security interests", it said.

'Ghostwriter'

It called the campaign "Ghostwriter" because the hackers broke into news websites in the Baltic countries and Poland to insert fake stories on their webpages.

In one example, in September last year, Ghostwriter hacked Lithuanian website kaunas.kasvyksta.lt and inserted a fake article saying German Nato troops in the country had desecrated a Jewish cemetery.

It also created photoshopped images of the cemetery as purported evidence accompanying the article.

In a second example, in May this year, it compromised seven Polish regional news websites with fake quotes from a US general ridiculing Polish armed forces.

Ghostwriter also published bogus content that Nato soldiers were spreading coronavirus in the region, raping people, and running over children in armoured cars

And it used fake online personas to send links to the fake stories to other media.

Borrell's diplomatic service has a special cell for debunking Russian propaganda.

But the EU has no counter-propaganda sanctions on the cybercrime, chemical weapons, or human rights model.

"Ghostwriter is already targeting the West, but the methods associated with it will be seen more and more in Europe and the US as a means to alter perception there," Mandiant Solutions tech expert John Hultquist said in a statement.

"The method of hacking media sites to push fabricated narratives is a powerful one," he added.