This document is an excerpt from the EUR-Lex website
Document 02019D0797-20250127
Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States
Consolidated text: Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States
Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States
02019D0797 — EN — 27.01.2025 — 011.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document
|
COUNCIL DECISION (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States (OJ L 129I 17.5.2019, p. 13) |
Amended by:
|
|
|
Official Journal |
||
|
No |
page |
date |
||
|
L 153 |
4 |
15.5.2020 |
||
|
L 246 |
12 |
30.7.2020 |
||
|
L 351I |
5 |
22.10.2020 |
||
|
L 393 |
19 |
23.11.2020 |
||
|
L 174I |
1 |
18.5.2021 |
||
|
L 138 |
16 |
17.5.2022 |
||
|
L 129 |
16 |
16.5.2023 |
||
|
L 2686 |
1 |
28.11.2023 |
||
|
L 1391 |
1 |
17.5.2024 |
||
|
L 1779 |
1 |
24.6.2024 |
||
|
L 171 |
1 |
27.1.2025 |
||
Corrected by:
COUNCIL DECISION (CFSP) 2019/797
of 17 May 2019
concerning restrictive measures against cyber-attacks threatening the Union or its Member States
Article 1
Cyber-attacks constituting an external threat include those which:
originate, or are carried out, from outside the Union;
use infrastructure outside the Union;
are carried out by any natural or legal person, entity or body established or operating outside the Union; or
are carried out with the support, at the direction or under the control of any natural or legal person, entity or body operating outside the Union.
For this purpose, cyber-attacks are actions involving any of the following:
access to information systems;
information system interference;
data interference; or
data interception,
where such actions are not duly authorised by the owner or by another right holder of the system or data or part of it, or are not permitted under the law of the Union or of the Member State concerned.
Cyber-attacks constituting a threat to Member States include those affecting information systems relating to, inter alia:
critical infrastructure, including submarine cables and objects launched into outer space, which is essential for the maintenance of vital functions of society, or the health, safety, security, and economic or social well-being of people;
services necessary for the maintenance of essential social and/or economic activities, in particular in the sectors of: energy (electricity, oil and gas); transport (air, rail, water and road); banking; financial market infrastructures; health (healthcare providers, hospitals and private clinics); drinking water supply and distribution; digital infrastructure; and any other sector which is essential to the Member State concerned;
critical State functions, in particular in the areas of defence, governance and the functioning of institutions, including for public elections or the voting process, the functioning of economic and civil infrastructure, internal security, and external relations, including through diplomatic missions;
the storage or processing of classified information; or
government emergency response teams.
Article 2
For the purposes of this Decision, the following definitions apply:
‘information systems’ means a device or group of interconnected or related devices, one or more of which, pursuant to a programme, automatically processes digital data, as well as digital data stored, processed, retrieved or transmitted by that device or group of devices for the purposes of its or their operation, use, protection and maintenance.
‘information system interference’ means hindering or interrupting the functioning of an information system by inputting digital data, by transmitting, damaging, deleting, deteriorating, altering or suppressing such data, or by rendering such data inaccessible.
‘data interference’ means deleting, damaging, deteriorating, altering or suppressing digital data on an information system, or rendering such data inaccessible; it also includes theft of data, funds, economic resources or intellectual property.
‘data interception’ means intercepting, by technical means, non-public transmissions of digital data to, from or within an information system, including electromagnetic emissions from an information system carrying such digital data.
Article 3
The factors determining whether a cyber-attack has a significant effect as referred to in Article 1(1) include any of the following:
the scope, scale, impact or severity of disruption caused, including to economic and societal activities, essential services, critical State functions, public order or public safety;
the number of natural or legal persons, entities or bodies affected;
the number of Member States concerned;
the amount of economic loss caused, such as through large-scale theft of funds, economic resources or intellectual property;
the economic benefit gained by the perpetrator, for himself or for others;
the amount or nature of data stolen or the scale of data breaches; or
the nature of commercially sensitive data accessed.
Article 4
Member States shall take the measures necessary to prevent the entry into, or transit through, their territories of:
natural persons who are responsible for cyber-attacks or attempted cyber-attacks;
natural persons who provide financial, technical or material support for or are otherwise involved in cyber-attacks or attempted cyber-attacks, including by planning, preparing, participating in, directing, assisting or encouraging such attacks, or facilitating them whether by action or omission;
natural persons associated with the persons covered by points (a) and (b),
as listed in the Annex.
Paragraph 1 shall be without prejudice to the cases where a Member State is bound by an obligation of international law, namely:
as a host country of an international intergovernmental organisation;
as a host country to an international conference convened by, or under the auspices of, the United Nations;
under a multilateral agreement conferring privileges and immunities; or
pursuant to the 1929 Treaty of Conciliation (Lateran Pact) concluded by the Holy See (Vatican City State) and Italy.
Article 5
All funds and economic resources belonging to, owned, held or controlled by:
natural or legal persons, entities or bodies that are responsible for cyber-attacks or attempted cyber-attacks;
natural or legal persons, entities or bodies that provide financial, technical or material support for or are otherwise involved in cyber-attacks or attempted cyber-attacks, including by planning, preparing, participating in, directing, assisting or encouraging such attacks, or facilitating them whether by action or omission;
natural or legal persons, entities or bodies associated with the natural or legal persons, entities or bodies covered by points (a) and (b),
as listed in the Annex, shall be frozen.
By way of derogation from paragraphs 1 and 2, the competent authorities of the Member States may authorise the release of certain frozen funds or economic resources, or the making available of certain funds or economic resources, under such conditions as they deem appropriate, after having determined that the funds or economic resources concerned are:
►C1 necessary to satisfy the basic needs of the natural or legal persons, entities or bodies listed in the Annex ◄ and dependent family members of such natural persons, including payments for foodstuffs, rent or mortgage, medicines and medical treatment, taxes, insurance premiums, and public utility charges;
intended exclusively for the payment of reasonable professional fees or the reimbursement of incurred expenses associated with the provision of legal services;
intended exclusively for the payment of fees or service charges for the routine holding or maintenance of frozen funds or economic resources;
necessary for extraordinary expenses, provided that the relevant competent authority has notified the competent authorities of the other Member States and the Commission of the grounds on which it considers that a specific authorisation should be granted, at least two weeks prior to the authorisation; or
to be paid into or from an account of a diplomatic or consular mission or an international organisation enjoying immunities in accordance with international law, insofar as such payments are intended to be used for official purposes of the diplomatic or consular mission or international organisation.
The Member State concerned shall inform the other Member States and the Commission of any authorisation granted under this paragraph.
By way of derogation from paragraph 1, the competent authorities of the Member States may authorise the release of certain frozen funds or economic resources, provided that the following conditions are met:
the funds or economic resources are the subject of an arbitral decision rendered prior to the date on which the natural or legal person, entity or body referred to in paragraph 1 was listed in the Annex, or of a judicial or administrative decision rendered in the Union, or a judicial decision enforceable in the Member State concerned, prior to or after that date;
the funds or economic resources will be used exclusively to satisfy claims secured by such a decision or recognised as valid in such a decision, within the limits set by applicable laws and regulations governing the rights of persons having such claims;
the decision is not for the benefit of a natural or legal person, entity or body listed in the Annex; and
recognition of the decision is not contrary to public policy in the Member State concerned.
The Member State concerned shall inform the other Member States and the Commission of any authorisation granted under this paragraph.
Paragraph 2 shall not apply to the addition to frozen accounts of:
interest or other earnings on those accounts;
payments due under contracts, agreements or obligations that were concluded or arose prior to the date on which those accounts became subject to the measures provided for in paragraphs 1 and 2; or
payments due under judicial, administrative or arbitral decisions rendered in the Union or enforceable in the Member State concerned,
provided that any such interest, other earnings and payments remain subject to the measures provided for in paragraph 1.
Paragraphs 1 and 2 shall not apply to the making available of funds or economic resources necessary to ensure the timely delivery of humanitarian assistance or to support other activities that support basic human needs where such assistance and other activities are carried out by:
the United Nations (UN), including its programmes, funds and other entities and bodies, as well as its specialised agencies and related organisations;
international organisations;
humanitarian organisations having observer status with the UN General Assembly and members of those humanitarian organisations;
bilaterally or multilaterally funded non-governmental organisations participating in the UN Humanitarian Response Plans, UN Refugee Response Plans, other UN appeals or humanitarian clusters coordinated by the UN Office for the Coordination of Humanitarian Affairs;
organisations and agencies to which the Union has granted the Humanitarian Partnership Certificate or which are certified or recognised by a Member State in accordance with national procedures;
Member States’ specialised agencies; or
the employees, grantees, subsidiaries or implementing partners of the entities referred to in points (a) to (f) while and to the extent that they are acting in those capacities.
Article 6
Article 7
Article 8
No claims in connection with any contract or transaction the performance of which has been affected, directly or indirectly, in whole or in part, by the measures imposed under this Decision, including claims for indemnity or any other claim of this type, such as a claim for compensation or a claim under a guarantee, in particular a claim for extension or payment of a bond, guarantee or indemnity, in particular a financial guarantee or financial indemnity, of whatever form, shall be satisfied, if they are made by:
designated natural or legal persons, entities or bodies listed in the Annex;
any natural or legal person, entity or body acting through or on behalf of one of the natural or legal persons, entities or bodies referred to in point (a).
Article 9
In order to maximise the impact of the measures set out in this Decision, the Union shall encourage third States to adopt restrictive measures similar to those provided for in this Decision.
Article 10
This Decision shall apply until 18 May 2025 and shall be kept under constant review.
Article 11
This Decision shall enter into force on the day following that of its publication in the Official Journal of the European Union.
ANNEX
List of natural and legal persons, entities and bodies referred to in Articles 4 and 5
A. Natural persons
|
|
Name |
Identifying information |
Reasons |
Date of listing |
|
1. |
GAO Qiang |
Date of birth: 4 October 1983 Place of birth: Shandong Province, China Address: Room 1102, Guanfu Mansion, 46 Xinkai Road, Hedong District, Tianjin, China Nationality: Chinese Gender: male |
Gao Qiang is involved in ‘Operation Cloud Hopper’, a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and of cyber-attacks with a significant effect against third States. ‘Operation Cloud Hopper’ has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss. The actor publicly known as ‘APT10’ (‘Advanced Persistent Threat 10’) (a.k.a. ‘Red Apollo’, ‘CVNX’, ‘Stone Panda’, ‘MenuPass’ and ‘Potassium’) carried out ‘Operation Cloud Hopper’. Gao Qiang can be linked to APT10, including through his association with APT10 command and control infrastructure. Moreover, Huaying Haitai, an entity designated for providing support to and facilitating ‘Operation Cloud Hopper’, employed Gao Qiang. He has links with Zhang Shilong, who is also designated in connection with ‘Operation Cloud Hopper’. Gao Qiang is therefore associated with both Huaying Haitai and Zhang Shilong. |
30.7.2020 |
|
2. |
ZHANG Shilong |
Date of birth: 10 September 1981 Place of birth: China Address: Hedong, Yuyang Road No 121, Tianjin, China Nationality: Chinese Gender: male |
Zhang Shilong is involved in ‘Operation Cloud Hopper’, a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and of cyber-attacks with a significant effect against third States. ‘Operation Cloud Hopper’ has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss. The actor publicly known as ‘APT10’ (‘Advanced Persistent Threat 10’) (a.k.a. ‘Red Apollo’, ‘CVNX’, ‘Stone Panda’, ‘MenuPass’ and ‘Potassium’) carried out ‘Operation Cloud Hopper’. Zhang Shilong can be linked to APT10, including through the malware he developed and tested in connection with the cyber-attacks carried out by APT10. Moreover, Huaying Haitai, an entity designated for providing support to and facilitating ‘Operation Cloud Hopper’, employed Zhang Shilong. He has links with Gao Qiang, who is also designated in connection with ‘Operation Cloud Hopper’. Zhang Shilong is therefore associated with both Huaying Haitai and Gao Qiang. |
30.7.2020 |
|
3. |
Alexey Valeryevich MININ |
Алексей Валерьевич МИНИН Date of birth: 27.5.1972 Place of birth: Perm Oblast, Russian SFSR (now Russian Federation) Passport number: 120017582 Issued by: Ministry of Foreign Affairs of the Russian Federation Validity: from 17.4.2017 until 17.4.2022 Location: Moscow, Russian Federation Nationality: Russian Gender: male |
Alexey Minin took part in an attempted cyber-attack with a potentially significant effect against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands and in cyber-attacks with a significant effect against third States. As a human intelligence support officer of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), Alexey Minin was part of a team of four Russian military intelligence officers who attempted to gain unauthorised access to the Wi-Fi network of the OPCW in The Hague, the Netherlands, in April 2018. The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (Militaire Inlichtingen- en Veiligheidsdienst) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW. A grand jury in the Western District of Pennsylvania (United States of America) has indicted Alexey Minin, as an officer of the Russian Main Intelligence Directorate (GRU), for computer hacking, wire fraud, aggravated identity theft and money laundering. |
30.7.2020 |
|
4. |
Aleksei Sergeyvich MORENETS |
Алексей Сергеевич МОРЕНЕЦ Date of birth: 31.7.1977 Place of birth: Murmanskaya Oblast, Russian SFSR (now Russian Federation) Passport number: 100135556 Issued by: Ministry of Foreign Affairs of the Russian Federation Validity: from 17.4.2017 until 17.4.2022 Location: Moscow, Russian Federation Nationality: Russian Gender: male |
Aleksei Morenets took part in an attempted cyber-attack with a potentially significant effect against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands and in cyber-attacks with a significant effect against third States. As a cyber-operator for the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), Aleksei Morenets was part of a team of four Russian military intelligence officers who attempted to gain unauthorised access to the Wi-Fi network of the OPCW in The Hague, the Netherlands, in April 2018. The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (Militaire Inlichtingen- en Veiligheidsdienst) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW. A grand jury in the Western District of Pennsylvania (United States of America) has indicted Aleksei Morenets, as assigned to Military Unit 26165, for computer hacking, wire fraud, aggravated identity theft and money laundering. |
30.7.2020 |
|
5. |
Evgenii Mikhaylovich SEREBRIAKOV |
Евгений Михайлович СЕРЕБРЯКОВ Date of birth: 26.7.1981 Place of birth: Kursk, Russian SFSR (now Russian Federation) Passport number: 100135555 Issued by: Ministry of Foreign Affairs of the Russian Federation Validity: from 17.4.2017 until 17.4.2022 Location: Moscow, Russian Federation Nationality: Russian Gender: male |
Evgenii Serebriakov took part in an attempted cyber-attack with a potentially significant effect against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands and in cyber-attacks with a significant effect against third States. As a cyber-operator for the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), Evgenii Serebriakov was part of a team of four Russian military intelligence officers who attempted to gain unauthorised access to the Wi-Fi network of the OPCW in The Hague, the Netherlands, in April 2018. The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (Militaire Inlichtingen- en Veiligheidsdienst) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW. Since spring 2022, Evgenii Serebriakov is leading ‘Sandworm’ (a.k.a. ‘Sandworm Team’, ‘BlackEnergy Group’, ‘Voodoo Bear’, ‘Quedagh’, ‘Olympic Destroyer’ and ‘Telebots’), an actor and hacking group affiliated with Unit 74455 of the Russian Main Intelligence Directorate. Sandworm has carried out cyber-attacks on Ukraine, including Ukrainian government agencies, following Russia’s war of aggression against Ukraine. |
30.7.2020 |
|
6. |
Oleg Mikhaylovich SOTNIKOV |
Олег Михайлович СОТНИКОВ Date of birth: 24.8.1972 Place of birth: Ulyanovsk, Russian SFSR (now Russian Federation) Passport number: 120018866 Issued by: Ministry of Foreign Affairs of the Russian Federation Validity: from 17.4.2017 until 17.4.2022 Location: Moscow, Russian Federation Nationality: Russian Gender: male |
Oleg Sotnikov took part in an attempted cyber-attack with a potentially significant effect against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands and in cyber-attacks with a significant effect against third States. As a human intelligence support officer of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), Oleg Sotnikov was part of a team of four Russian military intelligence officers who attempted to gain unauthorised access to the Wi-Fi network of the OPCW in The Hague, the Netherlands, in April 2018. The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW’s ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (Militaire Inlichtingen- en Veiligheidsdienst) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW. A grand jury in the Western District of Pennsylvania has indicted Oleg Sotnikov, as an officer of the Russian Main Intelligence Directorate (GRU), for computer hacking, wire fraud, aggravated identity theft and money laundering. |
30.7.2020 |
|
7. |
Dmitry Sergeyevich BADIN |
Дмитрий Сергеевич БАДИН Date of birth: 15.11.1990 Place of birth: Kursk, Russian SFSR (now Russian Federation) Nationality: Russian Gender: male |
Dmitry Badin took part in a cyber-attack with a significant effect against the German federal parliament (Deutscher Bundestag) and in cyber-attacks with a significant effect against third States. As a military intelligence officer of the 85th Main Centre for Special Services (GTsSS) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), Dmitry Badin was part of a team of Russian military intelligence officers who conducted a cyber-attack against the German federal parliament in April and May 2015. That cyber-attack targeted the parliament’s information system and affected its operation for several days. A significant amount of data was stolen and the email accounts of several MPs, as well as of former Chancellor Angela Merkel, were affected. A grand jury in the Western District of Pennsylvania (United States of America) has indicted Dmitry Badin, as assigned to Military Unit 26165, for computer hacking, wire fraud, aggravated identity theft and money laundering. |
22.10.2020 |
|
8. |
Igor Olegovich KOSTYUKOV |
Игорь Олегович КОСТЮКОВ Date of birth: 21.2.1961 Nationality: Russian Gender: male |
Igor Kostyukov is the current Head of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), where he previously served as First Deputy Head. One of the units under his command is the 85th Main Centre for Special Services (GTsSS) (a.k.a. ‘Military Unit 26165’, ‘APT28’, ‘Fancy Bear’, ‘Sofacy Group’, ‘Pawn Storm’ and ‘Strontium’). In this capacity, Igor Kostyukov is responsible for cyber-attacks carried out by the GTsSS, including those with a significant effect constituting an external threat to the Union or its Member States. In particular, military intelligence officers of the GTsSS took part in the cyber-attack against the German federal parliament (Deutscher Bundestag) in April and May 2015 and the attempted cyber-attack aimed at hacking into the Wi-Fi network of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands in April 2018. The cyber-attack against the German federal parliament targeted the parliament’s information system and affected its operation for several days. A significant amount of data was stolen and email accounts of several MPs, as well as of former Chancellor Angela Merkel, were affected. |
22.10.2020 |
|
9. |
Ruslan Aleksandrovich PERETYATKO |
Руслан Александрович ПЕРЕТЯТЬКО Date of birth: 3.8.1985 Nationality: Russian Gender: Male |
Ruslan Peretyatko took part in cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States. ►C2 Ruslan Peretyatko is part of the “Callisto group” of Russian intelligence officers conducting cyber operations against EU Member States and third states. ◄ Callisto Group (a.k.a. ‘Seaborgium’, ‘Star Blizzard’, ‘ColdRiver’, ‘TA446’) has launched multi-year phishing campaigns used to steal account credentials and data. Furthermore, the Callisto group is responsible for campaigns targeting individuals and critical state functions, including in the areas of defence and external relations. Therefore, Ruslan Peretyatko is involved in cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States. |
24.6.2024 |
|
10. |
Andrey Stanislavovich KORINETS |
Андрей Станиславович КОРИНЕЦ Date of birth: 18.5.1987 Place of birth: City of Syktyvkar, Russia Nationality: Russian Gender: Male |
Andrey Stanislavovich Korinets took part in cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States. Andrey Stanislavovich Korinets is an officer of ‘Center 18’ of the Federal Security Service (FSB) of the Russian Federation. ►C2 Andrey Stanislavovich Korinets is part of the “Callisto group” of Russian intelligence officers conducting cyber operations against EU Member States and third states. ◄ Callisto Group (a.k.a. ‘Seaborgium’, ‘Star Blizzard’, ‘ColdRiver’, ‘TA446’) has launched multi-year phishing campaigns used to steal account credentials and data. Furthermore, the Callisto group is responsible for campaigns targeting individuals and critical state functions, including in the areas of defence and external relations. Therefore, Andrey Stanislavovich Korinets is involved in cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States. |
24.6.2024 |
|
11. |
Oleksandr SKLIANKO |
Александр СКЛЯНКО (Russian spelling) Олександр СКЛЯНКО (Ukrainian spelling) Date of birth: 5.8.1973 Passport: EC 867868, issued on 27.11.1998 (Ukraine) Gender: male |
Oleksandr Sklianko took part in cyberattacks with a significant effect against EU Member States, as well as cyberattacks with a significant effect against third states. Oleksandr Sklianko is part of the ‘Armageddon’ hacker group supported by the Federal Security Service (FSB) of the Russian Federation that carried out various cyberattacks with a significant effect on the government of Ukraine and on EU Member States and their government officials, including by using phishing emails and malware campaigns. Therefore, Oleksandr Sklianko is involved in cyberattacks with a significant effect against third states, as well as in cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States. |
24.6.2024 |
|
12. |
Mykola CHERNYKH |
Николай ЧЕРНЫХ (Russian spelling) Микола ЧЕРНИХ (Ukrainian spelling) Date of birth: 12.10.1978 Passport: EC 922162, issued on 20.01.1999 (Ukraine) Gender: male |
Mykola Chernykh took part in cyberattacks with a significant effect against EU Member States, as well as cyberattacks with a significant effect against third states. Mykola Chernykh is part of the ‘Armageddon’ hacker group supported by the Federal Security Service (FSB) of the Russian Federation that carried out various cyberattacks with a significant effect on the government of Ukraine and on EU Member States and their government officials, including by using phishing emails and malware campaigns. As a former employee of the Security Service of Ukraine, he is charged in Ukraine with treason and unauthorised interference in the operation of electronic computing machines and automated systems. Therefore, Mykola Chernykh is involved in cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States. |
24.6.2024 |
|
13. |
Mikhail Mikhailovich TSAREV |
Михаил Михайлович ЦАРЕВ Date of birth: 20.4.1989 Place of birth: Serpukhov, Russian Federation Nationality: Russian Address: Serpukhov Gender: male |
Mikhail Mikhailovich Tsarev took part in cyberattacks with a significant effect, which constitute an external threat to EU Member States. Mikhail Mikhailovich Tsarev, also known by the online monikers ‘Mango’, ‘Alexander Grachev’, ‘Super Misha’, ‘Ivanov Mixail’, ‘Misha Krutysha’, and ‘Nikita Andreevich Tsarev’ is a key-player in the deployment of the ‘Conti’ and ‘Trickbot’ malware programs and is involved in the Russia-based threat group ‘Wizard Spider’. The Conti and Trickbot malware programs were created and developed by Wizard Spider. Wizard Spider has conducted ransomware campaigns in a variety of sectors, including essential services such as health and banking. The group has infected computers worldwide and their malware has been developed into a highly modular malware suite. Campaigns by Wizard Spider, using malware such as Conti, ‘Ryuk’ and TrickBot, are responsible for substantial economic damage in the European Union. Mikhail Mikhailovich Tsarev is therefore involved in cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States. |
24.6.2024 |
|
14. |
Maksim Sergeevich GALOCHKIN |
Максим Сергеевич ГАЛОЧКИН Date of birth: 19.5.1982 Place of birth: Abakan, Russian Federation Nationality: Russian Gender: male |
Maksim Galochkin took part in cyberattacks with a significant effect, which constitute an external threat to EU Member States. Maksim Galochkin is also known by the online monikers ‘Benalen’, ‘Bentley’, ‘Volhvb’, ‘volhvb’, ‘manuel’, ‘Max17’ and ‘Crypt’. Galochkin is a key player in the deployment of the ‘Conti’ and ‘Trickbot’ malware programs and is involved in the Russia-based threat group ‘Wizard Spider’. He has led a group of testers, with responsibilities for the development, supervision, and implementation of tests for the TrickBot malware program, created and deployed by Wizard Spider. Wizard Spider has conducted ransomware campaigns in a variety of sectors, including essential services such as health and banking. The group has infected computers worldwide and their malware has been developed into a highly modular malware suite. Campaigns by Wizard Spider, using malware such as Conti, ‘Ryuk’ and TrickBot, are responsible for substantial economic damage in the European Union. Maksim Galochkin is therefore involved in cyberattacks with a significant effect, which constitute an external threat to the Union or its Member States. |
24.6.2024 |
|
15. |
Nikolay Alexandrovich KORCHAGIN |
Николай Александрович Корчагин Date of birth: 16.9.1997 Nationality: Russian Gender: male Associated entity: Main Directorate of the General Staff of the Armed Forces of the Russian Federation |
Nikolay Korchagin is involved in and responsible for cyber-attacks with a significant effect by conducting intelligence activities directed against Estonia and gaining access to a computer system illegally. Nikolay Korchagin is an officer of military unit 29155 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). In that role, he is involved in and responsible for cyber-attacks against computer systems with the aim of collecting data from the data systems of multiple institutions, which independently or in combination, give an overview of the cyber security policy of Estonia, the cyber capabilities of the state, sensitive personal data and other sensitive data, with the aim of using the data to threaten the security of Estonia. The attacks therefore concern the storage of classified information. The attacks concerned allies and partners of Estonia. Therefore, Nikolay Korchagin is involved in and responsible for cyber-attacks with a significant effect which constitute an external threat to a Member State. |
27.1.2025 |
|
16. |
Vitaly SHEVCHENKO |
Виталий Шевченко Date of birth: 1.9.1997 Nationality: Russian Gender: male Associated entity: Main Directorate of the General Staff of the Armed Forces of the Russian Federation |
Vitaly Shevchenko is involved in and responsible for cyber-attacks with a significant effect by conducting intelligence activities directed against Estonia and gaining access to a computer system illegally. Vitaly Shevchenko is an officer of military unit 29155 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). In that role, he is involved in and responsible for cyber-attacks against computer systems with the aim of collecting data from the data systems of multiple institutions, which independently or in combination, give an overview of the cyber security policy of Estonia, the cyber capabilities of the state, sensitive personal data and other sensitive data, with the aim of using the data to threaten the security of Estonia. The attacks therefore concern the storage of classified information. The attacks concerned allies and partners of Estonia. Therefore, Vitaly Shevchenko is involved in and responsible for cyber-attacks with a significant effect which constitute an external threat to a Member State. |
27.1.2025 |
|
17. |
Yuriy Fedorovich DENISOV |
Юрий Федорович Денисов Date of birth: 17.6.1980 Nationality: Russian Gender: male Associated entity: Main Directorate of the General Staff of the Armed Forces of the Russian Federation |
Yuriy Denisov is involved in and responsible for cyber-attacks with a significant effect by conducting intelligence activities directed against Estonia and gaining access to a computer system illegally. Yuriy Denisov is an officer of military unit 29155 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). In that role, he is involved in and responsible for cyber-attacks against computer systems with the aim of collecting data from the data systems of multiple institutions, which independently or in combination, give an overview of the cyber security policy of Estonia, the cyber capabilities of the state, sensitive personal data and other sensitive data, with the aim of using the data to threaten the security of Estonia. The attacks therefore concern the storage of classified information. The attacks concerned allies and partners of Estonia. Therefore, Yuriy Denisov is involved in and responsible for cyber-attacks with a significant effect which constitute an external threat to a Member State. |
27.1.2025 |
B. Legal persons, entities and bodies
|
|
Name |
Identifying information |
Reasons |
Date of listing |
|
1. |
Tianjin Huaying Haitai Science and Technology Development Co. Ltd (Huaying Haitai) |
a.k.a.: Haitai Technology Development Co. Ltd Location: Tianjin, China |
Huaying Haitai provided financial, technical or material support for and facilitated ‘Operation Cloud Hopper’, a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and of cyber-attacks with a significant effect against third States. ‘Operation Cloud Hopper’ has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss. The actor publicly known as ‘APT10’ (‘Advanced Persistent Threat 10’) (a.k.a. ‘Red Apollo’, ‘CVNX’, ‘Stone Panda’, ‘MenuPass’ and ‘Potassium’) carried out ‘Operation Cloud Hopper’. Huaying Haitai can be linked to APT10. Moreover, Huaying Haitai employed Gao Qiang and Zhang Shilong, who are both designated in connection with ‘Operation Cloud Hopper’. Huaying Haitai is therefore associated with Gao Qiang and Zhang Shilong. |
30.7.2020 |
|
2. |
Chosun Expo |
a.k.a.: Chosen Expo; Korea Export Joint Venture Location: DPRK |
Chosun Expo provided financial, technical or material support for and facilitated a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and of cyber-attacks with a significant effect against third States, including the cyber-attacks publicly known as ‘WannaCry’ and cyber-attacks against the Polish Financial Supervision Authority and Sony Pictures Entertainment, as well as cyber-theft from the Bangladesh Bank and attempted cyber-theft from the Vietnam Tien Phong Bank. ‘WannaCry’ disrupted information systems around the world by targeting information systems with ransomware and blocking access to data. It affected information systems of companies in the Union, including information systems relating to services necessary for the maintenance of essential services and economic activities within Member States. The actor publicly known as ‘APT38’ (‘Advanced Persistent Threat 38’) or the ‘Lazarus Group’ carried out ‘WannaCry’. Chosun Expo can be linked to APT38/the Lazarus Group, including through the accounts used for the cyber-attacks. |
30.7.2020 |
|
3. |
Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU) |
Address: 22 Kirova Street, Moscow, Russian Federation |
The Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), also known by its field post number 74455, is involved in cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and in cyber-attacks with a significant effect against third States, including the cyber-attacks publicly known as ‘NotPetya’ or ‘EternalPetya’ in June 2017 and the cyber-attacks directed at a Ukrainian power grid in the winter of 2015 and 2016. ‘NotPetya’ or ‘EternalPetya’ rendered data inaccessible in a number of companies in the Union, wider Europe and worldwide, by targeting computers with ransomware and blocking access to data, resulting amongst others in significant economic loss. The cyber-attack on a Ukrainian power grid resulted in parts of it being switched off during winter. The actor publicly known as ‘Sandworm’ (a.k.a. ‘Sandworm Team’, ‘BlackEnergy Group’, ‘Voodoo Bear’, ‘Quedagh’, ‘Olympic Destroyer’ and ‘Telebots’), which is also behind the attack on the Ukrainian power grid, carried out ‘NotPetya’ or ‘EternalPetya’. Sandworm has carried out cyber-attacks against Ukraine, including Ukrainian government agencies and Ukrainian critical infrastructure, following Russia’s war of aggression against Ukraine. Those cyber-attacks include spear-phishing campaigns, malware and ransomware attacks. The Main Centre for Special Technologies of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation has an active role in the cyber-activities undertaken by Sandworm and can be linked to Sandworm. |
30.7.2020 |
|
4. |
85th Main Centre for Special Services (GTsSS) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU) |
Address: Komsomol’skiy Prospekt, 20, Moscow, 119146, Russian Federation |
The 85th Main Centre for Special Services (GTsSS) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU) (a.k.a. ‘Military Unit 26165’, ‘APT28’, ‘Fancy Bear’, ‘Sofacy Group’, ‘Pawn Storm’ and ‘Strontium’) is involved in cyber-attacks with a significant effect constituting an external threat to the Union or its Member States and in cyber-attacks with a significant effect against third States. In particular, military intelligence officers of the GTsSS took part in the cyber-attack against the German federal parliament (Deutscher Bundestag) in April and May 2015 and the attempted cyber-attack aimed at hacking into the Wi-Fi network of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands in April 2018. The cyber-attack against the German federal parliament targeted the parliament’s information system and affected its operation for several days. A significant amount of data was stolen and email accounts of several MPs, as well as of former Chancellor Angela Merkel, were affected. Following Russia’s war of aggression against Ukraine, cyber-attacks by the GTsSS (spear-phishing and malware-based attacks) were carried out against Ukraine. |
22.10.2020 |