Council of the
European Union
Brussels, 20 July 2020
(OR. en)
9564/20
LIMITE
CORLX 339
CFSP/PESC 601
RELEX 536
CYBER 126
JAI 581
FIN 472
LEGISLATIVE ACTS AND OTHER INSTRUMENTS
Subject:
COUNCIL DECISION amending Decision (CFSP) 2019/797 concerning
restrictive measures against cyber-attacks threatening the Union or its
Member States
9564/20
NT/sr
RELEX.1.C
LIMITE
EN
COUNCIL DECISION (CFSP) 2020/…
of …
amending Decision (CFSP) 2019/797
concerning restrictive measures against cyber-attacks
threatening the Union or its Member States
THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on European Union, and in particular Article 29 thereof,
Having regard to the proposal from the High Representative of the Union for Foreign Affairs and
Security Policy,
9564/20
NT/sr
1
RELEX.1.C
LIMITE
EN
Whereas:
(1)
On 17 May 2019 the Council adopted Decision (CFSP) 2019/797
1.
(2)
Targeted restrictive measures against cyber-attacks with a significant effect which
constitute an external threat to the Union or its Member States are among the measures
included in the Union's framework for a joint diplomatic response to malicious
cyber-activities (the cyber diplomacy toolbox) and are a vital instrument to deter and
respond to such activities. Restrictive measures can also be applied in response to
cyber-attacks with a significant effect against third States or international organisations,
where deemed necessary to achieve common foreign and security policy objectives set out
in the relevant provisions of Article 21 of the Treaty on European Union.
1
Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against
cyber-attacks threatening the Union or its Member States (OJ L 129I, 17.5.2019, p. 13).
9564/20
NT/sr
2
RELEX.1.C
LIMITE
EN
(3)
On 16 April 2018 the Council adopted conclusions in which it firmly condemned the
malicious use of information and communications technologies, including in the
cyber-attacks publicly known as 'WannaCry' and 'NotPetya', which caused significant
damage and economic loss in the Union and beyond. On 4 October 2018 the Presidents of
the European Council and of the European Commission and the High Representative of the
Union for Foreign Affairs and Security Policy (the 'High Representative') expressed
serious concerns in a joint statement about an attempted cyber-attack to undermine the
integrity of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the
Netherlands, an aggressive act which demonstrated contempt for the solemn purpose of the
OPCW. In a declaration made on behalf of the Union on 12 April 2019, the High
Representative urged actors to stop undertaking malicious cyber-activities that aim to
undermine the Union's integrity, security and economic competiveness, including acts of
cyber-enabled theft of intellectual property. Such cyber-enabled thefts include those
carried out by the actor publicly known as 'APT10' ('Advanced Persistent Threat 10').
9564/20
NT/sr
3
RELEX.1.C
LIMITE
EN
(4)
In this context, and to prevent, discourage, deter and respond to continuing and increasing
malicious behaviour in cyberspace, six natural persons and three entities or bodies should
be included in the list of natural and legal persons, entities and bodies subject to restrictive
measures set out in the Annex to Decision (CFSP) 2019/797. Those persons and entities or
bodies are responsible for, provided support for or were involved in, or facilitated
cyber-attacks or attempted cyber-attacks, including the attempted cyber-attack against
the OPCW and the cyber-attacks publicly known as 'WannaCry' and 'NotPetya', as well as
'Operation Cloud Hopper'.
(5)
Decision (CFSP) 2019/797 should therefore be amended accordingly,
HAS ADOPTED THIS DECISION:
9564/20
NT/sr
4
RELEX.1.C
LIMITE
EN
Article 1
The Annex to Decision (CFSP) 2019/797 is amended in accordance with the Annex to this
Decision.
Article 2
This Decision shall enter into force on the date of its publication in the
Official Journal of the
European Union.
Done at …,
For the Council
The President
9564/20
NT/sr
5
RELEX.1.C
LIMITE
EN
ANNEX
The following persons and entities or bodies are added to the list of natural and legal persons, entities and bodies set out in the Annex to
Decision (CFSP) 2019/797:
'A.
Natural persons
Name
Identifying information
Reasons
Date of
listing
1. GAO Qiang
Place of birth: Shandong
Gao Qiang is involved in "Operation Cloud Hopper", a series of cyber-attacks
Province, China
with a significant effect originating from outside the Union and constituting an
Address: Room 1102, Guanfu
external threat to the Union or its Member States and of cyber-attacks with a
Mansion, 46 Xinkai Road,
significant effect against third States.
Hedong District, Tianjin, China
"Operation Cloud Hopper" targeted information systems of multinational
Nationality: Chinese
companies in six continents, including companies located in the Union, and
gained unauthorised access to commercially sensitive data, resulting in
Gender: male
significant economic loss.
OJ: Please insert the date of entry into force of this Decision (ST 9564/2020).
9564/20
NT/sr
1
ANNEX
RELEX.1.C
LIMITE
EN
Name
Identifying information
Reasons
Date of
listing
The actor publicly known as "APT10" ("Advanced Persistent Threat 10")
(a.k.a. "Red Apollo", "CVNX", "Stone Panda", "MenuPass" and "Potassium")
carried out "Operation Cloud Hopper".
Gao Qiang can be linked to APT10, including through his association with
APT10 command and control infrastructure. Moreover, Huaying Haitai, an
entity designated for providing support to and facilitating "Operation Cloud
Hopper", employed Gao Qiang. He has links with Zhang Shilong, who is also
designated in connection with "Operation Cloud Hopper". Gao Qiang is
therefore associated with both Huaying Haitai and Zhang Shilong.
9564/20
NT/sr
2
ANNEX
RELEX.1.C
LIMITE
EN
Name
Identifying information
Reasons
Date of
listing
2. ZHANG Shilong
Address: Hedong, Yuyang Road Zhang Shilong is involved in "Operation Cloud Hopper", a series of
No 121, Tianjin, China
cyber-attacks with a significant effect originating from outside the Union and
Nationality: Chinese
constituting an external threat to the Union or its Member States and of
cyber-attacks with a significant effect against third States.
Gender: male
"Operation Cloud Hopper" has targeted information systems of multinational
companies in six continents, including companies located in the Union, and
gained unauthorised access to commercially sensitive data, resulting in
significant economic loss.
The actor publicly known as "APT10" ("Advanced Persistent Threat 10")
(a.k.a. "Red Apollo", "CVNX", "Stone Panda", "MenuPass" and "Potassium")
carried out "Operation Cloud Hopper".
OJ: Please insert the date of entry into force of this Decision (ST 9564/2020).
9564/20
NT/sr
3
ANNEX
RELEX.1.C
LIMITE
EN
Name
Identifying information
Reasons
Date of
listing
Zhang Shilong can be linked to APT10, including through the malware he
developed and tested in connection with the cyber-attacks carried out by
APT10. Moreover, Huaying Haitai, an entity designated for providing support
to and facilitating "Operation Cloud Hopper", employed Zhang Shilong. He has
links with Gao Qiang, who is also designated in connection with "Operation
Cloud Hopper". Zhang Shilong is therefore associated with both Huaying
Haitai and Gao Qiang.
9564/20
NT/sr
4
ANNEX
RELEX.1.C
LIMITE
EN
Name
Identifying information
Reasons
Date of
listing
3. Alexey
Алексей Валерьевич МИНИН Alexey Minin took part in an attempted cyber-attack with a potentially
Valeryevich
Date of birth: 27 May 1972
significant effect against the Organisation for the Prohibition of Chemical
MININ
Weapons (OPCW) in the Netherlands.
Place of birth: Perm Oblast,
Russian SFSR (now Russian
As a human intelligence support officer of the Main Directorate of the General
Federation)
Staff of the Armed Forces of the Russian Federation (GU/GRU), Alexey Minin
was part of a team of four Russian military intelligence officers who attempted
Passport number: 120017582
to gain unauthorised access to the Wi-Fi network of the OPCW in The Hague,
Issued by: Ministry of Foreign
the Netherlands, in April 2018. The attempted cyber-attack was aimed at
Affairs of the Russian
hacking into the Wi-Fi network of the OPCW, which, if successful, would have
Federation
compromised the security of the network and the OPCW's ongoing
Validity: from 17 April 2017
investigatory work. The Netherlands Defence Intelligence and Security Service
until 17 April 2022
(DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the
Location: Moscow, Russian
attempted cyber-attack, thereby preventing serious damage to the OPCW.
Federation
Nationality: Russian
Gender: male
OJ: Please insert the date of entry into force of this Decision (ST 9564/2020).
9564/20
NT/sr
5
ANNEX
RELEX.1.C
LIMITE
EN
Name
Identifying information
Reasons
Date of
listing
4. Aleksei Sergeyvich Алексей Сергеевич
Aleksei Morenets took part in an attempted cyber-attack with a potentially
MORENETS
МОРЕНЕЦ
significant effect against the Organisation for the Prohibition of Chemical
Date of birth: 31 July 1977
Weapons (OPCW) in the Netherlands.
Place of birth: Murmanskaya
As a cyber-operator for the Main Directorate of the General Staff of the Armed
Oblast, Russian SFSR (now
Forces of the Russian Federation (GU/GRU), Aleksei Morenets was part of a
Russian Federation)
team of four Russian military intelligence officers who attempted to gain
unauthorised access to the Wi-Fi network of the OPCW in The Hague, the
Passport number: 100135556
Netherlands, in April 2018. The attempted cyber-attack was aimed at hacking
Issued by: Ministry of Foreign
into the Wi-Fi network of the OPCW, which, if successful, would have
Affairs of the Russian
compromised the security of the network and the OPCW's ongoing
Federation
investigatory work. The Netherlands Defence Intelligence and Security Service
Validity: from 17 April 2017
(DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the
until 17 April 2022
attempted cyber-attack, thereby preventing serious damage to the OPCW.
Location: Moscow, Russian
Federation
Nationality: Russian
Gender: male
OJ: Please insert the date of entry into force of this Decision (ST 9564/2020).
9564/20
NT/sr
6
ANNEX
RELEX.1.C
LIMITE
EN
Name
Identifying information
Reasons
Date of
listing
5. Evgenii
Евгений Михайлович
Evgenii Serebriakov took part in an attempted cyber-attack with a potentially
Mikhaylovich
СЕРЕБРЯКОВ
significant effect against the Organisation for the Prohibition of Chemical
SEREBRIAKOV
Date of birth: 26 July 1981
Weapons (OPCW) in the Netherlands.
Place of birth: Kursk, Russian
As a cyber-operator for the Main Directorate of the General Staff of the Armed
SFSR (now Russian Federation) Forces of the Russian Federation (GU/GRU), Evgenii Serebriakov was part of a
team of four Russian military intelligence officers who attempted to gain
Passport number: 100135555
unauthorised access to the Wi-Fi network of the OPCW in The Hague, the
Issued by: Ministry of Foreign
Netherlands, in April 2018. The attempted cyber-attack was aimed at hacking
Affairs of the Russian
into the Wi-Fi network of the OPCW, which, if successful, would have
Federation
compromised the security of the network and the OPCW's ongoing
Validity: from 17 April 2017
investigatory work. The Netherlands Defence Intelligence and Security Service
until 17 April 2022
(DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the
Location: Moscow, Russian
attempted cyber-attack, thereby preventing serious damage to the OPCW.
Federation
Nationality: Russian
Gender: male
OJ: Please insert the date of entry into force of this Decision (ST 9564/2020).
9564/20
NT/sr
7
ANNEX
RELEX.1.C
LIMITE
EN
Name
Identifying information
Reasons
Date of
listing
6. Oleg Mikhaylovich Олег Михайлович
Oleg Sotnikov took part in an attempted cyber-attack with a potentially
SOTNIKOV
СОТНИКОВ
significant effect against the Organisation for the Prohibition of Chemical
Date of birth: 24 August 1972
Weapons (OPCW), in the Netherlands.
Place of birth: Ulyanovsk,
As a human intelligence support officer of the Main Directorate of the General
Russian SFSR (now Russian
Staff of the Armed Forces of the Russian Federation (GU/GRU), Oleg Sotnikov
Federation)
was part of a team of four Russian military intelligence officers who attempted
to gain unauthorised access to the Wi-Fi network of the OPCW in The Hague,
Passport number: 120018866
the Netherlands, in April 2018. The attempted cyber-attack was aimed at
Issued by: Ministry of Foreign
hacking into the Wi-Fi network of the OPCW, which, if successful, would have
Affairs of the Russian
compromised the security of the network and the OPCW's ongoing
Federation
investigatory work. The Netherlands Defence Intelligence and Security Service
Validity: from 17 April 2017
(DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the
until 17 April 2022
attempted cyber-attack, thereby preventing serious damage to the OPCW.
Location: Moscow, Russian
Federation
Nationality: Russian
Gender: male
OJ: Please insert the date of entry into force of this Decision (ST 9564/2020).
9564/20
NT/sr
8
ANNEX
RELEX.1.C
LIMITE
EN
B.
Legal persons, entities and bodies
Name
Identifying
Reasons
Date of
information
listing
1. Tianjin Huaying Haitai a.k.a.: Haitai
Huaying Haitai provided financial, technical or material support for and facilitated
Science and
Technology
"Operation Cloud Hopper", a series of cyber-attacks with a significant effect
Technology
Development Co. Ltd originating from outside the Union and constituting an external threat to the Union or
Development Co. Ltd
Location: Tianjin,
its Member States and of cyber-attacks with a significant effect against third States.
(Huaying Haitai)
China
"Operation Cloud Hopper" has targeted information systems of multinational
companies in six continents, including companies located in the Union, and gained
unauthorised access to commercially sensitive data, resulting in significant economic
loss.
The actor publicly known as "APT10" ("Advanced Persistent Threat 10") (a.k.a. "Red
Apollo", "CVNX", "Stone Panda", "MenuPass" and "Potassium") carried out
"Operation Cloud Hopper".
Huaying Haitai can be linked to APT10. Moreover, Huaying Haitai employed Gao
Qiang and Zhang Shilong, who are both designated in connection with "Operation
Cloud Hopper". Huaying Haitai is therefore associated with Gao Qiang and Zhang
Shilong.
OJ: Please insert the date of entry into force of this Decision (ST 9564/2020).
9564/20
NT/sr
9
ANNEX
RELEX.1.C
LIMITE
EN
Name
Identifying
Reasons
Date of
information
listing
2. Chosun Expo
a.k.a.: Chosen Expo; Chosun Expo provided financial, technical or material support for and facilitated a
Korea Export Joint
series of cyber-attacks with a significant effect originating from outside the Union
Venture
and constituting an external threat to the Union or its Member States and of cyber-
Location: DPRK
attacks with a significant effect against third States, including the cyber-attacks
publicly known as "WannaCry" and cyber-attacks against the Polish Financial
Supervision Authority and Sony Pictures Entertainment, as well as cyber-theft from
the Bangladesh Bank and attempted cyber-theft from the Vietnam Tien Phong Bank.
"WannaCry" disrupted information systems around the world by targeting
information systems with ransomware and blocking access to data. It affected
information systems of companies in the Union, including information systems
relating to services necessary for the maintenance of essential services and economic
activities within Member States.
The actor publicly known as "APT38" ("Advanced Persistent Threat 38") or the
"Lazarus Group" carried out "WannaCry".
Chosun Expo can be linked to APT38 / the Lazarus Group, including through the
accounts used for the cyber-attacks.
OJ: Please insert the date of entry into force of this Decision (ST 9564/2020).
9564/20
NT/sr
10
ANNEX
RELEX.1.C
LIMITE
EN
Name
Identifying
Reasons
Date of
information
listing
3. Main Centre for
Address: 22 Kirova
The Main Centre for Special Technologies (GTsST) of the Main Directorate of the
Special Technologies
Street, Moscow,
General Staff of the Armed Forces of the Russian Federation (GU/GRU), also known
(GTsST) of the Main
Russian Federation
by its field post number 74455, is responsible for cyber-attacks with a significant
Directorate of the
effect originating from outside the Union and constituting an external threat to the
General Staff of the
Union or its Member States and for cyber-attacks with a significant effect against
Armed Forces of the
third States, including the cyber-attacks publicly known as "NotPetya" or
Russian Federation
"EternalPetya" in June 2017 and the cyber-attacks directed at an Ukrainian power
(GU/GRU)
grid in the winter of 2015 and 2016.
"NotPetya" or "EternalPetya" rendered data inaccessible in a number of companies in
the Union, wider Europe and worldwide, by targeting computers with ransomware
and blocking access to data, resulting amongst others in significant economic loss.
The cyber-attack on a Ukrainian power grid resulted in parts of it being switched off
during winter.
OJ: Please insert the date of entry into force of this Decision (ST 9564/2020).
9564/20
NT/sr
11
ANNEX
RELEX.1.C
LIMITE
EN
Name
Identifying
Reasons
Date of
information
listing
The actor publicly known as "Sandworm" (a.k.a. "Sandworm Team", "BlackEnergy
Group", "Voodoo Bear", "Quedagh", "Olympic Destroyer" and "Telebots"), which is
also behind the attack on the Ukrainian power grid, carried out "NotPetya" or
"EternalPetya".
The Main Centre for Special Technologies of the Main Directorate of the General
Staff of the Armed Forces of the Russian Federation has an active role in the
cyber-activities undertaken by Sandworm and can be linked to Sandworm.
'.
9564/20
NT/sr
12
ANNEX
RELEX.1.C
LIMITE
EN