This is an HTML version of an attachment to the Freedom of Information request 'EU Cyber Sanctions - Intelligence packages'.


 
  
 
 
 

Council of the European Union

Brussels, 20 July 2020
(OR. en)
9564/20
LIMITE

CORLX 339
CFSP/PESC 601
RELEX 536
CYBER 126
JAI 581
FIN 472

LEGISLATIVE ACTS AND OTHER INSTRUMENTS
Subject: COUNCIL DECISION amending Decision (CFSP) 2019/797 concerning restrictive measures against cyber-attacks threatening the Union or its Member States
 
 
 
9564/20   NT/sr   RELEX.1.C   LIMITE   EN
 

 
COUNCIL DECISION (CFSP) 2020/… 
of … 
amending Decision (CFSP) 2019/797  
concerning restrictive measures against cyber-attacks  
threatening the Union or its Member States 
THE COUNCIL OF THE EUROPEAN UNION, 
Having regard to the Treaty on European Union, and in particular Article 29 thereof, 
Having regard to the proposal from the High Representative of the Union for Foreign Affairs and 
Security Policy, 
 
Whereas: 
(1) On 17 May 2019 the Council adopted Decision (CFSP) 2019/797¹.
(2) Targeted restrictive measures against cyber-attacks with a significant effect which
constitute an external threat to the Union or its Member States are among the measures
included in the Union's framework for a joint diplomatic response to malicious
cyber-activities (the cyber diplomacy toolbox) and are a vital instrument to deter and
respond to such activities. Restrictive measures can also be applied in response to
cyber-attacks with a significant effect against third States or international organisations,
where deemed necessary to achieve common foreign and security policy objectives set out
in the relevant provisions of Article 21 of the Treaty on European Union.

¹ Council Decision (CFSP) 2019/797 of 17 May 2019 concerning restrictive measures against
cyber-attacks threatening the Union or its Member States (OJ L 129I, 17.5.2019, p. 13).
 
(3) On 16 April 2018 the Council adopted conclusions in which it firmly condemned the
malicious use of information and communications technologies, including in the 
cyber-attacks publicly known as 'WannaCry' and 'NotPetya', which caused significant 
damage and economic loss in the Union and beyond. On 4 October 2018 the Presidents of 
the European Council and of the European Commission and the High Representative of the 
Union for Foreign Affairs and Security Policy (the 'High Representative') expressed 
serious concerns in a joint statement about an attempted cyber-attack to undermine the 
integrity of the Organisation for the Prohibition of Chemical Weapons (OPCW) in the 
Netherlands, an aggressive act which demonstrated contempt for the solemn purpose of the 
OPCW. In a declaration made on behalf of the Union on 12 April 2019, the High 
Representative urged actors to stop undertaking malicious cyber-activities that aim to 
undermine the Union's integrity, security and economic competitiveness, including acts of
cyber-enabled theft of intellectual property. Such cyber-enabled thefts include those 
carried out by the actor publicly known as 'APT10' ('Advanced Persistent Threat 10'). 
 
(4) In this context, and to prevent, discourage, deter and respond to continuing and increasing
malicious behaviour in cyberspace, six natural persons and three entities or bodies should 
be included in the list of natural and legal persons, entities and bodies subject to restrictive 
measures set out in the Annex to Decision (CFSP) 2019/797. Those persons and entities or 
bodies are responsible for, provided support for or were involved in, or facilitated 
cyber-attacks or attempted cyber-attacks, including the attempted cyber-attack against 
the OPCW and the cyber-attacks publicly known as 'WannaCry' and 'NotPetya', as well as 
'Operation Cloud Hopper'. 
(5) Decision (CFSP) 2019/797 should therefore be amended accordingly,
HAS ADOPTED THIS DECISION: 
 
Article 1 
The Annex to Decision (CFSP) 2019/797 is amended in accordance with the Annex to this 
Decision. 
Article 2 
This Decision shall enter into force on the date of its publication in the Official Journal of the
European Union.
Done at …,

For the Council
The President
ANNEX 
The following persons and entities or bodies are added to the list of natural and legal persons, entities and bodies set out in the Annex to 
Decision (CFSP) 2019/797: 
'A. Natural persons

Name / Identifying information / Reasons / Date of listing

1. GAO Qiang

Identifying information:
Place of birth: Shandong Province, China
Address: Room 1102, Guanfu Mansion, 46 Xinkai Road, Hedong District, Tianjin, China
Nationality: Chinese
Gender: male

Reasons:
Gao Qiang is involved in "Operation Cloud Hopper", a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and of cyber-attacks with a significant effect against third States.
"Operation Cloud Hopper" targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.
The actor publicly known as "APT10" ("Advanced Persistent Threat 10") (a.k.a. "Red Apollo", "CVNX", "Stone Panda", "MenuPass" and "Potassium") carried out "Operation Cloud Hopper".
Gao Qiang can be linked to APT10, including through his association with APT10 command and control infrastructure. Moreover, Huaying Haitai, an entity designated for providing support to and facilitating "Operation Cloud Hopper", employed Gao Qiang. He has links with Zhang Shilong, who is also designated in connection with "Operation Cloud Hopper". Gao Qiang is therefore associated with both Huaying Haitai and Zhang Shilong.

OJ: Please insert the date of entry into force of this Decision (ST 9564/2020).
 
2. ZHANG Shilong

Identifying information:
Address: Hedong, Yuyang Road No 121, Tianjin, China
Nationality: Chinese
Gender: male

Reasons:
Zhang Shilong is involved in "Operation Cloud Hopper", a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and of cyber-attacks with a significant effect against third States.
"Operation Cloud Hopper" has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.
The actor publicly known as "APT10" ("Advanced Persistent Threat 10") (a.k.a. "Red Apollo", "CVNX", "Stone Panda", "MenuPass" and "Potassium") carried out "Operation Cloud Hopper".
Zhang Shilong can be linked to APT10, including through the malware he developed and tested in connection with the cyber-attacks carried out by APT10. Moreover, Huaying Haitai, an entity designated for providing support to and facilitating "Operation Cloud Hopper", employed Zhang Shilong. He has links with Gao Qiang, who is also designated in connection with "Operation Cloud Hopper". Zhang Shilong is therefore associated with both Huaying Haitai and Gao Qiang.
 
3. Alexey Valeryevich MININ

Identifying information:
Алексей Валерьевич МИНИН
Date of birth: 27 May 1972
Place of birth: Perm Oblast, Russian SFSR (now Russian Federation)
Passport number: 120017582
Issued by: Ministry of Foreign Affairs of the Russian Federation
Validity: from 17 April 2017 until 17 April 2022
Location: Moscow, Russian Federation
Nationality: Russian
Gender: male

Reasons:
Alexey Minin took part in an attempted cyber-attack with a potentially significant effect against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands.
As a human intelligence support officer of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), Alexey Minin was part of a team of four Russian military intelligence officers who attempted to gain unauthorised access to the Wi-Fi network of the OPCW in The Hague, the Netherlands, in April 2018. The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW's ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.
                                                 
 
4. Aleksei Sergeyvich MORENETS

Identifying information:
Алексей Сергеевич МОРЕНЕЦ
Date of birth: 31 July 1977
Place of birth: Murmanskaya Oblast, Russian SFSR (now Russian Federation)
Passport number: 100135556
Issued by: Ministry of Foreign Affairs of the Russian Federation
Validity: from 17 April 2017 until 17 April 2022
Location: Moscow, Russian Federation
Nationality: Russian
Gender: male

Reasons:
Aleksei Morenets took part in an attempted cyber-attack with a potentially significant effect against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands.
As a cyber-operator for the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), Aleksei Morenets was part of a team of four Russian military intelligence officers who attempted to gain unauthorised access to the Wi-Fi network of the OPCW in The Hague, the Netherlands, in April 2018. The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW's ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.
                                                 
 
5. Evgenii Mikhaylovich SEREBRIAKOV

Identifying information:
Евгений Михайлович СЕРЕБРЯКОВ
Date of birth: 26 July 1981
Place of birth: Kursk, Russian SFSR (now Russian Federation)
Passport number: 100135555
Issued by: Ministry of Foreign Affairs of the Russian Federation
Validity: from 17 April 2017 until 17 April 2022
Location: Moscow, Russian Federation
Nationality: Russian
Gender: male

Reasons:
Evgenii Serebriakov took part in an attempted cyber-attack with a potentially significant effect against the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands.
As a cyber-operator for the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), Evgenii Serebriakov was part of a team of four Russian military intelligence officers who attempted to gain unauthorised access to the Wi-Fi network of the OPCW in The Hague, the Netherlands, in April 2018. The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW's ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.
                                                 
 
6. Oleg Mikhaylovich SOTNIKOV

Identifying information:
Олег Михайлович СОТНИКОВ
Date of birth: 24 August 1972
Place of birth: Ulyanovsk, Russian SFSR (now Russian Federation)
Passport number: 120018866
Issued by: Ministry of Foreign Affairs of the Russian Federation
Validity: from 17 April 2017 until 17 April 2022
Location: Moscow, Russian Federation
Nationality: Russian
Gender: male

Reasons:
Oleg Sotnikov took part in an attempted cyber-attack with a potentially significant effect against the Organisation for the Prohibition of Chemical Weapons (OPCW), in the Netherlands.
As a human intelligence support officer of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), Oleg Sotnikov was part of a team of four Russian military intelligence officers who attempted to gain unauthorised access to the Wi-Fi network of the OPCW in The Hague, the Netherlands, in April 2018. The attempted cyber-attack was aimed at hacking into the Wi-Fi network of the OPCW, which, if successful, would have compromised the security of the network and the OPCW's ongoing investigatory work. The Netherlands Defence Intelligence and Security Service (DISS) (Militaire Inlichtingen- en Veiligheidsdienst – MIVD) disrupted the attempted cyber-attack, thereby preventing serious damage to the OPCW.
                                                 
 
B. Legal persons, entities and bodies

Name / Identifying information / Reasons / Date of listing

1. Tianjin Huaying Haitai Science and Technology Development Co. Ltd (Huaying Haitai)

Identifying information:
a.k.a.: Haitai Technology Development Co. Ltd
Location: Tianjin, China

Reasons:
Huaying Haitai provided financial, technical or material support for and facilitated "Operation Cloud Hopper", a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and of cyber-attacks with a significant effect against third States.
"Operation Cloud Hopper" has targeted information systems of multinational companies in six continents, including companies located in the Union, and gained unauthorised access to commercially sensitive data, resulting in significant economic loss.
The actor publicly known as "APT10" ("Advanced Persistent Threat 10") (a.k.a. "Red Apollo", "CVNX", "Stone Panda", "MenuPass" and "Potassium") carried out "Operation Cloud Hopper".
Huaying Haitai can be linked to APT10. Moreover, Huaying Haitai employed Gao Qiang and Zhang Shilong, who are both designated in connection with "Operation Cloud Hopper". Huaying Haitai is therefore associated with Gao Qiang and Zhang Shilong.
                                                 
 
2. Chosun Expo

Identifying information:
a.k.a.: Chosen Expo; Korea Export Joint Venture
Location: DPRK

Reasons:
Chosun Expo provided financial, technical or material support for and facilitated a series of cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and of cyber-attacks with a significant effect against third States, including the cyber-attacks publicly known as "WannaCry" and cyber-attacks against the Polish Financial Supervision Authority and Sony Pictures Entertainment, as well as cyber-theft from the Bangladesh Bank and attempted cyber-theft from the Vietnam Tien Phong Bank.
"WannaCry" disrupted information systems around the world by targeting information systems with ransomware and blocking access to data. It affected information systems of companies in the Union, including information systems relating to services necessary for the maintenance of essential services and economic activities within Member States.
The actor publicly known as "APT38" ("Advanced Persistent Threat 38") or the "Lazarus Group" carried out "WannaCry".
Chosun Expo can be linked to APT38 / the Lazarus Group, including through the accounts used for the cyber-attacks.
                                                 
 
3. Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU)

Identifying information:
Address: 22 Kirova Street, Moscow, Russian Federation

Reasons:
The Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), also known by its field post number 74455, is responsible for cyber-attacks with a significant effect originating from outside the Union and constituting an external threat to the Union or its Member States and for cyber-attacks with a significant effect against third States, including the cyber-attacks publicly known as "NotPetya" or "EternalPetya" in June 2017 and the cyber-attacks directed at a Ukrainian power grid in the winter of 2015 and 2016.
"NotPetya" or "EternalPetya" rendered data inaccessible in a number of companies in the Union, wider Europe and worldwide, by targeting computers with ransomware and blocking access to data, resulting amongst others in significant economic loss. The cyber-attack on a Ukrainian power grid resulted in parts of it being switched off during winter.
The actor publicly known as "Sandworm" (a.k.a. "Sandworm Team", "BlackEnergy Group", "Voodoo Bear", "Quedagh", "Olympic Destroyer" and "Telebots"), which is also behind the attack on the Ukrainian power grid, carried out "NotPetya" or "EternalPetya".
The Main Centre for Special Technologies of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation has an active role in the cyber-activities undertaken by Sandworm and can be linked to Sandworm.
'. 
 
 