
Attribution: A Major Challenge for EU Cyber Sanctions

An Analysis of WannaCry, NotPetya, Cloud Hopper, Bundestag Hack and the Attack on the OPCW

SWP Research Paper 2021/RP 11, 16.12.2021, 42 Pages

doi:10.18449/2021RP11

  • The attribution of cyberattacks is a sovereign act by the EU Member States. However, these all have different technical and intelligence capabilities. This leads to a lack of coherence in European cyber diplomacy, for example when imposing cyber sanctions.

  • Analysis of policy responses to the WannaCry, NotPetya, Cloud Hopper, OPCW, and Bundestag hack cyber incidents reveals the following problems: Attribution takes a long time and relies on intelligence from NATO partners; the technical realities and the legal facts for classifying and prosecuting cyberattacks do not always match; the weighting of the criteria for establishing what constitutes a crime is unclear.

  • Cyber sanctions should be proportionate, targeted measures, and destructive attacks, such as WannaCry or NotPetya, should result in harsher punishment than everyday cases of cyber espionage, such as Cloud Hopper or the Bundestag hack. The EU must adapt its tools accordingly.

  • The EU should tighten the legal criteria and harmonise the standards of evidence for attribution. The EU Joint Cyber Unit and EU INTCEN, part of the European External Action Service, should be strengthened to improve the exchange of forensic information and to coordinate attribution policy more effectively.

  • EU Member States and their allied partners should better coordinate political signalling to condemn cyberattacks. To this end, it would make sense to allow qualified majority voting for the adoption of cyber sanctions.

Issues and Recommendations

The European Union first imposed what were referred to as “cyber sanctions” against individuals associated with the Russian, North Korean and Chinese governments in July 2020. The measures include travel bans and asset freezes. They apply across the EU 27 and have been adopted as a diplomatic or political response to malicious cyber operations against the EU. Cyber sanctions are only one of the common diplomatic instruments that are part of the EU’s cyber diplomacy toolbox. Their intensity is adjusted to stay below the threshold for armed conflict. Since 2017, EU Member States have been using this toolbox to try to respond to serious cyber operations in a coordinated way under the Common Foreign and Security Policy (CFSP). However, demonstrating and implementing a proportionate, coherent and, above all, legally justified EU response to cyberattacks is highly challenging. The diplomatic response must be consistent from a legal, technical and political perspective, in the event that listed individuals challenge the EU’s restrictive measures (financial sanctions or travel restrictions) in court. Under Article 263 IV of the Treaty on the Functioning of the European Union (TFEU), the targets of such punitive measures enjoy full legal protection from the European Court of Justice (ECJ).

If the EU wants to impose legitimate cyber sanctions, it first needs to determine the origin (attribution) of cyberattacks in a careful and reasonable manner. However, at EU level, the process of attribution, i.e. the technical, legal and political assignment of individual responsibility for cyberattacks, is incoherent and partly contradictory. The reasons for this are manifold. Attribution is a sovereign act of the Member States, which have varying technical and intelligence capabilities. The EU’s role is only to coordinate, collect forensic evidence and share intelligence among the Member States and EU institutions. Given the increasing number and intensity of attacks in the cyber and information space (CIR), attribution is key. It is also necessary to be able to uphold the principle of responsible state behaviour which the EU promotes.

The central question this study seeks to answer is therefore: How does the process of attribution of cyberattacks, from a legal, technical and political perspective, function in the EU? What are the shortcomings, inconsistencies and contradictions in this process? What are the implications for the EU’s adoption of cyber sanctions? What lessons learned can be derived from the analysis of historical cases where sanctions were implemented? The study analyses five specific cyberattacks against the EU (WannaCry 2017, NotPetya 2017, Operation Cloud Hopper 2016, the 2015 Bundestag hack, and the 2018 attack on the Organization for the Prohibition of Chemical Weapons, which was prevented) and finds:

First, the EU’s attribution capacity is highly dependent on intelligence sharing with the US and the UK. While the Five Eyes intelligence alliance (consisting of the US, the UK, Canada, Australia and New Zealand) coordinates its attribution and public naming and shaming in a manner which has a high media impact, the coordination processes in the EU 27 are naturally slower: months, if not years, pass between a cyber incident and the implementation of sanctions. To increase the effectiveness of political signalling, attribution must occur more quickly and coordination among Member States must be stepped up.

Second, the legal framework developed for EU cyber sanctions does not always reflect the technical realities of cyber operations. The criteria that a cyber incident must fulfil in order to justify legal sanctions need to be honed. A greater distinction should be made between successful attacks and attempts. The criminal intent and the strategic motivation of attacks can rarely be inferred from technical indicators alone. Nevertheless, technical indicators are key for the legal assessment of an attack and the subsequent justification of a sanction decision. Therefore, technical and legal language should be harmonised.

Third, cyber incidents should be more clearly differentiated according to their intensity and technical characteristics in order to tailor the EU’s diplomatic response to ensure it is proportional: WannaCry and NotPetya caused billions of dollars of damage worldwide and could have resulted in much harsher punitive measures than asset freezes.

Fourth, EU Member States would be well advised to harmonise the criteria required for attribution. Furthermore, attribution evidence should be more transparent, without jeopardising intelligence access. All Member States should use a comparable standardised system (probability yardstick) to enable a classification of responsibility.

Finally, information on indicators of compromise (IoCs), i.e. characteristics and data indicating that a system or network has been compromised, must be made available to all stakeholders through the Joint Cyber Unit in the EU Commission and the EU INTCEN within the European External Action Service (EEAS). Both institutions should be strengthened in terms of competence in order to improve cyber intelligence.

Against this background, the German government would be advised to actively support the French Presidency’s initiative to reform the EU Cyber Diplomacy Toolbox so that attacks on the EU’s critical infrastructure, supply chains and democratic institutions can be more effectively countered in future. This is in line with the requirements for the implementation of the December 2020 Cybersecurity Strategy.

EU Cyber Diplomacy and the Problem of Attribution

Since 2013, the European Union has been developing policy and regulatory measures to respond to “malicious” cyber operations directed against the EU from third countries (cybersecurity by law).1 Within the framework of its cyber diplomacy, the EU advocates the peaceful resolution of international disputes and emphasises the importance of a “global, open, free, stable and secure cyberspace”.2 This stance already shaped the first cybersecurity strategy in 2013 and was most recently confirmed in December 2020 with the current strategy.3 The stated aim is to maintain the stability, security and benefits of the Internet and to guarantee the use of information and communication technologies.4 Since then, the EU Member States have played a key role in multilateral forums, such as the Governmental Group of Experts and the Open Ended Working Group at United Nations (UN) level, in anchoring cyber norms in current international law and establishing and enforcing a rules-based international order in the cyber and information space (CIR).5 In 2015, the international community agreed that a response to cyberattacks should be proportional, i.e. that counterreactions are only legitimised under international law if the attacks are of a certain scale and produce certain effects, in other words are similar in intensity to an armed attack. The requirement of proportionality includes, for example, refraining from cyber operations against critical infrastructures. Active cyber defence is permitted if states fail to fulfil their due diligence obligations. These norms guide the EU’s actions.6

Since the spectacular cyber operations WannaCry and NotPetya (both in spring 2017), the political pressure to take action has increased.7 WannaCry is considered to be one of the most extensive cyberattacks to date with “victims” in over 150 countries. NotPetya is one of the most costly and destructive attacks to date.8 In June 2017, the Council of the EU agreed in a CFSP decision to develop a “diplomatic response framework” (known as the cyber diplomacy toolbox) to enable the Union to demonstrate a common, coordinated diplomatic counterresponse to serious cyber incidents below the threshold of armed conflict. Attackers are to be persuaded to refrain from attacks against the EU through threats of retaliation (“naming and shaming”). The Council consequently announced in April 2018 that it would no longer tolerate the misuse of information and communication technology (ICT) for “malicious” purposes.9 On 17 May 2019, the cyber sanctions regime was completed with Regulation (EU) 2019/796 on restrictive measures against cyber-attacks.10

In July 2020, years after the initial incidents, the Council of the EU imposed cyber sanctions against the North Korean, Chinese and Russian citizens deemed responsible for WannaCry, Cloud Hopper and NotPetya, respectively.11 The delay is explained in part by the fact that determining the responsibility for cyberattacks is technically and legally challenging because it requires IT forensic and intelligence capabilities. Only a few Member States, including Sweden, the Netherlands, Estonia, Austria, France and Germany, have these attribution capabilities and the political will to share information with other Member States via EU INTCEN, the intelligence analysis unit of the European External Action Service (EEAS). A prerequisite for Brussels to issue sanctions in response to cyberattacks is that the EU can plausibly prove the originator and the “malicious” intent. This is a rather complex undertaking, not only because of the decentralised structure of the cyber and information space, but also because of the different starting conditions in the Member States and the lack of analytical capabilities in the EEAS or at EU level.


Attribution is a central problem in cyber conflict research and poses a particular challenge for EU cyber diplomacy and its cyber sanctions regime.12 Security policy and the attribution of cyberattacks are the prerogative of EU Member States. These are reluctant to share sensitive intelligence at the EU level, as this allows inferences about national cyber defence capabilities. Sharing intelligence could compromise state sources and access to classified information. A collective, shared process of attribution occurs only sporadically within the EU: As a rule, each Member State attributes autonomously. The EU merely tries to pool the relevant information and coordinate the political response to cyberattacks. This circumstance makes it difficult for the Member States to act together to name and shame attackers in EU cyber diplomacy. Notwithstanding, coordinated attribution between Member States and EU institutions is a necessary precondition for activating the EU diplomatic response framework and sanctions.

A fragmented attribution process weakens the credibility, legitimacy and effectiveness of EU cyber diplomacy. A lack of coherence when it comes to measures is one consequence: the Russian intelligence officers who were subject to cyber sanctions in the form of travel bans and asset freezes in 2020 had already been subject to the same restrictive measures under a different EU sanctions regime a few years earlier. The measures were therefore duplicative and had no additional effect.13 Moreover, apart from the redundancy of this step, it is questionable to what extent travel restrictions and frozen accounts really have a deterrent effect on aggressors or are ultimately just symbolic politics.14 Moreover, the effectiveness and legitimacy of cyber sanctions suffer if the public naming and shaming of the perpetrators of cyberattacks is not supported by Member State governments.


It is up to each government to decide whether it will endorse the attributions published by other EU states, whether through diplomacy or the media. For example, only six of the 27 EU states have reaffirmed the 2020 sanctions against Russia through government or diplomatic statements.15 Although Germany helped to initiate cyber sanctions at the EU level after the 2015 Bundestag hack, the German government has been slow to publicly condemn the perpetrators. This half-heartedness unnecessarily diminishes the signalling effect of cyber sanctions. Given the unanimity requirement in the Council, a lack of coherence in signalling reduces the impact of punitive measures. As a result, cyberattackers are currently not sufficiently deterred from perpetrating attacks.16 The veto right and the polyphony of the Member States also damage the foreign policy credibility of the Europeans in international cyber diplomacy. As a result, EU states are undermining the principle of “due diligence” that was agreed upon within the framework of the United Nations.

The EU and the French government have announced that they will evaluate the cyber diplomacy toolbox, including the cyber sanctions, in the upcoming Council Presidency. When the EU imposes sanctions, it must comply with minimum standards of the rule of law vis-à-vis the individuals concerned. This is accompanied by qualitative requirements for attribution. In the following sections, this study will outline the urgency of reforming the diplomatic response framework and identify starting points for its redesign. To this end, it will first examine the cyber incidents that first triggered the cyber sanctions regime at the EU level in 2020, namely the 2015 Bundestag hack, WannaCry, NotPetya (both 2017), the attack on the Organisation for the Prohibition of Chemical Weapons (OPCW), and Operation Cloud Hopper. The focus is on how coherently the EU has classified these attacks from a technical, legal and political perspective. What the paper does not analyse, however, is the operational procedures of attribution between the security agencies, the exchange of information and knowledge between them, and the effectiveness of the sanctions regime in terms of its impact on the targets.

The Politics of Attribution

Attribution describes the process of assigning responsibility for a cyberattack to an actor. The key question is: who did it?17 The reliability of attribution changes over time as knowledge about a cyber incident gradually increases and uncertainty about responsibility potentially decreases. The more time and analytical skills available, the greater the certainty of attribution tends to be. The process has three levels: technical, legal and political (see Figure 1, p. 11). These build on each other, but sometimes their goals are conflicting:

The combination of these three levels can be defined as the policy of attribution. This refers to the process of technical and legal classification and public (non-) naming of the perpetrators of a cyberattack as well as the initiation of countermeasures.

After a cyber incident, the first step is technical attribution. This involves using IT forensics to evaluate technical artefacts and evidence such as network logs or malware traces (known as indicators of compromise, IoCs) in the computers affected by the attack. These are compared with the tactics, techniques and procedures (TTPs) of past incidents and then correlated with each other. Based on this, competing hypotheses about attackers can be generated, similar to what happens in criminal investigations. Put simply, the goal of technical attribution is to gather knowledge about the attacker’s actions (“knowing the attacker”). This process is tactical in nature, as it is difficult to infer the strategic or political motivation for a cyber incident from simple network artefacts.18 It is also difficult to conclusively answer the “socio-political question” of who was sitting at the computer and on whose behalf an attacker acted. Malware recycling among different hacker groups is a common phenomenon. Therefore, technical analysis alone cannot provide a direct answer as to who was behind an attack. Technical indications such as system language settings can provide clues, but they can also be deliberate false flags.19

In the course of the processes of legal and political attribution, which are not always clearly distinguishable, the attacked state tries to answer more actor-related questions: Which person or organisation is responsible for the hack? Who gave the order for it? What was the strategic or political motivation behind the operation? Here, the focus is no longer on purely technical indicators, but also on political factors such as national security strategies and geopolitical contexts.20 The core element of political attribution is the “naming and shaming” of the attacker, either bilaterally through non-public diplomatic channels or publicly, with the aim of exposing an aggressor. The goal of this political attribution is that the perpetrator will reconsider his or her behaviour and refrain from future attacks. Political attribution can thus also be public attribution, for example in conjunction with allies and partners, with a view to strengthening the legitimacy of condemning a perpetrator before the international public. However, a state may also deliberately refrain from public attribution if this does not seem opportune under the prevailing political circumstances, for example during a political crisis, if the evidence is thin or if its own sources are in danger of becoming compromised.21 Moreover, a state which engages in public attribution may have to reckon with countermeasures, such as sanctions. Political attribution thus always takes place in the context of international relations and power dynamics. Political attribution often requires a “judgement call”, because the technical indicators are not clear. Political attribution thus aims not only at knowing who the aggressor is, but also at naming them.

Figure 1

Legal attribution is essential and indispensable if the goal is a legitimate policy response to cyber incidents. Legal attribution describes the assignment of criminal blame or indictment. Political attribution and legal attribution of responsibility are formally distinct actions under international law.22 The distinction between individual and state responsibility is important.23 A necessary precondition of any legal attribution of responsibility is the legal classification of the incident: cybercrime is to be treated according to different legal statutes than a crime under international law. Cybercrime allows for individual sanctions, whereas an act in violation of international law can also legitimise collectively effective restrictive measures under precisely defined circumstances. Cybercrime is, in turn, also to be distinguished from cyberespionage, which is not prohibited under international law but can be punished individually under criminal law. And this, in turn, is to be distinguished from cyberattacks crossing the threshold of an armed attack, which are illegal under international law according to Article 2.4 of the UN Charter. The latter can even trigger the right of self-defence under Article 51 of the UN Charter and justify the use of military responses.

An adequate and proportionate legal response to cyberattacks requires detailed technical and policy competencies to classify incidents. States may legally assess the same cyber incident differently depending on their detection and investigation capabilities — for example by classifying the same incident either as cybercrime or as a covert espionage operation. Moreover, depending on the classification, there are also different requirements for evidentiary standards. Legal attribution also aims to hold individuals, the people behind the machine, accountable through the mechanisms of law enforcement. Higher standards of evidence apply than in the political process of naming and shaming. Evidence must stand up in court, making intelligence sources of limited use. Accordingly, the processes of political and legal attribution do not necessarily run in sync and sometimes there is a lack of consistency between them. For example, in the early stages after a cyberattack, when uncertainty is high and evidence is still thin, an actor may be falsely held publicly responsible, only for it to be discovered at a later stage, in the course of legal attribution, that this was a false-flag operation. One example of this is the cyberattack on the French broadcaster TV5 Monde in 2015, which was initially attributed to Islamic State (IS) in the context of terrorist attacks, but was later classified as a Russian false flag operation.24

Table 1 Criteria for the legal attribution of cyber incidents

Criterion: Cyberattack (Art. 1(3) and (7) Regulation [EU] 2019/796)
Required characteristics: Actions that involve
  a. access to information systems;
  b. information system interference;
  c. data interference; or
  d. data interception
  where such actions are not duly authorised by the owner or by another right holder of the system or data or of part of it, or are not permitted under the law of the Union or the Member State concerned. Including attempted cyberattacks.

Criterion: Attacker determination (Art. 1(2) and (4) Regulation [EU] 2019/796)
Required characteristics: Attackers
  a. are located outside the EU (natural/legal persons, entities or bodies) or operate from outside the EU;
  b. use infrastructure outside the EU.
  Victims are within the EU (critical infrastructures, including submarine cables and objects launched into outer space as part of critical infrastructure).

Criterion: Damage and scope (Art. 2 Regulation [EU] 2019/796)
Required characteristics: Determination of “significant effect” is measured according to
  a. the scope, extent, effect or severity of disruption caused, including to economic and societal activities, essential services, critical state functions, public order or public safety;
  b. the number of natural or legal persons, entities or bodies affected;
  c. the number of Member States concerned;
  d. the amount of economic loss caused, such as through large-scale theft of funds, economic resources or intellectual property;
  e. the economic benefit gained by the perpetrator for himself or for others;
  f. the amount or nature of data stolen or the scale of data breaches; or
  g. the nature of commercially sensitive data accessed.

Criterion: Target or victim (Art. 1(4) Regulation [EU] 2019/796)
Required characteristics:
  a. Critical infrastructure, including submarine cables and objects launched into space, which is essential for the maintenance of vital functions of society or the health, safety, security and people’s economic or social well-being;
  b. Services necessary for the maintenance of essential social and/or economic activities, in particular in the following sectors:
     1. Energy (electricity, oil and gas)
     2. Transport (air, rail, water and road)
     3. Banking, financial market infrastructures
     4. Healthcare (healthcare providers, hospitals and private clinics)
     5. Drinking water supply and distribution
     6. Digital infrastructure
     7. Any other sectors essential for the Member State concerned;
  c. Critical state functions, particularly in the following areas:
     1. Defence
     2. Governance
     3. Functioning of institutions, including those required for public elections or the voting process
     4. Functioning of economic and civil infrastructure
     5. Internal security
     6. External relations, including diplomatic missions
  d. Storage or processing of classified information
  e. Government emergency response teams

Source: Own representation

The executive and judiciary may come to different conclusions in classifying the same incident. An actor may be declared responsible because it seems politically convenient, while the technical and legal evidence tells a different story (“politicisation of intelligence”). Considering all these imponderables, it becomes clear how essential it is to develop a common understanding of what is meant by a serious cyberattack. This is a significant challenge for EU cyber diplomacy. The close coordination of attributing organisations at the state level (intelligence services, law enforcement agencies) as well as at the supranational and intergovernmental level is therefore essential.

What is a serious cyberattack against the EU?

In its regulation of 17 May 2019 (Article 1(1) of the Regulation), the EU defines a serious cyberattack as an external threat to the Union or its Member States with a significant or potentially significant impact.25 An external threat to the Member States occurs if cyberattacks are carried out against critical infrastructures, services or state institutions and processes that are essential for maintaining important societal functions or the health, safety and welfare of the population, in particular in the areas of energy, transport, banking, healthcare, drinking water supply or digital infrastructure (Article 1(4) of the Regulation). A cyberattack (or an attempted cyberattack) describes any act involving access to or interference with information and communication systems. Information systems are systems for the automatic processing of digital data; such a system is classified as having been interfered with if its operation is hindered or disrupted by damage, deletion, alteration, suppression or transmission of digital data. However, cyberattacks also occur when data is interfered with or intercepted. Therefore, stealing data, funds, economic resources or intellectual property, for example, are also classified as cyberattacks (Article 1(3) and (7) of the Regulation). Whether a cyberattack has a (potentially) significant impact is determined, among other things, by the scope, extent, effect or severity of the (attempted) disruption of economic and social activities, by the amount of material damage and the economic benefit obtained by the perpetrator, as well as by the amount and type of stolen data accessed (Article 2 of the Regulation).

Table 1 (p. 12f.) provides an overview of the legal characteristics used to classify cyberattacks. With these factual characteristics, the EU defines prohibited conduct and determines which characteristics a cyber incident must fulfil under EU law in order to trigger a specific legal consequence.

Which institutions and procedures determine attribution?

The general principle of law (General Principle, Art. 38 para. 1c ICJ Statute) states that every state has the obligation not to knowingly permit its territory to be used for acts that violate the rights of other states.26 Under these principles, each Member State is free to choose its own method and procedure for attribution. While political attribution remains a sovereign act of the Member States, at the same time the EU has an essential coordinating function. There is no clear hierarchy in the “chain of command”.27 Institutionally, attribution is thus a parallel process running between the Commission, the Council and Europol and in coordination with the 27 Member States (see Figure 2, p. 15).

The Commission has set out the principles of EU action that also guide the other EU institutions. In September 2017, it prepared a blueprint for a coordinated response to large-scale cross-border cybersecurity incidents (blueprint for short).28 The guiding principles are respect for proportionality, subsidiarity, complementarity and confidentiality of information in the policy response to cyberattacks.29 In its draft, the EU Commission focused on building a resilient ICT structure, protecting the single market and implementing a cyber crisis response process. This so-called blueprint mechanism and the creation of the Joint Cyber Unit run in parallel to the CFSP’s crisis management. Diverging institutional interests may well exacerbate existing contradictions and incoherencies, but it is already becoming apparent that the EEAS, with the Hybrid Fusion Cell within EU INTCEN, has grown into its role. Member States realise that sharing information on cyber incidents provides collective added value. The EEAS shares information on the cyber warfare doctrines of third countries.

The framework for a joint diplomatic response to malicious cyber activities, the diplomatic response framework, takes effect when the Council has agreed that an external threat exists (see Figure 2, p. 15). Each Member State can submit a proposal to activate a specific measure or escalatory step from the repertoire of the cyber diplomacy toolbox. The preparatory arrangements for the Council decision are made by the Political and Security Committee (PSC), the Horizontal Working Party on Cyber Issues (HWPCI or HWP Cyber), the Commission President and her deputies, as well as the High Representative for Foreign Affairs and Security Policy (see Figure 2, centre). Cyberattacks are discussed and managed in the Horizontal Working Party, the technical body within the EU which coordinates the actions of the EU Member States. The Working Party receives evidence, which is investigated and verified by the law enforcement agencies and intelligence services of the Member States, in cooperation with the Computer Security Incident Response Teams (CSIRTs), the European Cybercrime Centre (EC3), the European Union Agency for Cybersecurity (ENISA) or the EU Computer Emergency Response Team (CERT-EU) (see Figure 2, top right).

Figure 2

The EEAS pools the collected information (Figure 2, left). Here, the responsibility lies with the Deputy Secretary-General for Crisis Response, the Single Intelligence Analysis Capacity (SIAC, which in turn consists of representatives from EU INTCEN and the Intelligence Division of the EU Military Staff, EUMS INT), and the Hybrid Threat Analysis Unit (EU Hybrid Fusion Cell).30 The focal point for a coordinated response is Europol’s European Cybercrime Centre (EC3). Serious cyber incidents should be reported to Europol. The EU’s top police authority conclusively identifies, assesses and classifies cyber incidents according to a threat matrix.31 Information for the assessment of the threat and damage potential is gathered via the Member States.

In the Council, the Council Presidency (which is also the chair of the Horizontal Working Party on Cyber Issues [HWPCI]) or the Permanent Representatives Committee (Coreper) deals with cybersecurity incidents. It is supported by the General Secretariat of the Council or the Political and Security Committee (PSC, Figure 2, centre right). At the working level, HWP Cyber is the central authority for attribution.32 It is here, in particular with the help of the legal department, that the factual legal dimension and the reliability of the information is analysed. The latter always requires a query to be submitted to INTCEN/SIAC. The classification of a cyber incident follows a linguistically defined code (probability yardstick). The Member States use a comparable standardised system precisely so that they can classify statements that have not been proven forensically. For the HWP Cyber, the goal of political attribution is to arrive at a common situation awareness. The willingness of Member States to participate in this process has increased with the increase in the number of publicly available forensic indicators of compromise (IoCs). These are often documented by private security analysis firms and are widely available.

Comprehensive intelligence and publicly available information, including information on the possible motivations of the attacker, as well as technical indicators, are key evidence for issuing cyber sanctions. The evidence may also be fundamental for investigations in criminal proceedings.33 At EU level, the Committee of Permanent Representatives (Coreper II) decides whether further investigations are necessary or whether the Council can impose sanctions. According to Article 31(1) of the Treaty on European Union (TEU), decisions must be taken by the Council acting unanimously. The natural or legal persons, entities or bodies responsible may then be included in the implementing regulation, i.e. placed on the sanctions list.34 A Council decision on the CFSP is a non-legislative act, but the Council’s implementing decisions and regulations on cyber sanctions are binding under Article 28(2) TEU.35

The cyber diplomacy toolbox: A step‑by‑step plan

The European Council or the Foreign Affairs Council agrees on the attribution and is responsible for the response to cyberattacks. The repertoire of measures in the cyber diplomacy toolbox largely coincides with the classic CFSP toolbox. However, the former is designed as a concrete step-by-step plan with increasing escalation potential. The attribution of a cyberattack to an originator is a necessary precondition for this. Each individual escalation level with the corresponding reaction, whether that be diplomatic, political or in compliance with international law, requires a unanimous Council decision (see Table 2, p. 18).

A wide range of CFSP tools can be used in cyber diplomacy.

The CFSP instruments used in cyber diplomacy range from preventive, cooperative, stabilising and restrictive measures to punitive measures for self-defence in accordance with international law. The intensity and scope of possible responses to cyberattacks increase accordingly.36 The EU Cyber Diplomacy Toolbox and the cyber sanctions therefore fulfil a “signalling” and “naming and shaming” function. The EU’s expected diplomatic counterreaction is thus transparent for each level of escalation.37 Potential attackers are to be deterred from malicious acts by the threat of legal, economic and military sanctions: “Sanctions are one of the options available in the Union’s framework for a joint diplomatic response to malicious cyber activities (the so-called cyber diplomacy toolbox) and are intended to prevent, discourage, deter and respond to continuing and increasing malicious behaviour in cyberspace”.38

Thus, depending on the severity of a cyber incident, a tailor-made diplomatic and/or appropriate response in conformity with international law can be taken from the toolbox. While the preventive and cooperative measures are largely similar to the classic instruments of diplomatic mediation, the stabilising and restrictive measures are aimed at concrete prevention of threats. The response in accordance with international law is decided autonomously by the EU heads of state and government.

This classification helps to make EU action more predictable and thus more reliable for third parties.

Preventive measures are low intensity and do not necessarily require attribution. This category includes formats for political dialogue with third countries. These are designed to influence the behaviour and position of partners by exchanging information and deepening cooperation.

Cooperative measures include, for example, EU demarches, i.e. diplomatic protest notes that can be submitted by the EU delegation in the respective host country on the instructions of the High Representative (HR). Demarches can also be made jointly with third countries.

Stabilising measures: The Council unanimously agrees on an EU action or common position. Implementing stabilising measures requires a unanimous decision. However, Article 31(2) TEU allows decisions to be made based on a qualified majority, unless the measures have military or defence implications. This could open up the possibility for appropriate decisions in the field of cyber diplomacy. So far, however, this option has not been used. A weaker signal can be sent by the HR on behalf of the EU by issuing a declaration for which the Council must give its prior consent. A declaration by the HR “on behalf of the EU” is usually made in cases where an EU position needs to be developed in light of a new situation or where an existing position needs to be adapted. The HR may also issue a declaration on their own responsibility if a rapid reaction is required and coordination within the EU 27 is not possible. In international diplomacy, however, other states usually notice whether or not all EU members have agreed to a declaration.

Restrictive measures: The EU may impose restrictive measures to enforce policy objectives resulting from serious cyberattacks. Such sanctions currently represent the highest level of escalation below the threshold of an armed conflict. They are, so to speak, the “hammer” in the EU toolbox (and are also referred to as such), as they are designed to have painful economic effects on third-party actors. Restrictive measures are usually directed against representatives of governments of certain third countries, but also against state-owned companies or other legal and natural persons. They must be adopted unanimously by the Council and be in line with the objectives of the CFSP as set out in Article 24 TEU.

Table 2 EU cyber diplomacy response framework (cyber diplomacy toolbox), extracted from the sources given below. In the original table, the five columns fall under three overarching headings, from left to right: Resilience, Defence (Denial) and Retaliation.

Preventive measures

  • Confidence and security-building dialogues

  • Capacity building in third countries

  • Awareness raising

Cooperative measures

  • EU demarches (if necessary in cooperation with third countries)

  • Diplomatic protest notes

Examples:

  • (Non-public) Demarche “on the need to respect the rules-based order in cyberspace” (April 2019)

  • (Non-public) Demarche “on the need to respect the rules-based order in cyberspace” (November 2019)

Stabilising measures

  • Common Position of the European Council

  • CFSP Decision

  • Statements by HR on behalf of the Council

  • Declaration of HR

Examples:

  • Council conclusions on WannaCry and NotPetya (April 2018)

  • “Common messages” (2018)

  • Statement HR/VP, Presidents of the European Council and the EU Commission on the OPCW attack (October 2018)

  • Declaration by HR on behalf of the EU “to respect the rules-based order in cyberspace” (April 2019)

Restrictive measures

  • Measures under Art. 215 TFEU/CFSP Decision Title V Chapter 2 TEU

  • Account blocking

  • Travel restrictions

Examples:

  • Horizontal cyber sanctions regime (May 2019)

  • “Coordinated Attribution at EU Level” (Annex to the Implementation Guidelines, June 2019)

  • Council Regulations (July 2020)

Measures in conformity with international law

  • Solidarity clause (Art. 222 TFEU)

  • Assistance clause (Art. 42 (7) TEU) in accordance with Article 51 UN Charter (right of self-defence)

Sources: Council of the European Union, Draft Council Conclusions on a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (“Cyber Diplomacy Toolbox”) – Adoption (Brussels, 7 June 2017), and Council of the European Union, Draft Implementing Guidelines for the Framework on a Joint EU Diplomatic Response to Malicious Cyber Activities (Brussels, 9 October 2017).

In the EU, as a general rule, sanctions should always be targeted (targeted sanctions).39 Broad trade embargoes have proven to be ineffective in the past and might harm civil society. Therefore, the EU generally imposes targeted measures such as asset freezes and travel and investment bans in response to malicious activities in the cyber and information space.40 Lists of individuals and companies, asset freezes or entry restrictions apply in all Member States. In principle, the persons targeted have the possibility of taking legal action against the imposition of sanctions. Legal protection against being listed by means of an implementing regulation exists via an action for annulment pursuant to Article 263 IV TFEU before the European Court of Justice (ECJ).

Restrictive measures under the CFSP are the most invasive instrument available in the cyber diplomacy toolbox below the threshold of an armed conflict. However, there is a sizable gap in the toolbox between the means available for civilian conflict resolution and those available for military conflict resolution as the highest level of escalation.

Responding in accordance with international law: The application of the solidarity and mutual assistance clauses, which only became part of the EU acquis with the Lisbon Treaty, is also an option in the event of a serious cyberattack against a Member State or the EU as a whole. The solidarity clause under Article 222 TFEU provides for EU states to assist each other if one or more of them has been the victim of terrorist attacks, natural or man-made disasters — and thus also of serious cyber incidents.

The strongest means of reaction would be to activate the mutual assistance clause under Article 42(7) TEU. The provision roughly corresponds to Article 5 of the NATO Treaty, but is subsidiary to it for NATO members. Specifically, it means that “in the event of an armed attack on the territory of a Member State”, the other Member States must provide assistance in accordance with Article 51 of the UN Charter (right of self-defence).41 Both clauses can only be applied in the case of cyberattacks that constitute a violation of the prohibition of the use of force (Art. 2.4 UN Charter) as jus cogens.

However, the right to military self-defence against cyberattacks is accompanied by high requirements: On the one hand, a cyber operation must be comparable to the use of armed force in terms of scope and effect in order to be classified as such. In addition, the operation must be either directly or indirectly attributable to a state or it must be possible to prove its responsibility (in a court of law).

Only a small number of Member States are technically capable of reactive defensive cyber counterattacks or cyber operations of their own.

Cyber sanctions need not necessarily be limited to the conventional instruments of the Common Foreign and Security Policy or the EU’s Common Security and Defence Policy described above. Self-defence can also take place within the cyber and information space.42 As a last resort in the toolbox, the heads of state and government in the Council have the possibility to decide on an “active” cyber defence in the form of a digital retaliatory strike (“hack back”). Reactive defensive cyber counterattacks or own cyber operations in third countries are possible under certain conditions, for example for security purposes. Currently, however, only a small number of Member States have the technical capabilities to execute these. Cyber operations on foreign networks in peacetime may constitute a violation of sovereignty. There is always the risk of causing significant collateral damage to innocent third parties. This, too, is at odds with the EU’s cyber strategy, which focuses on conflict prevention instead of escalation, on mitigating rather than exploiting IT insecurities, and on confidence and security-building measures and cyber diplomacy legitimised by the rule of law and international law.43

Case Studies: EU Cyber Sanctions and Their Attribution

The cyberattacks WannaCry 2017, NotPetya 2017, Operation Cloud Hopper 2017, Bundestag hack 2015 and the attempted attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) 2018 formed the basis for the imposition of the first EU cyber sanction regime by the Council of the European Union in July 2020. The Council had already classified these cases as malicious cyberattacks with a significant impact on the security of the Union and its Member States in May 2019.44 The European Commission and the High Representative justified the adoption of cyber sanctions on the basis of a hybrid threat constellation to the Union.45 The aforementioned cases are examined below with the aim of understanding the technical, political and legal dimensions of the EU’s attribution process. The analysis conducted is based on the elements defined in Council Regulation (EU) 2019/796 and Council Decision (CFSP) 2019/797 (see above, Table 1, p. 12).46 In the following, the discrepancies between a legally necessary and a politically sufficient attribution are illustrated on the basis of the first cyber sanctions regime and the cyber incidents on which it is founded.

WannaCry 2017

The WannaCry cyberattack began on 12 May 2017 and lasted only a few days. WannaCry was a type of ransomware. Ransomware encrypts target systems and renders them unavailable. Data is not available to the user until the ransom is paid, usually in bitcoins.47 The malware spread independently, much like a worm, on vulnerable target systems.48 This infection technique was based on an exploit called EternalBlue, previously stolen from the U.S. National Security Agency (NSA). The same vulnerability was also used in the NotPetya attack and in Chinese APT (advanced persistent threat) campaigns.49 EternalBlue used a flawed implementation of Microsoft’s SMB protocol, which is used to access files and printers on other machines on the same network. This allowed the malware to jump from computer to computer with no user interaction. This remained the case for as long as Microsoft had not closed the vulnerabilities in its Windows operating system with patches.50

Victims, damages and aim of the operation

According to media reports, approximately 230,000 computers in around 150 countries were affected by the WannaCry attack, including in EU Member States. The wormable nature of WannaCry allowed it to spread uncontrollably, resulting in numerous collateral effects. Ransom payments of around US$35,000 were made to decrypt the data. The total damage was estimated at around four billion U.S. dollars.51 Victims of the attack included companies such as Telefónica and O2 (Spain and EU), DB Schenker (a subsidiary of Deutsche Bahn), FedEx (USA), Renault (France), Nissan in the UK, Sony Pictures (USA), the telecommunications companies Vivo (Brazil) and MegaFon (Russia), Sandvik (Sweden), PetroChina and Chinese gas stations. Banco Bilbao Vizcaya Argentaria (Spain), Bangladesh Bank, Tien Phong Bank (Vietnam),52 the Russian Ministry of Internal Affairs, the Romanian Ministry of Foreign Affairs and the Polish Financial Supervisory Authority were also affected.53 The UK National Health Service (NHS) and numerous British hospitals had to suspend their operations.54 The damage in the UK was estimated at around £92 million. More than 19,000 treatments had to be cancelled. The attack therefore had an impact on the health and lives of patients.55 Deutsche Bahn’s ticket machines failed and blackmail messages appeared on numerous display boards.56

The strategic goal of the operation is somewhat difficult to determine. The nature of the worm, the use of an NSA exploit, the built-in “kill switch” via a domain name that can be extracted from the malicious code, and the need to manually decrypt infected computers all suggest that WannaCry was intended as a minor disruption and to create conflict with the NSA. The fact that the attack was relatively amateurish is inconsistent with a professional ransomware campaign and suggests that the motivation was not criminal: “High damage, high publicity, very high visibility to law enforcement, and probably the lowest profit margin we’ve seen from moderate or even small ransomware campaigns”, said cybersecurity researcher Craig Williams in his analysis of the attack.57 There were also suspicions that the attack could have been a red herring to cover up other espionage operations or to expose NSA operations. WannaCry could also have been a “last resort effort”, i.e. a measure aimed at capitalising on a previously exposed cyber operation before the vulnerability became useless.58

Attribution of the attackers

In June 2017, just two months after WannaCry, the NSA and the UK’s Government Communications Headquarters (GCHQ) intelligence agency claimed, with “moderate certainty”, that North Korea’s “Reconnaissance General Bureau” was linked to the WannaCry cyberattack.59 The UK and U.S. governments’ public attribution to North Korea came six months later, on 18 December 2017. The U.S. did not impose sanctions immediately.60 The UK National Cyber Security Centre (NCSC) said there was a “high probability” that the North Korean group “Lazarus” or “APT 38” was responsible for the attacks. The Five Eyes intelligence alliance (UK, U.S., Australia, New Zealand, Canada) and Japan backed this judgement. The governments involved did not provide any concrete evidence, with the clues instead coming from the cybersecurity industry. Symantec’s Amy L. Johnson had drawn a connection to the APT group Lazarus a few months earlier, in late May 2017.61 Security researchers Rafael Amado and Pasquale Stirparo, on the other hand, did not suspect that WannaCry had originated in North Korea.62 Also in May 2017, security firm Symantec had uncovered earlier versions of WannaCry circulating on the Internet, believed to be the result of malware test runs. These had similarities to the Lazarus Group’s tactics, techniques and procedures (TTPs).63 The components of WannaCry seemed to represent an evolution of the 2014 cyber operation against Sony Pictures. The same zip file passwords were used in WannaCry and the Sony hack. This is an indication that the malware was written by the same group.64 In addition, the campaigns’ bitcoin accounts were similar, suggesting the same creator.65 The IP addresses of the command and control (C2) servers and the use of similar encryption techniques for secure communication also supported the idea that this was the same group of actors. The U.S. government indicted software developers Park Jin Hyok, Jon Chang Hyok and Kim Il, employees of e-commerce firm Chosun Expo, about a year later, in September 2018. The company is owned by the North Korean state.66 Lazarus’ TTPs contained references to user accounts, fake online identities (fake online personas), passwords, reused software code and IP addresses that belonged to or could be attributed to Chosun Expo.67

EU response to WannaCry

On 16 April 2018, the Council published its conclusions condemning the malicious use of information and communication technologies in the form of the WannaCry and NotPetya attacks. However, it was not until the end of July 2020 that it imposed punitive economic measures on the Chosun Expo company,68 through Implementing Regulation (EU) 2020/1125.69 These targeted sanctions (“smart sanctions”) involved the freezing of all funds and economic resources owned, held or controlled by the listed natural or legal persons, entities or bodies. No funds or economic resources were to be made available, directly or indirectly, to the sanctioned persons, entities or bodies.

The attribution of responsibility to Lazarus/APT38 was preceded by elaborate diplomatic efforts. The attribution was based predominantly on information from the U.S. security services. The indictment against Park Jin Hyok – according to the U.S. Department of Justice70 an employee of a shell company in the service of the North Korean government – was based on about 1,000 seized email and social media accounts and 85 international letters. Mandiant and FireEye also played a central role in the attribution process.71 The criminal complaint against Park Jin Hyok revealed that the person, email addresses, IT infrastructure for the attack, victims and malware families were connected.72

Estonia,73 the Netherlands,74 France,75 the UK,76 Australia77 and the U.S.78 also welcomed the EU’s restrictive measures as a means of strengthening the message to those responsible. The U.S. attributed the attack to North Korea79 in June 2017, with the UK80 following suit in October 2017.81 While the UN Office on Drugs and Crime, or more specifically its Chief of Cybercrime Neil Walsh, condemned the WannaCry attack as a criminal act, no action was taken under international law.82

NotPetya 2017

On the eve of Ukraine’s “Constitution Day” (27 June 2017), a wiper malware disabled numerous computers around the world, but especially in Ukraine. It did this by deleting (“wiping”) hard drives.83 The NotPetya malware entered a local network via a supply chain attack on the update mechanism of Ukraine’s M.E.Doc tax management software.84 The malware spread independently, much like a worm, to companies that used the aforementioned software. Companies in numerous states were infected with NotPetya.85

So, what did NotPetya do? Once it had established a bridgehead on a system, a module in main memory attempted to extract user credentials, including those of administrators, with the tool. Using this data, the malware copied itself to other computers. Each newly infected computer in turn triggered the same distribution mechanism. Alternatively, distribution in corporate networks occurred via the same EternalBlue component that also appeared in WannaCry.86 Due to similarities in the code, analyses from late June 2017 initially classified the malware as a variant of the Petya ransomware family, which has been used by cyber criminals since 2016.87 The malware’s approach was similar to Petya, encrypting the hard drive and replacing the Microsoft bootloader with a payment request. The attackers demanded a US$300 ransom in bitcoins. In order to recover information, victims were supposed to send an email to an address at the Berlin provider Posteo. The provider immediately blocked the email account.88
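Both WannaCry and NotPetya spread over the same SMB vector, so the earliest signal a defender usually has is network-level: one host suddenly opening SMB sessions to many peers with no user involved. The script below is an added example (not from the paper or from any vendor analysis it cites) that flags that fan-out pattern in a constructed connection log; the log format, addresses, timestamps and thresholds are all assumptions.

```python
"""Flag worm-like SMB fan-out in a connection log.

Added example (not from the paper): EternalBlue-based spread, as in WannaCry
and NotPetya, shows up on the network as one host opening SMB (TCP/445)
sessions to many distinct peers within seconds. Log format, addresses and
timestamps below are constructed assumptions.
"""
from collections import defaultdict, deque

SMB_PORT = 445


def parse_line(line: str) -> tuple:
    """Parse one record of the assumed format '<unix_ts> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def detect_smb_fanout(lines, window_seconds: int = 60, threshold: int = 10) -> dict:
    """Return {src_ip: peak number of distinct SMB destinations inside any
    sliding window of window_seconds} for sources whose peak >= threshold."""
    records = sorted(parse_line(line) for line in lines if line.strip())
    per_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port == SMB_PORT:  # only SMB sessions count towards fan-out
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        window = deque()              # (ts, dst) pairs currently inside the window
        in_window = defaultdict(int)  # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            window.append((ts, dst))
            in_window[dst] += 1
            # expire events that fell out of the sliding window
            while window and window[0][0] < ts - window_seconds:
                _, old_dst = window.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed log; epoch 1494576000 is 12 May 2017 08:00 UTC, the morning WannaCry spread.
SAMPLE_LOG = (
    # infected host: 12 distinct SMB peers within 22 seconds (worm fan-out)
    [f"{1494576000 + i * 2} 10.0.1.17 10.0.1.{i + 1} 445" for i in range(12)]
    # workstation repeatedly reaching one file server (benign)
    + ["1494576005 10.0.1.20 10.0.1.5 445",
       "1494576040 10.0.1.20 10.0.1.5 445",
       "1494576090 10.0.1.20 10.0.1.5 445"]
    # admin host touching 12 peers, but spread over two hours (benign)
    + [f"{1494576000 + i * 600} 10.0.1.30 10.0.1.{i + 40} 445" for i in range(12)]
    # web browsing to many external hosts: wrong port, ignored
    + [f"{1494576001 + i} 10.0.2.9 203.0.113.{i + 1} 443" for i in range(15)]
)


if __name__ == "__main__":
    for src, peak in detect_smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {peak} distinct SMB peers within 60 s -> investigate")
```

The slow admin host is deliberately not flagged at the default window, which is the trade-off an analyst tunes: widening the window catches slower spread at the cost of more benign administrative activity being raised.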

Victims, damages and aim of the operation

The NotPetya and EternalPetya cyberattacks impacted 65 countries and around 49,000 systems worldwide. Among the victims were numerous companies in the EU.89 The ransomware resulted in a loss of data availability. The corporations affected included Maersk (Denmark), Rosneft (Russia), Merck Sharp & Dohme (USA), Mondelez (USA), FedEx/TNT (USA/Netherlands), Reckitt Benckiser (UK), Saint-Gobain (France) and Beiersdorf (Germany). In the U.S., the malware crippled the data processing structures of 80 hospitals and medical facilities of the Heritage Valley Health System.90 The attackers managed to infiltrate Ukrainian IT networks, systems of the National Bank of Ukraine, Kyiv Boryspil International Airport, the capital’s metro and the agency for managing the exclusion zone around the damaged nuclear power plant in Chernobyl.91 Many of the companies affected were essential for the maintenance of services of general interest – including in several EU countries.92 Worldwide, the cyberattack caused total economic damage of around US$10 billion.93 Individual companies were unable to restore their IT infrastructures for several weeks. The Danish shipping company Maersk and the freight service provider TNT Express each estimated their losses at over US$300 million. NotPetya is considered one of the most serious and costly cyber incidents.

The operation’s objective can be determined quite clearly: certain technical indicators, such as the single contact email address representing a “single point of failure” and allowing the extortion operation to be averted by means of simple countermeasures, are not typical of criminal activity. The unprofessional use of the ransomware raised doubts about whether a state actor was involved. It was only later that the malware’s wiper functionality was discovered, i.e. its ability to cause permanent data loss for those affected. NotPetya disguised itself as standard Petya ransomware. However, the malware was specifically targeted at Ukrainian systems and professionally executed as a political sabotage operation. As the process of attribution progressed, the theory was established that the NotPetya attack was actually a large-scale campaign of destruction targeting Ukraine. This is indicated by the attack vector via software primarily used in Ukraine. Whether the worldwide collateral damage was intended is still unclear; after all, Russian companies were also affected. It is therefore also conceivable that NotPetya was used as a means of diplomatic pressure (“tacit bargaining”) against Ukraine due to its high visibility.94

Attribution of the attackers

The technical attribution of NotPetya is complicated. The malware is associated with advanced persistent threats (APTs), attack campaigns known in the IT security industry by code names such as “Sandworm”, “BlackEnergy group”, “Voodoo Bear”, “Iron Viking”, “Quedagh”, “Olympic Destroyer” and “TeleBots”. At the time of the incident, it was not known how these APT groups related to each other, whether they were identical or only cooperated selectively, or what relationship they had to state agencies in Russia.

NotPetya was part of a multi-year campaign of numerous cyberattacks by these actors against Ukrainian businesses, government agencies and utilities.95 According to the Slovak IT security firm ESET, the APT group TeleBots used a new backdoor component from April 2018 that had similarities with Industroyer malware frameworks. Industroyer malware had previously been used to attack Ukraine’s power grid in December 2016.96 At that time, the code, attack infrastructure, IoCs and operational target did not allow for a clear political and legal attribution to one actor.97 Similarities and affinities in the malware of different attack campaigns are only an uncertain indication, as these only point to similar developers, not necessarily the same operational attackers.98 This is because cybercrime is organised around a division of labour and functionally differentiated, and different groups also copy TTPs.99 An attack may not be developed and executed by the same group. FireEye provided rather vague arguments for the attribution to Russia, namely that Russian-language documents were found on a C2 server of the APT group and that the group used a zero-day vulnerability in some cyber operations which had previously been presented at a Russian hacker conference.100
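The distinction drawn here, between overlaps that point to shared developers or copied tooling and overlaps that point to the same operators, can be made explicit when an analyst scores the evidence. The following is an added example, not the paper’s or any agency’s method: it compares constructed indicator sets for a WannaCry/Sony-style pair (reused archive passwords, wallets and C2 addresses, as in the WannaCry analysis above) and a NotPetya/Petya-style pair that shares only code-level traits. The indicator categories, all values and the confidence scale are assumptions, not the EU probability yardstick.

```python
"""Weigh overlapping indicators between two campaigns for attribution.

Added example (not from the paper): overlaps in code, crypto routines or TTPs
point to shared developers or copied tooling, while overlaps in infrastructure,
accounts, wallets or passwords point to the same operators. All indicator values
are constructed placeholders, and the four-step scale is an assumption, not the
EU probability yardstick.
"""
from dataclasses import dataclass

# Categories whose overlap speaks to the same operators ...
OPERATOR_LEVEL = {"c2_ip", "account", "wallet", "password"}
# ... versus categories that only point to similar developers (see text above).
DEVELOPER_LEVEL = {"code_similarity", "crypto_routine", "ttp"}


@dataclass
class Campaign:
    name: str
    indicators: dict  # category -> set of observed values (constructed)


def overlap(a: Campaign, b: Campaign) -> dict:
    """Per-category intersection of two campaigns' indicator values."""
    shared = {}
    for cat in a.indicators.keys() & b.indicators.keys():
        common = a.indicators[cat] & b.indicators[cat]
        if common:
            shared[cat] = common
    return shared


def assess(a: Campaign, b: Campaign, min_operator_categories: int = 2) -> tuple:
    """Return (level, shared) for the link between campaigns a and b.

    Levels (constructed scale):
      'same operators likely'  - overlaps in >= min_operator_categories operator-level categories
      'possible operator link' - some operator-level overlap, below that threshold
      'shared tooling only'    - developer-level overlaps only
      'no link'                - nothing in common
    """
    shared = overlap(a, b)
    operator_hits = sorted(c for c in shared if c in OPERATOR_LEVEL)
    developer_hits = sorted(c for c in shared if c in DEVELOPER_LEVEL)
    if len(operator_hits) >= min_operator_categories:
        return "same operators likely", shared
    if operator_hits:
        return "possible operator link", shared
    if developer_hits:
        return "shared tooling only", shared
    return "no link", shared


# Constructed campaigns; every value is a placeholder, not a real IoC.
WANNACRY_LIKE = Campaign("wannacry-like", {
    "password": {"zip-pw-constructed-1"},
    "wallet": {"wallet-constructed-A"},
    "c2_ip": {"198.51.100.7", "198.51.100.9"},
    "crypto_routine": {"stream-cipher-variant-x"},
    "ttp": {"spearphish-attachment", "smb-worm"},
})
SONY_2014_LIKE = Campaign("sony-2014-like", {
    "password": {"zip-pw-constructed-1"},
    "wallet": {"wallet-constructed-A"},
    "c2_ip": {"198.51.100.7"},
    "crypto_routine": {"stream-cipher-variant-x"},
    "ttp": {"spearphish-attachment", "wiper"},
})
NOTPETYA_LIKE = Campaign("notpetya-like", {
    "code_similarity": {"petya-bootloader-routine"},
    "crypto_routine": {"mft-encrypt-routine"},
    "ttp": {"supply-chain-update", "smb-worm", "credential-theft"},
    "c2_ip": set(),
})
PETYA_CRIMEWARE_LIKE = Campaign("petya-crimeware-like", {
    "code_similarity": {"petya-bootloader-routine"},
    "crypto_routine": {"mft-encrypt-routine"},
    "ttp": {"malspam-attachment"},
    "c2_ip": {"203.0.113.5"},
})


if __name__ == "__main__":
    for x, y in ((WANNACRY_LIKE, SONY_2014_LIKE), (NOTPETYA_LIKE, PETYA_CRIMEWARE_LIKE)):
        level, shared = assess(x, y)
        print(f"{x.name} vs {y.name}: {level}; shared categories: {sorted(shared)}")
```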

The CIA assumes that the Russian military was behind NotPetya. However, no evidence was presented.

The process of political and legal attribution turned out to be a difficult one. The German Federal Criminal Police Office (BKA) had started investigations in 2017, but without issuing an indictment or an arrest warrant. In any case, there was no evidence for either “sufficient” or “urgent suspicion”. According to a report in the Washington Post in January 2018, the CIA assumed with a “high degree of certainty” that the Russian military (more precisely: the GRU military intelligence service and its main centre for special technologies, GTsST) had been behind NotPetya. No evidence was presented, however.101 Public attribution occurred in mid-February 2018, with the Five Eyes alliance attributing the attacks to the Russian government.102 Denmark, Latvia, Sweden and Finland declared their support for this attribution. The public attribution enjoyed broad international support.103 A few months later, in early October 2018, the British NCSC provided more clarity on the question of which APT groups were linked to the GRU. According to the report, these included APT 28, which also operated under the names Fancy Bear and Sofacy. Sandworm, another GRU-affiliated group, is also known as Voodoo Bear and BlackEnergy.104 The U.S. State Department and the British NCSC did not move to formal legal attribution until February 2020, when they both made references to a similar cyber operation in Georgia for which the aforementioned GRU division GTsST or unit “74455” was declared responsible. The British Foreign Office added apodictically: “This GRU unit [GTsST, 74455] was responsible for [...] NotPetya”.105 The U.S. finally formally indicted six Russian nationals in mid-October 2020.106 The six officers of the Russian military intelligence agency GRU in military unit 74455 are accused of being involved in several malicious cyberattacks (including the 2015 and 2016 Ukraine blackout attacks, NotPetya, the OPCW cyberattack, and the hack of Emmanuel Macron’s campaign team during the 2017 French presidential election).

EU response to NotPetya

On 16 April 2018, the Council of the European Union condemned the malicious use of information and communication technologies, including the cases known as WannaCry and NotPetya.107 But it was not until two years later, on 30 July 2020, that it issued economic sanctions,108 in the form of Implementing Regulation (EU) 2020/1125109 – that is, targeted sanctions against selected individuals.110 The Official Journal of the European Union named the accused actors: “The Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), also known by its field post number 74455, is responsible for cyber-attacks with significant impact emanating from outside the Union. It was posing an external threat to the Union and/or its Member States and for third countries. The same threat actor was made responsible for the June 2017 cyber-attacks known as ‘NotPetya’ or ‘EternalPetya’ and the cyber-attacks directed against the Ukrainian electricity grid in the winter of 2015 and 2016.”111 The Five Eyes alliance and a small number of EU Member States declared the Russian government responsible much earlier, in February 2018. The EU thus arrived at its collective response more than two years later.

Operation Cloud Hopper 2016

The Cloud Hopper operation is considered a case of industrial espionage.112 The attack began in 2016 and is classified as a supply chain attack. It was directed against what are known as “managed service providers” (MSPs). These are companies like Hewlett Packard Enterprise (HPE) and IBM, among others, that provide IT services to third-party companies and government agencies around the world. They manage cloud services, applications and infrastructure such as servers and networks. The hackers penetrated the cloud management infrastructure of these MSPs using “spear phishing” emails disguised as messages from clients of the service providers. According to a technical analysis by Trend Micro, the attackers had installed a modified remote access Trojan (RAT) from the PlugX, Poison Ivy, ChChes and Graftor malware families in Word documents attached to the emails.113

The attackers “hopped” (Hopper) across different cloud instances and gained access to the systems.

Once executed, the Trojan established a beachhead on the MSP systems and communicated with C2 servers in Tianjin. It also installed keyloggers that logged and exfiltrated names and passwords for the clients’ infrastructure. The hackers used these credentials to laterally access the systems of those same clients via the MSP cloud infrastructure. This modus operandi explains the name Cloud Hopper: The attackers “hopped” over various cloud instances and thus gained access to the systems. The attack is widely considered to be technically adept. The code used certificates from large IT companies to appear authentic. Defending against such supply chain attack vectors is generally considered difficult.114

Victims, damages and aim of the operation

According to the Reuters news agency, in addition to IBM and HPE, other companies were targeted by the attackers: Ericsson, SKF (both Sweden), Valmet (Finland), Tata Consultancy Services (India), Fujitsu, NTT Data (both Japan), Dimension Data (South Africa), Computer Sciences Corporation, DXC Technology and NASA (all USA).115 The German Federal Office for Information Security (BSI) issued a warning in December 2018 that German companies could also be affected, but did not specify further.116 U.S. targets affected were Sabre Corp (USA), a global provider of airline and hotel bookings, and Huntington Ingalls Industries, the largest shipyard in the U.S., which also builds nuclear submarines for the U.S. Navy. Some 40 U.S. Navy computers were also compromised. The personal information of 100,000 Navy servicemen and women was stolen.117 A U.S. indictment against the perpetrators mentions at least 25 U.S. entities and 14 other victims in 12 states.118 Reports on the extent of the damage are conflicting.119 Compared to other incidents, public information is scarce. The MSPs and HPE withheld information about their clients because of liability issues and possible legal consequences. Some companies confirmed successful intrusions but could not determine if data was stolen. There are no estimates of the costs.120

It is striking that the systems attacked belonged predominantly to the heavy industry sector, aviation and maritime, telecommunications and satellite technology. The operational targets were primarily industrial espionage or, in the case of Sabre, customer data and, in the case of the Navy, politically motivated intelligence gathering.121 The attack was difficult to detect and left little trace. There is also evidence that multiple attack teams with different skills divided their efforts, a sign of the complexity of the campaign. The TTPs suggest this was not the typical modus operandi of cybercriminals but more likely a state organisation with substantial financial resources.

Attribution of the attackers

In December 2018, the U.S. government publicly attributed the attack to the group APT 10 (aka menuPass, POTASSIUM, Stone Panda, Red Apollo and CVNX), which is associated with China’s Ministry of State Security. The U.S. Department of Justice released the indictments against two Chinese nationals, Zhu Hua and Zhang Shilong.122 The defendants worked for the Huaying Haitai Science and Technology Development Company in Tianjin, China. Both are said to be part of the APT group, which has specialised in stealing intellectual property from industries in China’s strategic interest since 2006. Technical evidence included the malware’s communication with IP addresses in Tianjin, the registration of more than 1,300 DNS servers in the U.S., and the congruence of attack activity with office hours in the Chinese time zone. The attribution was based on information from InfraGard and Trend Micro.123 The Five Eyes alliance concurred with the political attribution. The British NCSC stated that it was “highly likely” that APT 10 had an ongoing relationship with the Chinese Ministry of State Security and was operating under its instructions.124 Japan, which was also implicated, said it approved of the public attribution.125 Germany also announced its support for the action a day later.126

EU response to Cloud Hopper

In 2019, the EU decided to launch a policy response to the attack under the CFSP. The then High Representative of the Union for Foreign Affairs and Security Policy, Federica Mogherini, declared on 12 April 2019 that malicious cyber activities that undermine the integrity, security and economic competitiveness of the Union and involve intellectual property theft would not be tolerated. The message was directed at the APT 10 group,127 but it was not until a year later, at the end of July 2020, that the Council went a step further with Implementing Regulations 2020/1125128 and 2020/1744,129 imposing sanctions in November 2020. The travel restrictions, which were one of the measures implemented as a result, are based on Article 4 of Decision (CFSP) 2019/797,130 sanctioning Chinese nationals Gao Qiang and Zhang Shilong, as well as the company Huaying Haitai. They were declared responsible for the cyberattacks between 2014 and 2017.131 Zhang Shilong was said to be the developer of the malware. Zhang was also said to have been employed by Huaying Haitai, the company that facilitated Operation Cloud Hopper. The timing of the attacks and the targets suggest that the hackers responsible were based in China and had links to the government.132

Bundestag Hack 2015

It is suspected that on 30 April 2015, an employee of the Left Party (Die Linke) parliamentary group in the German Bundestag opened a link in an email supposedly sent by the UN promising information about the Ukraine conflict.133 The link led to a compromised website that installed a Trojan. The president of the BSI at the time, Michael Hange, later confirmed to the Bundestag committee that the perpetrators were able to log onto the domain controller and admin workstations on 5 May 2015. Using the tool Mimikatz, they harvested passwords of other user accounts. With the help of extracted passwords and various remote control programs, the attackers gained access to up to 50 additional systems in the Bundestag on 6 May 2015.134 The intruders gained administrative rights for the Microsoft environment of parliament and parliamentary groups.

On behalf of the Left Party parliamentary group, the independent IT security researcher Claudio Guarnieri gained early access to attack artefacts.135 He suspected phishing as the means of initial infection, or alternatively a bug in Windows or Flash Player. At that time, it was unclear whether the attack on the Left Party computer was part of the Bundestag hack or an independent attack. The emergency response turned out to be a test of the separation of powers, because the IT security of the legislature had to be supported by the BSI and the Federal Office for the Protection of the Constitution, both executive authorities. Years before, the domestic intelligence agency, the Office for the Protection of the Constitution, had placed members of the Left Party under surveillance.

Victims, damages and aim of the operation

The Trojan attack compromised the central server of the Bundestag administration and computers of members of parliament, even in the office of Chancellor Angela Merkel. It is believed that a considerable number of email conversations from 2012 to 2015 were stolen.136 Around 50 IT systems were affected137 and larger amounts of data were leaked from the Bundestag: “demonstrably” at least 16 gigabytes (possibly with duplicates) were sent “to around nine known, globally distributed, suspicious servers”.138 The exact volume of data and the content of the leaked data (classified information) are not known.139 By September 2015, the Bundestag’s IT department had spent “about €1 million” on incident response. The BSI has had to bill 350 working days for mitigating the damage caused by the cyberattack.140

The attack on the highest constitutional body of the Federal Republic of Germany put its democratic functionality at risk. Nevertheless, the aim of the operation was primarily political espionage. In January 2017, unknown persons registered the domain “btleaks.com”, presumably with the intention of publishing the stolen data at an opportune moment, for example before the federal elections. This was similar to the hack of the Democratic Party headquarters (DNC hack) in the U.S. in 2016, where the website dcleaks.com was registered.141 The idea that the attack aimed “to sow the seeds of discord or fuel anxieties” was a plausible explanation at the time, although the stolen material was never published, as is usual in classic espionage operations.142 The political context of the U.S. election in 2016, however, is central to the subsequent legal and political assessment of an attack.

Attribution of the attackers

Although it is possible to glean information about the technical characteristics of the attack from public sources, the federal government kept these details, which were relevant to attribution, confidential. The BKA and German law enforcement officers also relied on public information gathered by U.S. authorities in the course of their investigation into the DNC hack.143 The IT security firm ThreatConnect posted a blog entry describing how it managed to determine that the same certificate had been used in the attack on the U.S. Democrats in the 2016 election campaign and in the 2015 Bundestag hack.144

Early on, in June 2015, Claudio Guarnieri speculated that the Russian-based group APT 28 was a possible originator. He based this on a report by IT security firm FireEye (2014), which claimed that APT 28 was funded by the Russian state. FireEye reached this conclusion on the basis of past operations that identified similar malware artefacts and TTPs. The attack tools were compiled on systems with Russian language settings during the usual Moscow and St. Petersburg office hours. The years of development behind the malware would have required substantial funding as well as support from an established organisation and “most likely” a state. The cyber operation’s goals were consistent with Russia’s foreign policy interests and strategies.145 Guarnieri’s arguments for attribution to APT 28 were corroborated by documentation from business consulting firm PricewaterhouseCoopers (PwC). According to the PwC report, certain IPs and SSL certificates that played a role in the Bundestag hack had previously been used in an attack that was attributed to the Sofacy/APT 28 group.146

In June 2015, the President of the Federal Office for the Protection of the Constitution, Hans-Georg Maaßen, suggested that a foreign intelligence service was responsible for the attack. He did not provide technical details.147 A year later, Maaßen claimed that the Russian state was behind the attack.148 Evidence was based on technical analysis, but also came from intelligence sources.149

In early 2018, the Dutch domestic and foreign intelligence service, the AIVD (Algemene Inlichtingen- en Veiligheidsdienst), publicised information about the hacker group APT 29, also known as Cozy Bear.150 According to media reports, the Dutch had hacked into the APT group’s networks in 2014, gained access to surveillance cameras in the building where the hackers had their offices, and identified members of the APT as intelligence operatives. This finding was in turn corroborated by the investigation conducted by U.S. Special Investigator Robert Mueller. His April 2019 report and an earlier July 2018 indictment named 12 intelligence officers from units 26165 and 74455 of Russia’s GRU military intelligence service as the perpetrators. The Mueller report supports the thesis that the GRU attackers used similar TTPs in different operations such as NotPetya, the OPCW hack and the Bundestag hack.151

After 2018, further states publicly declared the Russian government responsible for several cyber operations. In autumn 2018, the German government endorsed this view: “The German government also assumes with a probability bordering on certainty that the Russian military intelligence service GRU is behind the APT 28 campaign [...] This assessment is based on the government’s own solid facts and reliable sources”.152 In November 2019, the Attorney General announced that the group APT28/Fancy Bear was being investigated.153 After these investigations were concluded, in May 2020, Chancellor Merkel announced that there was “‘hard evidence’ for Russian involvement” and that this was an “outrageous” event.154

EU response to the Bundestag hack

On 22 October 2020, the Council of the European Union adopted sanctions against the 85th Main Special Services Centre (GTsSS) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU) and its military intelligence officers Dmitry Badin and Igor Kostyukov by Implementing Regulation (EU) 2020/1536.155 The targeted sanctions were economic sanctions under Article 3 of Regulation (EU) 2019/796 and entry restrictions under Article 4 of Decision (CFSP) 2019/797.156 The grounds state that Dmitry Badin was involved as an agent of the GTsSS in a cyberattack which had significant repercussions for the German Bundestag in April and May 2015. Igor Kostyukov, as head of the main directorate of the “military unit 26165” — known by experts as “APT28”, “Fancy Bear”, “Sofacy Group”, “Pawn Storm” and “Strontium” — had carried out the hack. Both GRU operatives were declared responsible not only for the attack against the German Bundestag, but also for the attempted cyberattack in April 2018 on the Organisation for the Prohibition of Chemical Weapons (OPCW).157

Attempted attack on the OPCW 2018

On 13 April 2018, four Russian intelligence agents prepared what is known as a WiFi spoofing attack158 on the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. They parked a rental car rigged with a fake WiFi hotspot (a device known as a WiFi Pineapple) in the car park of the Marriott Hotel next to the OPCW building. The manipulated Pineapple router was intended to imitate the OPCW’s original WLAN. Such a procedure is called a man-in-the-middle attack.159 WiFi spoofing only works if the fake WLAN is placed in direct physical proximity to the original. To do this, the perpetrators must be directly on site (“close access operation”). While conducting the operation, the attackers were observed and subsequently arrested by the Dutch Military Intelligence Service (Militaire Inlichtingen- en Veiligheidsdienst, MIVD). According to the Guardian newspaper, the Dutch had received a timely tip-off from British intelligence services.160 The four GRU operatives had entered the country through Amsterdam’s Schiphol Airport on 10 April 2018, and had been under surveillance since then.161 Dutch security authorities intervened early to prevent a successful compromise of the OPCW. They seized diplomatic visas, a large sum of cash, technical equipment, smartphones, laptops, passports and travel receipts.162 The attack was thus unsuccessful and inconsequential.163

Attribution of the attackers

Due to the timely arrest of the attackers, the attribution in this case turned out to be quite straightforward. The forensic analysis of the seized equipment allowed conclusions to be drawn not only about the target of the operation, but even about past and planned operations. Investigators acquired information on the poison attack on former GRU agent Sergei Skripal in Salisbury (UK). The nerve agent attack had taken place a month earlier, and the OPCW was tasked with its analysis. Travel logs showed that the next target on the perpetrators’ list had been an OPCW lab in Switzerland. The equipment’s WiFi logs also revealed that the group had previously travelled to Malaysia and Brazil. Temporal and spatial similarities with the results of the Dutch investigation into the shooting down of Malaysia Airlines flight MH17 and the 2016 Olympic Games in Brazil became evident.164

Following investigations by the World Anti-Doping Agency (WADA), Russian track and field athletes had been banned from the Olympic Games in Rio de Janeiro in July 2016 due to doping allegations. In September 2016, WADA had also been the victim of a cyberattack by the same team of hackers. The call logs of the seized mobile phones led directly to the GRU headquarters. Visas and taxi receipts, which the operatives of a state intelligence agency need in order to have the costs of business trips reimbursed, confirmed the involvement of GRU unit 26165, which was also involved in the NotPetya attack and the Bundestag hack.

The political attribution was made by the Dutch government on 4 October 2018, in a lengthy press conference in which all the details of the investigation were shared. The Dutch stated that any incident that undermined the integrity of international organisations was “unacceptable”. The government in The Hague summoned the Russian ambassador, and the Dutch defence minister and the British ambassador condemned the GRU and, indirectly, the Russian government, for these attacks.165 In the United States, on the same day as the press conference, charges were brought against seven Russian intelligence officers. They were said to be employees of GRU unit 26165,166 who, in addition to attacking the OPCW, had also carried out attacks against the anti-doping agencies USADA, WADA and the Canadian Centre for Ethics in Sport (CCED).167 Two months earlier, in August 2018, the U.S. had asked the Netherlands for legal assistance in prosecuting Russian cyber operations against U.S. and international organisations. The allegations and circumstantial evidence gathered in the CR 18-263 indictment on the case of the attempted OPCW attack are168 consistent with the indications provided by the Dutch Ministry of Defence. The log data from the WiFi attack equipment showed that the attackers were in the same hotel at the same time as the laptop of a representative of the Canadian anti-doping agency CCED was infiltrated.

The absence of a legal attribution is remarkable. The Dutch waived charges and detained the apprehended spies only for a short time. The day after their arrest, they were put on a plane to Russia and expelled from the country. The GRU operatives had official diplomatic passports, which protected them from prosecution. An officer of the Dutch intelligence service explained the situation as follows: “Hacking is a criminal offence. Attempting to hack is also a criminal offence. Preparing for an attempt to hack is not a criminal offence”.169 The OPCW hack is unique because it was not a classic cyberattack. The attack was stopped in time and was promptly publicised by the Dutch government, providing the EU with information for attribution of a level of detail that had not been available in any of the other incidents discussed so far. The transparency on technical, legal and political attribution is exemplary and leaves little room for erroneous conclusions.

EU response to the attempted attack on the OPCW

The Presidents of the European Council and the European Commission and the High Representative for Foreign Affairs and Security Policy first commented on the attempted cyberattack on the Organisation for the Prohibition of Chemical Weapons in a joint statement on 4 October 2018. They described the incident as “an aggressive act [that] demonstrated contempt for the solemn purpose of the Organisation for the Prohibition of Chemical Weapons (OPCW)…”.170 In this case, the timing of the political attribution worked: it was at least stringent and in concert with allies, and the signalling was clear. The EU sanctions were issued at the end of July 2020, with Implementing Regulation 2020/1125171 and its addendum 2020/1744172 from the end of November 2020. The restrictive measures are directed against the 85th Main Special Services Centre (GTsSS) within the GRU and its employees Alexey Minin, Aleksei Morenets, Evgenii Serebriakov and Oleg Sotnikov.173

Shortcomings of the Attribution Policy

The analysis shows that the EU’s attribution competence is deficient. It reveals the weaknesses of the current system of technical, political and legal identification of perpetrators. It shows the significant hurdles that still need to be overcome on the long road to an effective and legitimate “politics of attribution” at both the EU and intergovernmental levels.

First, the EU relies heavily on evidence and expertise from allied third countries, such as the Five Eyes alliance as well as U.S. IT companies. Evidence provided by the security services of EU Member States is usually deficient and incomplete. The OPCW attack would not have been uncovered and prevented in time without the tip-off from the UK authorities. The German investigation into the Bundestag hack was based on publicly available indictments and non-public exchanges with the FBI. Whether the exchange of information with the Five Eyes member Great Britain, which is necessary for attribution, will be maintained after Brexit remains to be seen.

Second, it is evident that in almost all the cases described, the EU responded with a time lag. The coordination processes and the unanimity required for cyber sanctions under the CFSP necessitate a lengthy attribution process, which in some cases took years longer than the convictions by the Five Eyes partners. This may be due to the complex technical forensics typical of cyber incidents, but is certainly partly also down to the parallel information sharing procedures at EU and Member State level. The responsibilities for cybercrime, cyber espionage and counterintelligence, and military cyber defence lie primarily with the Member States and must be coordinated at EU level through Europol, in the EEAS through EU INTCEN, and in future also through the Joint Cyber Unit in the EU Commission.

Third, it is evident that the members of the Five Eyes alliance manage public attribution better than their EU counterparts: They coordinate with speed and efficiency and issue simultaneous pronouncements based on extensive evidence. Thus, the legitimacy of attribution is more solid than the EU’s. With Brexit, the EU’s attribution authority has diminished significantly, as the UK no longer shares intelligence through EU INTCEN, but still exchanges information bilaterally with selected EU states. Compared to Five Eyes, political attribution in support of EU cyber sanctions occurs infrequently and sporadically. A credible policy of attribution would require all Member States to speak with one voice. Political attribution remains the prerogative of the Member States. However, the impact of national attribution is limited. Pooling attribution reports at the EU level can significantly increase the legitimacy and effectiveness of a sanction decision. This is particularly true if the attribution of responsibility takes place in coordination with international partners. The so-called “naming and shaming” campaign by allies can only succeed if the respective foreign ministries act in a coordinated manner.

Fourth, cyber sanctions are to be imposed in the event of attacks with a “significant impact” or if the relevant criteria are fulfilled. However, the analysis shows that it is difficult to determine from technical indicators and IoCs whether a criterion is actually fulfilled, which is required to legitimise a legal consequence such as sanctions. The known criteria of the cyber incidents analysed are rather ambiguous, do not take technical details into account to an adequate extent, and their weighting is also unclear. For example, the question arises as to whether an attack against an electoral system is more serious than an attack against critical infrastructure. Does an attack against numerous less critical systems weigh more heavily than an attack against a hospital?174 The problem of proving malicious intent emanating from third countries is illustrated by the following criteria:

a) The fulfilment of the criterion “malicious use of ICT” cannot be clearly determined in all cases. In the case of WannaCry and NotPetya, a sufficient degree of malice can indeed be established, due to the arbitrary selection of targets, the indifference to the disruption of critical infrastructures such as hospitals and the billions of euros in damage caused to states and companies. In other cases, malice is difficult to prove beyond reasonable doubt.

b) From a technical point of view, the criteria that are supposed to define a cyberattack (access to and interference with information systems and interference with data or the interception of data) cannot be clearly separated from each other. An intrusion into information systems is always synonymous with an intrusion into data, since defence systems are bypassed and malware is introduced, i.e. data is almost inevitably written to a file system. The same can be seen in the differentiation between attacks and attempted attacks: organisations with good detection systems receive thousands of security alerts every day. These are often not identifiable a priori as an attack, since the effect of an attack can only be recognised after malicious code has been executed. Only when the analysis of such code, combined with threat intelligence techniques, has identified information about attack infrastructures or tools of known APT groups, can affected organisations interpret the incident as a threatening act.

c) It is also difficult to derive the strategic operational goal or motivation for the attack from what are mostly purely tactical IoCs. In the case of WannaCry, for example, the motivation for the attack is not clear. The interpretation of the Bundestag hack as an attempt at election interference is also difficult to infer from the IoCs alone. The conclusion of “election interference” is based on contextual factors, i.e. the hybrid threat, which only became prevalent in transatlantic discourse years later, after the DNC hack in 2016.

d) There are inconsistencies in the selection of cases that prompted the EU to impose cyber sanctions. There was no plausible explanation for why, for example, cases of classical espionage (Bundestag hack and Cloud Hopper) were included in the cyber sanctions regime, but concrete attempts to influence elections (Macron leaks) were not. Espionage has been part of state practice for decades. While it is punishable under virtually all national legal systems, it is not illegal under international law.175 During the hack of Emmanuel Macron’s campaign team’s emails in 2017, communications content was stolen and also leaked, analogous to the DNC hack, two days before runoff election day.176 Unlike the Bundestag hack, this is a clear attempt to influence the electoral process, which goes beyond political espionage and can be considered a violation of state sovereignty. If the aim was to send a strong political signal, this incident should have been included in the 2020 cyber sanctions regime. The U.S. law enforcement agencies had, in the context of the NotPetya indictment, attributed responsibility for the Macron leaks to the Russian GRU.177

e) Moreover, it is questionable to what extent technical attribution allows for plausible proof of legal responsibility. From the analysis of cyberattacks in the EU so far, it is not always clear which technical IoCs constitute an adequate basis for a legal normative attribution of cyberattacks according to European law (or even international law). Office hours and IP addresses in the context of a cyberattack are merely circumstantial evidence, and not proof of authorship by an individual acting on behalf of the state. Taxi receipts, cell phone logs and hacked surveillance cameras at the GRU headquarters, on the other hand, have greater probative value. The discrepancy between the technical indicators and the legally required elements of the crime is evident: in the Bundestag hack and Cloud Hopper cases, the information published by the EU or the German government is sparse compared to the publicly available findings of IT security companies, the technical details in U.S. indictments in similar cases, and the Dutch government’s transparency campaign after the OPCW incident.

f) The inconsistency of the evidence and lack of transparency of the legal evidence impair the legitimacy of the sanctions. Making the scope of forensic evidence as broad as possible and comprehensible to the public would help make the sanctions more credible and effective. The U.S. indictments in the cases discussed here manage this to a far greater extent than the EU does with the justifications it publishes in the Official Journal. The U.S. also presents the evidence more assertively. The Member States should advocate a technically adept and legally sound legitimisation of cyber sanctions, in their own clearly understood self-interest, because EU sanction decisions can be legally challenged before the European Court of Justice.178

g) Another inconsistency can be seen in the standards of evidence, especially in the case of the Bundestag hack. According to the German federal government, the attribution made in this regard is based on what is generally a “very good situation when it comes to our own facts and sources”.179 In the other cases, the European, U.S. and British security authorities sometimes make an attribution “with near certainty”, sometimes only with “a high degree of certainty”. A Europe-wide, or better still transatlantic, standardised terminology and methodology would already be helpful in the case of mutual legal assistance requests. If, on top of that, information on the evidence were to be more systematically processed, categorised and published in close consultation with allied states in the future, cyber sanctions could be made much more plausible at the EU level than they have been so far.

Lastly, the quality of the counterreactions, i.e. the sanctions themselves, is also worthy of discussion. In all cases, travel restrictions were imposed and accounts frozen. For the Cloud Hopper cyberattacks, the Bundestag hack and the OPCW incident, this may be adequate and proportional. WannaCry and NotPetya, on the other hand, are much more serious cases. They meet far more and, above all, far weightier criteria for criminal offences, including major financial damage and sabotage of critical infrastructure. According to the legal opinion of some observers, NotPetya even reaches the threshold of an armed attack.180 The intensity of the sanctions here does not appear to be proportionate to the intensity of the attacks. It could certainly be argued that in both cases there were clear violations of sovereignty that would have permitted countermeasures under international law.181 Rapid and differentiated EU sanctions in response to cyberattacks will remain the exception for the foreseeable future. The coherence of the sanctions process should be improved by means of a reformed Commission Blueprint (see above, p. 14). Alongside Europol, ENISA and the EU-CERT, the Commission’s newly created Joint Cyber Unit will play an important role in European cybersecurity in the future. However, in future, the EU Commission will certainly not be in a position to steer the attribution policy pursued by the EU on its own. On this issue in particular, the Commission will be dependent on close consultation with the Council and the Council’s Horizontal Working Party on Cyber Issues.

Conclusions

The EU’s attribution policy shows that vertical, horizontal and institutional coherence in the EU’s external action and between EU Member States leaves much to be desired. The requirement for unanimity in the Council’s decision-making and the lack of legal and financial resources for the EEAS make it difficult for the EU to make its mark in international cyber diplomacy. The German government should support the French Council Presidency in making qualified majority voting the norm for the adoption of EU cyber sanctions. In the interest of the security of the Union and its internal market, restrictive CFSP measures, such as EU cyber sanctions, should be initiated and reliably imposed more quickly than in the past in order to promptly bring perpetrators and attackers to justice.

The legal terms in the EU regulations should be tightened and more closely related to technical forensics. A number of prerequisites must be met in the practical implementation of this task. After all, even an unambiguous technical attribution that allows conclusions to be drawn about the motivation for the attack must still overcome high legal hurdles if the criteria set out in the relevant regulation are to be met, something which is essential for determining authorship. Ideally, the attribution policy would be adapted to the legal requirements. If this proves impossible, the law itself would have to be adapted. The introduction of a distinction between necessary and sufficient attribution standards in accordance with a uniform evaluation system (probability yardstick) would at least have to be reconciled with the constitutional requirements of Union law and the current possibilities of technical forensics. Experience from other international cyberattacks can also be drawn upon. For example, there were comparable supply chain attacks before Operation Cloud Hopper. The latter demonstrated to malicious hackers just how attractive such an attack on the domestic market was. The response to supply chain attacks should therefore be practised by means of ENISA cyber defence exercises, in line with the Commission’s recommendations in the Blueprint document.

According to the new EU Cybersecurity Strategy of 2020, private companies, public institutions and national authorities should systematically and comprehensively share information on cyber incidents. This is seen as a prerequisite for a joint EU response. The EU Commission’s Joint Cyber Unit is to serve as a “virtual and physical platform of cooperation between the different cybersecurity communities in the EU”. Its focus is to be on “operational and technical coordination on serious cross-border cyber incidents and threats”. This operational cooperation in the service of cybersecurity is to be heightened in line with the due diligence responsibilities of cyber diplomacy. The Cyber Unit is also intended to be a hub for communication with the Five Eyes alliance to enable joint public attributions beyond EU borders.

There is also now a debate about the extent to which EU governments and the EU should equip themselves to carry out counter-attacks. The Cybersecurity Strategy already contains a reference to this and cases like WannaCry and NotPetya underline the urgency. Accordingly, the EU wants to develop a “proposal to further define EU cyber deterrence”. According to the cyber diplomacy toolbox, active cyber defence measures would be the highest escalation level after prior activation of the treaty-based solidarity or mutual assistance clause. They can only be taken provided that they are in accordance with international humanitarian law. The final stage of crisis management would be to stop an ongoing attack by actively countering it. The last resort would be what is known as a “hack back”, i.e. the targeted disabling of a server from which an attack originates. In terms of due diligence, this would only be justifiable if an ongoing attack has severe, existence-threatening consequences and all other means have been exhausted. The necessary legal framework and distribution of competences have not yet even been established at national level, not to mention the EU-level legal arrangements for the attribution procedure required for this. As things stand at present, crisis management in which all 27 Member States would have to agree to activate a digital cyber defence is likely to prove too complex and too slow in an emergency.

This makes it all the more important to strengthen the EU’s attribution competence and IT security in the internal market. Notwithstanding the undoubtedly correct understanding that many preconditions must be met for reliable attribution, it is a requirement for the enforcement of the rule of law that perpetrators and attackers are held accountable. Therefore, developing analytical capabilities is a necessary condition worth investing in. Similarly, mandatory IT baseline protection must be maintained in the EU. New legislation, such as the reform of the current Network and Information Security Directive and the Cyber Resilience Bill announced by Internal Market Commissioner Thierry Breton in September 2021, is right to focus on securing infrastructure, cloud services and supply chains more broadly. However, the requirement for corporations to take precautions against cybersecurity threats is not currently resulting in the required level of investment in building resilient IT systems; instead, funds are flowing into the purchase of cyber insurance policies. The cause and success of numerous attacks lie in the inadequate protection of basic software, which is often developed in the USA, where companies are not liable for the shortcomings of their programs. Consequently, if we want to avoid a situation where laws on each side of the Atlantic counteract each other, close transatlantic coordination is also needed at this point.

The most important and sustainably effective measures of operational cooperation within the Union and with the Five Eyes partners are prevention and detection. As shown by the discrepancy between the detection of technical IoCs and political or legal attribution, the political assessment of an incident in the context of a strategic situation analysis by the Hybrid Fusion Cell in the EEAS plays a particularly important role. It must take into account the bigger picture of incidents in cyberspace, because hybrid threats of military relevance can also be expected. To this end, it would make sense to collect data on past and current attack campaigns, suspected perpetrators, targets, the number of Member States affected, damage incurred and its legal classification in a kind of cyber conflict database and to make this information available to the Member States. This is more likely to lead to a common understanding of the incidents and ideally to a coherent response. To achieve this, the EEAS would need more technically skilled and legally qualified scientific staff. Only reliable forensics will allow for strategically substantive situational awareness.

While, with its technical competencies, the EU’s existing CSIRT network helps facilitate an exchange of comparable data on the protection of critical infrastructure, the Joint Cyber Unit in the EU Commission must be expanded for improved EU attribution management. Cyber diplomacy requires continuous communication between national security authorities, industry and academia. This is the responsibility of the Joint Cyber Unit, which in turn can only fulfil it in close consultation with the EEAS within the Single Intelligence Analysis Capacity. Public and private CERT alliances and mergers in industry are also essential for pooling expert knowledge on cyber diplomacy. As mentioned above, consideration could be given to drawing a distinction between sufficient and necessary attribution standards. In order for cyber diplomacy issues to function more smoothly at the interfaces between the Council and the Commission in the future, together with EU INTCEN, the Commission’s Joint Cyber Unit and Europol (EC3) could jointly manage these intersections. As an institution, Europol would be particularly well suited to soften the competence boundaries between the CFSP procedure of the EEAS and the Commission’s crisis management procedure. Ultima ratio would be the creation of a dual role at the highest level in the capacity of the President of the European Council and the President of the Commission. In the event of a merger, the strategic situation assessment for the protection of the internal market and the EU Security Union would then be a supranational competence.

Appendix

Glossary

Advanced persistent threat (APT)

An advanced persistent threat is an attack in which a well-trained, typically state-controlled individual attacks a network or system in a very targeted manner over an extended period of time for the purposes of espionage or sabotage, possibly moving and/or spreading within that network or system and thus gathering information or manipulating it.

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Gefaehrdungen/APT/apt.html

Backdoor

A backdoor is a program, usually installed by viruses, worms or Trojan horses, that gives third parties unauthorised access (“backdoor”) to a computer, but remains hidden and bypasses the usual security devices. Backdoors are often used for denial-of-service attacks that target the availability of services, websites, individual systems or entire networks.

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Glossar-der-Cyber-Sicherheit/Functions/glossar.html?nn=522504&cms_lv2=132796

Bootloader

A bootloader is a computer program that is loaded by the firmware of a computer after start-up. A bootloader is launched from a bootable medium and then executed. The bootloader then loads other parts of the operating system, usually the kernel.

https://en.wikipedia.org/wiki/Bootloader

Bug / Vulnerability / Security gap

Bugs refer to errors in programs. A vulnerability is a security-related error in an IT system or an institution. This can be caused by the design, the algorithms used, the implementation, the configuration, the operation or the organisation. A vulnerability can be exploited, resulting in a threat that causes damage to an institution or system. If a vulnerability exists, an object (an institution or a system) is susceptible to threats.

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Glossar-der-Cyber-Sicherheit/Functions/glossar.html?nn=522504&cms_lv2=132814

Command & Control Server (C2)

After infecting a system, most malicious programs contact the attackers’ control server (C&C server) on the Internet in order to reload further malicious code from there, to receive instructions or to transmit information (such as user names and passwords) uncovered on the infected system to this server. Contact is often made using domain names registered by the perpetrators specifically for this purpose.

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Glossar-der-Cyber-Sicherheit/Functions/glossar.html?nn=522504&cms_lv2=132798

DNS

The Domain Name System (DNS) assigns the corresponding IP address to addresses and names used on the Internet, such as www.bsi.bund.de.

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Glossar-der-Cyber-Sicherheit/Functions/glossar.html?nn=522504&cms_lv2=132772

Domain controller

The domain controller is a server that centrally manages and controls a domain and its various objects. Users who want to log on to a network domain first contact the domain controller responsible for their domain.

https://www.ip-insider.de/was-ist-ein-domaenencontroller-a-626094/

EternalBlue

EternalBlue is an exploit that takes advantage of programming flaws in the SMB implementation (also known as NetBIOS or Common Internet File System) of the Windows operating system. The vulnerability is known as CVE-2017-0144 (SMB Remote Windows Kernel Pool Corruption).

https://de.wikipedia.org/wiki/EternalBlue

Exploit

An exploit is a method or program code that can be used to execute unintended commands or functions via a vulnerability in hardware or software components. Depending on the type of vulnerability, an exploit can be used, for example, to crash a program, extend user rights or execute arbitrary program code.

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Glossar-der-Cyber-Sicherheit/Functions/glossar.html?nn=522504&cms_lv2=132800

Five Eyes

Five Eyes is an intelligence alliance consisting of the U.S., UK, Canada, Australia and New Zealand.

https://en.wikipedia.org/wiki/Five_Eyes

Indicators of compromise

Indicators of compromise (IoCs) comprise technical information that can be used to detect malware infection or other compromise. These are often network-based signatures, such as the domain names of control servers, or host-based signatures that are searched for on the terminal device (such as hash sums characterising malware, entries in the Windows registry or similar).

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Glossar-der-Cyber-Sicherheit/Functions/glossar.html?nn=522504&cms_lv2=132764

Industroyer

Industroyer is a malware believed to have been used in the cyberattack on Ukraine’s power grid on 17 December 2016. The attack cut off power to one-fifth of the capital, Kyiv, for an hour. It is the first known malware designed specifically to attack power grids.

https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer

IP

This is an address which makes a computer accessible within a network according to the Internet protocol. An IP address consists of four bytes separated by dots: for example, 194.95.179.205.

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Glossar-der-Cyber-Sicherheit/Functions/glossar.html?nn=522504&cms_lv2=132764

Keylogger

A keylogger is a piece of hardware or software that is used to log a user’s keystrokes on the keyboard of a computer and thus monitor or reconstruct them.

https://de.wikipedia.org/wiki/Keylogger

Mimikatz

Mimikatz is a free and open source program for Microsoft Windows that can be used to display cached credentials by exploiting vulnerabilities.

https://de.wikipedia.org/wiki/Mimikatz

MSP

A managed services provider (MSP) is an information technology service provider that assumes and manages responsibility for providing a defined set of services to its customers.

https://de.wikipedia.org/wiki/Managed_Services_Provider

Patch

A patch is a software package with which software manufacturers close security gaps in their programs or introduce other improvements. Many programs facilitate the installation of these updates through automatic update functions. Patch management refers to processes and procedures that help to obtain, manage and apply available patches for the IT environment as quickly as possible.

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Glossar-der-Cyber-Sicherheit/Functions/glossar.html?nn=522504&cms_lv2=132810

Phishing

The term “phishing” is a combination of “password” and “fishing”. Phishing is an attempt to obtain access data for a service or a website, for example by means of fake emails and/or websites. If this manipulation is not recognised by the victim and the authenticity of a message or website is not questioned, the victim may unwittingly give their access data to unauthorised persons.

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Glossar-der-Cyber-Sicherheit/Functions/glossar.html?nn=522504&cms_lv2=132810

Ransomware

Ransomware refers to malware that restricts or prevents access to data and systems and only releases these resources again upon payment of a ransom. This is an attack on the security objective of availability and a form of digital extortion.

https://www.allianz-fuer-cybersicherheit.de/Webs/ACS/DE/Informationen-und-Empfehlungen/Informationen-und-weiterfuehrende-Angebote/Glossar-der-Cyber-Sicherheit/Functions/glossar.html?cms_lv2=132812

RAT (remote access Trojan)

A remote access Trojan (RAT) is a type of malware that allows the attacker complete remote control over a system. When a RAT enters a computer, it allows the hacker to easily access local files, secure login authorisation and other sensitive information, or it uses this connection to download viruses that could be inadvertently shared with others.

https://heimdalsecurity.com/blog/what-is-a-remote-access-trojan-rat/

Single point of failure

A single point of failure (SPOF) is a component of a technical system whose failure results in the failure of the entire system.

https://de.wikipedia.org/wiki/Single_Point_of_Failure

SMB

Server Message Block (SMB), originally called Common Internet File System (CIFS), is a network protocol for file, print and other server services in computer networks. It is a central part of the network services of the Windows product family and allows access to files and directories located on another computer.

https://de.wikipedia.org/wiki/Server_Message_Block

SSL certificate

An SSL certificate is a small data file that digitally binds a cryptographic key to an organisation’s details. When installed on a web server, it activates the security lock and https protocol and enables secure connections from a web server to a browser. Typically SSL is used to secure credit card transactions, data transfers and logins. SSL is increasingly becoming the norm for securing social media site browsing. SSL certificates bind together a domain name and an organisational identity.

https://www.globalsign.com/de-de/ssl-information-center/was-ist-ein-ssl-zertifikat

TTP (Tools, tactics and procedures)

This is the overall picture of attack behaviour that results from the means used, the tactics and techniques employed, and the preferred procedures of an actor. A tactic is the high-level description of behaviour; techniques provide a more detailed description of behaviour in the context of a tactic; and procedures provide a lower-level, highly detailed description of behaviour in the context of a technique.

https://csrc.nist.gov/glossary/term/Tactics_Techniques_and_Procedures

Wiper

A wiper is a class of malware whose goal is to wipe the hard drive of the computer it infects.

https://en.wikipedia.org/wiki/Wiper_(malware)

Zero day

The exploitation of a vulnerability that is known only to the discoverer is called a zero-day exploit. The public, and in particular the manufacturer of the affected product, usually only become aware of the vulnerability when attacks are discovered that exploit it. The term zero day is therefore derived from the fact that a corresponding exploit already existed before the day on which the manufacturer became aware of the vulnerability — i.e. on a fictitious “day zero”. Consequently, the manufacturer has no time to protect users from the first attacks.

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Glossar-der-Cyber-Sicherheit/Functions/glossar.html?nn=522504&cms_lv2=132776

Abbreviations

AIVD

Algemene Inlichtingen- en Veiligheidsdienst (intelligence and security agency of the Netherlands)

APT

Advanced persistent threat

BBC

British Broadcasting Corporation

BKA

Federal Criminal Police Office

BSI

Federal Office for Information Security (Bonn)

C2

Command & Control (Server)

CCDCOE

NATO Cooperative Cyber Defence Centre of Excellence

CCED

Canadian Centre for Ethics in Sport (Ottawa)

CERT

Computer Emergency Response Team

CFSP

Common Foreign and Security Policy

CIA

Central Intelligence Agency (USA)

CIR

Cyber and Information Domain Service

Coreper

Permanent Representatives Committee

CRITIS

International Conference on Critical Information Infrastructures Security

CSIRT

Computer Security Incident Response Team

DNC

Democratic National Committee (USA)

DNS

Domain Name System

EC3

European Cybercrime Centre (at Europol)

ECJ

European Court of Justice

EEAS

European External Action Service

ENISA

European Union Agency for Cybersecurity

EU INTCEN

European Union Intelligence and Situation Centre

EU LE ERP

EU Law Enforcement Emergency Response Protocol

EUMS

European Union Military Staff

FBI

Federal Bureau of Investigation (USA)

GCHQ

Government Communications Headquarters (UK)

GIGA

German Institute of Global and Area Studies (Hamburg)

GRU

Glavnoye Rasvedyvatelnoye Upravleniye (Russian Military Intelligence)

GTsSS

Glavnii Centr Specialnoy Slushbi (85th Main Centre for Special Services of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation)

GTsST

Glavnii Centr Specialnych Technologii (Main Centre for Special Technologies of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation)

HR

High Representative (High Representative of the Union for Foreign Affairs and Security Policy)

HWPCI

Horizontal Working Party on Cyber Issues (also: HWP Cyber)

HWP ERCHT

Horizontal Working Party on Enhancing Resilience and Countering Hybrid Threats

ICDS

International Centre for Defence and Security (Tallinn)

ICJ

International Court of Justice

ICT

Information and communication technology

ILC

International Law Commission

INTCEN

see EU INTCEN

IoC

Indicator of compromise

IP

Internet protocol

IPCR

Integrated Political Crisis Response (EU)

IS

Islamic State

JCAT

Joint Cybercrime Action Taskforce (at Europol)

MIVD

Militaire Inlichtingen- en Veiligheidsdienst (military intelligence service of the Netherlands)

MSP

Managed service provider

NCSC

National Cyber Security Centre (UK)

NIS

Network and Information Security (Directive, EU)

NSA

National Security Agency (USA)

OPCW

Organisation for the Prohibition of Chemical Weapons

OSINT

Open Source Intelligence

PSC

Political and Security Committee

RAT

Remote access Trojan

SIAC

Single Intelligence Analysis Capacity

SMB

Server Message Block

SOCMINT

Social media intelligence

SPOF

Single point of failure

TEU

Treaty on European Union

TFEU

Treaty on the Functioning of the European Union

TTP

Tools, techniques and procedures

UN

United Nations

USADA

United States Anti-Doping Agency

VP

Vice-President of the EU Commission

VPN

Virtual private network

WADA

World Anti-Doping Agency (Montreal)

Comparison table of cases (online only)

Table can be accessed at https://bit.ly/SWP21RP10Annex

Endnotes

1

We owe the key findings of this study to the in-depth research of Anna Sophia Tiedeke, Kerstin Zettl and Andreas Schmidt. The aforementioned contributed significantly to the development of this SWP study through their analyses in the context of the pilot project on the feasibility of a repository on cyber incidents in Europe in cooperation with the Cyber Foreign Policy Staff in 2020/21. Special thanks also go to Veronika Datzer for her revisions.
The attacks are “WannaCry”, “NotPetya”, “Operation Cloud Hopper”, “Bundestag hack” and “attempted attack on the Organization for the Prohibition of Chemical Weapons (OPCW)”. The EU classified these attacks as malicious cyberattacks and attempted cyberattacks with a potentially significant impact “posing an external threat to the Union or its Member States”.

2

Council of the European Union, Council Conclusions on Malicious Cyber Activities – Endorsement Approval, Brussels, 16 April 2018, https://data.consilium.europa.eu/doc/document/ST-7925-2018-INIT/en/pdf.

3

Annegret Bendiek and Matthias C. Kettemann, Revisiting the EU Cybersecurity Strategy: A Call for EU Cyber Diplomacy, SWP Comment 16/2021 (Berlin: Stiftung Wissenschaft und Politik, February 2021), https://www.swp-berlin.org/publications/products/comments/2021C16_EUCyberDiplomacy.pdf; Annegret Bendiek, Raphael Bossong and Matthias Schulze, The EU’s Revised Cybersecurity Strategy. Half-Hearted Progress on Far-Reaching Challenges, SWP Comment 47/2017 (Berlin: Stiftung Wissenschaft und Politik, November 2017), https://www.swp-berlin.org/publikation/revised-cybersecurity-strategy; Annegret Bendiek, Tests of Partnership. Transatlantic Cooperation in Cyber Security, Internet Governance, and Data Protection, SWP Research Paper 5/2014 (Berlin: Stiftung Wissenschaft und Politik, March 2014), https://www.swp-berlin.org/publikation/transatlantic-cooperation-in-cyber-security.

4

Council of the European Union, Council Conclusions on Malicious Cyber Activities (see note 2), 2.

5

See Matthias Schulze, Konflikte im Cyberspace, UN-Basis-Information 61 (Berlin: United Nations Association of Germany, 2020), https://dgvn.de/veroeffentlichungen/publikation/einzel/konflikte-im-cyberspace/ (accessed 6 May 2021); Alex Grigsby, “The End of Cyber Norms”, Survival 59, no. 6 (2017): 109–22.

6

See Annegret Bendiek, Due Diligence in Cyberspace. Guidelines for International and European Cyber Policy and Cybersecurity Policy, SWP Research Paper 7/2016 (Berlin: Stiftung Wissenschaft und Politik, May 2016), https://www.swp-berlin.org/publikation/due-diligence-in-cyberspace; European Digital Sovereignty: Combining Self-interest with Due Diligence, EU Policy Brief 5 (Ottawa: Centre for European Studies, Carleton University, December 2020), https://carleton.ca/ces/wp-content/uploads/Bendiek-EU-Policy-Brief-Digital-Sovereignty-2.pdf (accessed 4 June 2021).

7

 Other EU security policy initiatives include the Cyber Defence Policy Framework (2018), the EU Cybersecurity Act and the 5G Toolbox (both 2019), the Security Union Strategy and the FDI Screening Regulation (2020).

8

 Andy Greenberg, “White House Blames Russia for NotPetya, the ‘Most Costly Cyberattack in History’”, Wired (online), 15 February 2018, https://www.wired.com/story/white-house-russia-notpetya-attribution/ (accessed 18 May 2021).

9

Council of the European Union, Council Conclusions on Malicious Cyber Activities (see note 2).

10

 Ibid.

11

Council of the European Union, Council Decision (CFSP) 2020/1127 of 30 July 2020 Amending Decision (CFSP) 2019/797 Concerning Restrictive Measures against Cyber-attacks Threatening the Union or Its Member States, https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32020D1127&from=DE (accessed 2 June 2021). On the legal basis of Article 13(1) of Regulation (EU) 2019/796, Annex I to Regulation (EU) 2019/796 amended the list of natural and legal persons, entities and bodies referred to in Article 3 of Regulation (EU) 2019/796.

12

See Florian J. Egloff and Max Smeets, “Publicly Attributing Cyber Attacks: A Framework”, Journal of Strategic Studies (2021): 1–32.

13

Stefan Soesanto, “Europe Has No Strategy on Cyber Sanctions”, Lawfare, 20 November 2020, http://www.lawfareblog.com/europe-has-no-strategy-cyber-sanctions (accessed 6 May 2020).

14

Annegret Bendiek, Minna Ålander and Paul Bochtler, CFSP: The Capability-Expectation Gap Revisited. A Data-based Analysis, SWP Comment 58/2020 (Berlin: Stiftung Wissenschaft und Politik, November 2020), https://www.swp-berlin.org/publikation/cfsp-the-capability-expectation-gap-revisited; see also Francesco Giumelli, Fabian Hoffmann and Anna Książczaková, “The When, What, Where and Why of European Union Sanctions”, European Security 30, no. 1 (2021): 1–23; Niklas Helwig, Juha Jokela and Clara Portela, eds., Sharpening EU Sanctions Policy for a Geopolitical Era (Helsinki: Prime Minister’s Office, 2020), https://julkaisut.valtioneuvosto.fi/bitstream/handle/10024/162257/VNTEAS_2020_31.pdf (accessed 4 June 2021); Clara Portela et al., “Consensus against All Odds: Explaining the Persistence of Sanctions on Russia”, Journal of European Integration 43, no. 6 (2020): 1–17.

15

 Soesanto, “Europe Has No Strategy on Cyber Sanctions” (see note 13).

16

 Erica D. Borghard and Shawn W. Lonergan, “The Logic of Coercion in Cyberspace”, Security Studies 26, no. 3 (2017): 452–81 (463).

17

 Thomas Rid and Ben Buchanan, “Attributing Cyber Attacks”, Journal of Strategic Studies 38, no. 1–2 (2014): 4–37 (4).

18

Ryan Stillions, “The Detection Maturity Level Model”, Ryan Stillions Blogspot, 22 April 2014, http://ryanstillions.blogspot.com/2014/04/the-dml-model_21.html (accessed 1 January 2020).

19

 Erik Gartzke and Jon R. Lindsay, “Weaving Tangled Webs. Offense, Defense, and Deception in Cyberspace”, Security Studies 24, no. 2 (2015): 316–48.

20

Jason Healey, Beyond Attribution: Seeking National Responsibility in Cyberspace, Issue Brief (Washington, D.C.: Atlantic Council, 22 December 2012), https://www.atlanticcouncil.org/publications/issue-briefs/beyond-attribution-seeking-national-responsibility-in-cyberspace (accessed 15 September 2021).

21

 Egloff and Smeets, “Publicly Attributing Cyber Attacks” (see note 12).

22

For an account of the German interpretation of international law, see: The Federal Government, On the Application of International Law in Cyberspace. Position Paper (Berlin, March 2021), 12, https://www.auswaertiges-amt.de/blob/2446304/2ae17233b62966a4b7f16d50ca3c6802/on-the-application-of-international-law-in-cyberspace-data.pdf (accessed 6 May 2021).

23

International Law Commission (ILC), Draft Articles on the Responsibility of States for Internationally Wrongful Acts (ARS) (August 2001), https://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf (accessed 15 June 2021).

24

Gordon Corera, “How France’s TV5 Was Almost Destroyed by ‘Russian Hackers’”, BBC News (online), 10 October 2016, https://www.bbc.com/news/technology-37590375 (accessed 14 July 2021).

25

Council of the European Union, “Council Regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States”, Official Journal of the European Union, no. L 129 I/1 (17 May 2019), https://eur-lex.europa.eu/legal-content/GA/TXT/?uri=CELEX%3A32019R0796 (accessed 2 June 2021).

26

“Island of Palmas Case (Netherlands, USA), 4 April 1928”, in Reports of International Arbitral Awards, ed. United Nations, vol. II (Lake Success, 1949), 829–71 (839); International Court of Justice (ICJ), The Corfu Channel Case. Judgment of 9 April 1949, ICJ Reports 1949 (The Hague, February 1949), 22, and ICJ, Case Concerning Pulp Mills on the River Uruguay (Argentina v. Uruguay). Judgment of 20 April 2010, ICJ Reports 2010 (The Hague, 2010), p. 69, para. 197: “obligation to act with due diligence in respect of all activities which simply take place under the jurisdiction and control of each party”, https://www.icj-cij.org/public/files/case-related/135/135-20100420-JUD-01-00-EN.pdf (accessed 14 September 2021); see also Michael N. Schmitt, ed., Tallinn Manual on the International Law Applicable to Cyberwarfare (Cambridge: Cambridge University Press, 2013), 27–8, para. 8.

27

 Council of the European Union, “Regulation (EU) 2019/796” (see note 25).

28

European Commission, “Commission Recommendation (EU) 2017/1584 of 13 September 2017 on Coordinated Response to Large-scale Cybersecurity Incidents and Crises”, Official Journal of the European Union, no. L 239 (19 September 2017): 36–58, https://eur-lex.europa.eu/eli/reco/2017/1584/oj; Council of the European Union, EU Coordinated Response to Large-Scale Cybersecurity Incidents and Crises – Council Conclusions (Brussels, 26 June 2018), https://data.consilium.europa.eu/doc/document/ST-10086-2018-INIT/en/pdf (accessed 2 June 2021).

29

Along with the Joint Cyber Unit of the European Commission, the relevant institutions, bodies and agencies of the EU Member States are to collaborate through a European platform. Under the Network and Information Security (NIS) Directive, Computer Security Incident Response Teams (CSIRTs) are already expected to share their technical solutions.

30

Investigations in criminal proceedings in cases of cyberattacks are carried out by the national law enforcement authorities. They are supported by Europol and the Joint Cybercrime Action Taskforce (JCAT) at the European Cybercrime Centre (EC3).

31

 Since 2018, the EU has been using the EU Law Enforcement Emergency Response Protocol (EU LE ERP) under the auspices of Europol.

32

Council of the European Union, “Council Implementing Decision (EU) 2018/1993 of 11 December 2018 on the EU Integrated Political Crisis Response Arrangements”, Official Journal of the European Union, no. L 320/28 (17 December 2018), https://eur-lex.europa.eu/eli/dec_impl/2018/1993/oj (accessed 2 June 2021). Cybersecurity is also to be included in the “Integrated Political Crisis Response” (IPCR) at Council level.

33

Council of the European Union, Draft Implementing Guidelines for the Framework on a Joint EU Diplomatic Response to Malicious Cyber Activities (9 October 2017), https://data.consilium.europa.eu/doc/document/ST-13007-2017-INIT/en/pdf (accessed 2 June 2021).

34

Matthias Monroy, “EU beschließt System für Cyber-Sanktionen”, Telepolis, 20 May 2019, https://www.heise.de/tp/features/EU-beschliesst-System-fuer-Cyber-Sanktionen-4426777.html (accessed 7 June 2021). The sanctions will be implemented by the Member States in accordance with the 2017 version of the Common Foreign and Security Policy of the EU (Document 15579/03).