Last update 13 October 2021
In: Annegret Bendiek, Matthias Schulze: »Attribution: A Major Challenge for EU Cyber Sanctions«, SWP Research Paper 2021/RP 11, 16.12.2021.

| Criterion | Required features | WannaCry | NotPetya | Cloud Hopper 2016 | Bundestag hack | OPCW 2018 |
|---|---|---|---|---|---|---|
| Cyberattack | Actions involving any of the following: | | | | | |
| | a. access to information systems; | yes | yes | yes | yes | no |
| | b. information system interference; | yes | yes | yes | yes | no |
| | c. data interference; or | yes | yes | yes | yes | no |
| | d. data interception | no | no | yes | yes | yes |
| | where such actions are not duly authorised by the owner or by another right holder of the system or data, or of part of it, or are not permitted under the law of the Union or the Member State concerned. | | | | | |
| | Including attempted cyberattacks | | | | | yes |
| Attacker determination | Attackers are located outside the EU (natural/legal persons, entities or bodies) or operate from outside the EU | yes | yes | yes | yes | yes |
| | Attackers use infrastructure outside the EU | yes | yes | yes | yes | no |
| | Victims: within the EU (critical infrastructures, including submarine cables and objects launched into space as part of critical infrastructure) | | | | | |
| | Cyberattacks constituting an external threat include those which: | | | | | |
| | a. originate, or are carried out, from outside the Union; | yes | yes | yes | yes | no |
| | b. use infrastructure outside the Union; | yes | yes | yes | yes | yes |
| | c. are carried out by any natural or legal person, entity or body established or operating outside the Union; or | yes | yes | yes | yes | yes |
| | d. are carried out with the support, at the direction or under the control of any natural or legal person, entity or body operating outside the Union. | yes | yes | yes | yes | yes |
| Damage and scope | a. the scope, scale, impact or severity of disruption caused, including to economic and societal activities, essential services, critical state functions, public order or public safety; | approx. 150 countries | approx. 65 countries | unknown | Germany only | Netherlands only |
| | | approx. 23,000 systems, including critical infrastructure | approx. 49,000 systems | unknown | approx. 50 systems | approx. 1 system |
| | Economic costs | | | | | |
| | b. the number of natural or legal persons, entities or bodies affected; | among others Telefónica and O2 (Spain and EU), DB Schenker of Deutsche Bahn (Germany), Renault (France), Banco Bilbao Vizcaya Argentaria (Spain), Sandvik (Sweden) | among others Maersk (Denmark), Rosneft (Russia), Merck Sharp & Dohme (USA), Mondelez (USA), FedEx/TNT (USA/Germany), Reckitt Benckiser (UK), Saint-Gobain (France) and Beiersdorf (Germany), as well as 80 hospitals and medical facilities of the Heritage Valley Health System (USA) | IBM, HPE (both USA), Ericsson, SKF (both Sweden), Valmet (Finland), Fujitsu (Japan), Tata Consultancy Services (India), NTT Data (Japan), Dimension Data (South Africa), Computer Sciences Corporation, DXC Technology, Sabre Corp, Huntington Ingalls Industries (all USA), as well as NASA (USA) and the U.S. Navy | 1 (Bundestag) | 1 (OPCW) |
| | c. the number of Member States concerned; | at least 6 | at least 3 | at least 2 | 1 | 1 |
| | d. the amount of economic loss caused, such as through large-scale theft of funds, economic resources or intellectual property; | approx. US$4 billion | approx. US$10 billion | unknown, approx. several million USD | approx. US$1 billion | none |
| | e. the economic benefit gained by the perpetrator for himself or for others; | approx. US$70,000 | unknown | unknown | unknown | unknown |
| | f. the amount or nature of data stolen or the scale of data breaches; or | unknown | unknown | intellectual property | unknown | none |
| | g. the nature of commercially sensitive data accessed | | | | | |
| Target or victim | Presumed motive | inconclusive; disruption; “signalling” towards the NSA; profit; diversionary tactics | sabotage and disruption; “tacit bargaining” towards Ukraine | industrial and political espionage | political espionage; allegation of influence operation | political espionage |
| | a. critical infrastructure, including submarine cables and objects launched into outer space, which is essential for the maintenance of vital functions of society, or the health, safety, security and people’s economic or social well-being; | yes | no | no | no | no |
| | b. services necessary for the maintenance of essential social and/or economic activities, in particular in the following sectors: | unknown | no | no | unknown | no |
| | 1. energy (electricity, oil and gas); | unknown | unknown | no | no | no |
| | 2. transport (air, rail, water and road); | yes | yes | no | no | no |
| | 3. banking, financial market infrastructures; | yes | yes (but outside the EU) | no | no | no |
| | 4. health (healthcare providers, hospitals and private clinics); | yes | yes | no | no | no |
| | 5. drinking water supply and distribution; | unknown | unknown | no | no | no |
| | 6. digital infrastructure; and any other sector which is essential for the Member State concerned; | unknown | unknown | yes | no | no |
| | c. critical state functions, particularly in the areas of: | | yes (but outside the EU) | no | no | no |
| | 1. defence; | unknown | unknown | yes (but outside the EU) | no | no |
| | 2. governance; | yes | unknown | no | yes | no |
| | 3. the functioning of institutions, including those required for public elections or the voting process; | no | unknown | no | indirectly | no |
| | 4. the functioning of economic and civil infrastructure; | unknown | yes (but outside the EU) | yes | no | no |
| | 5. internal security; | unknown | unknown | no | no | no |
| | 6. external relations, including diplomatic missions; | no | unknown | no | no | yes |
| | d. the storage or processing of classified information; | no | unknown | no | presumably | no |
| | e. government emergency response teams. | no | unknown | no | no | no |
| Attribution | | June 2017: NSA and GCHQ suspect North Korea’s military intelligence agency, the Reconnaissance General Bureau (RGB); 18/12/2017: public attribution by UK and U.S. with “high probability”; 16/04/2018: EU Council condemns | April 2018: ESET sees similarities with Industroyer; January 2018: CIA with “high certainty”; 15/02/2018: political attribution via Five Eyes; February 2020: UK & US attribute legally to Russia | December 2018: U.S. attributes to APT 10 | June 2015: C. Guarnieri suspects APT 28; July 2017: ThreatConnect discovers similarities with DNC hack; 2016: German Agency for the Protection of the Constitution (BfV) designates Russia; January 2018: AIVD publicises APT 29; July 2018: U.S. indictment for DNC hack; March 2019: Mueller Report names 12 GRU officials; October 2019: federal government publicly attributes to Russia | October 2018: Dutch make political attribution; NCSC (UK) supports: “almost certainly responsible”; October 2018: European Council, Commission and HR publicly attribute |
| Significance & scope of public evidence | | medium | medium | low | medium | high |
| Sanctions/Reaction | | September 2018: U.S. indictment; 30/07/2020: EU sanctions (2020/1125) | 15/10/2020: U.S. indictment against 6 Russian citizens; July 2020: EU sanctions (2020/1125) | December 2018: DoJ indictment; 12/04/2019: statement of the EU HR; July 2020: EU sanctions (EU 2020/1125 and 2020/1744) | July 2018: DoJ indictment against 12 Russian hackers, DNC hack; October 2020: EU sanctions (EU 2020/1536) | October 2018: U.S. indictment; July 2020: EU sanctions (EU 2020/1125) |
| Individuals indicted or sanctioned in the USA | | Park Jin Hyok, Jon Chang Hyok, Kim Il | Yuri Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, Petr Nikolayevich Pliskin | Zhu Hua, Zhang Shilong | Viktor Borisovich Netyksho, Boris Alekseyevich Antonov, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Aleksandrovich Morgachev, Nikolay Yuryevich Kozachek, Pavel Vyacheslavovich Yershov, Artem Andreyevich Malyshev, Aleksandr Vladimirovich Osadchuk, Aleksey Aleksandrovich Potemkin, Anatoliy Sergeyevich Kovalev | Aleksei Sergeyevich Morenets, Evgenii Mikhaylovich Serebriakov, Artem Andreyevich Malyshev, Dmitry Sergeyevich Badin, Oleg Mikhaylovich Sotnikov, Alexey Valerevich Minin |
| Individuals and entities sanctioned by the EU | | Chosun Expo | Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU) | Tianjin Huaying Haitai Science and Technology Development, Gao Qiang, Zhang Shilong | 85th Main Centre for Special Services (GTsSS) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), Dmitry Sergeyevich Badin, Igor Olegovich Kostyukov | 85th Main Centre for Special Services (GTsSS) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU), Aleksei Sergeyevich Morenets, Evgenii Mikhaylovich Serebriakov, Oleg Mikhaylovich Sotnikov, Alexey Valerevich Minin |
| Political support for the attribution | | Estonia, Netherlands, France, UK, Canada, Australia, New Zealand, Japan; the USA also welcomed the EU’s restrictive measures | Denmark, Latvia, Sweden; Finland supports the U.S. attribution | UK, Canada, Australia, New Zealand, USA, Germany | unknown | UK |