Inside the Fourth EU Cyber Sanctions Package

Published by The Lawfare Institute
On Jan. 27, the European Council imposed the EU’s fourth cyber sanctions package, which encompassed restrictive measures against three officers working for Unit 29155 of Russia’s military intelligence service (GRU). Nikolay Korchagin, Vitaly Shevchenko, and Yuriy Denisov were sanctioned for “conducting intelligence activities directed against Estonia and gaining access to a computer system illegally.” Notably, these intelligence activities took place more than four years ago, in November 2020, when Unit 29155 breached the servers of the Estonian Ministry of Foreign Affairs, the Ministry of Social Affairs, and the Ministry of Economics and Communication.
But why did the European Union impose sanctions so late after the fact? Much of the answer lies in Estonian domestic politics rather than the speed of the sanctions process on the EU level. Additionally, the U.S. and other allies played an unprecedented role in sharing crucial intelligence for attribution purposes with Estonia and other EU members that these states would have had difficulty collecting by themselves. The Estonian case has the potential to reshape the EU cyber sanctions regime by encouraging more public attribution statements from member states, pushing for tangible impacts on adversarial operators, and streamlining international intelligence coordination efforts.
Background
On Dec. 1, 2020, Estonia’s Information System Authority (RIA) announced that three government ministries’ systems were breached, including the Ministry of Foreign Affairs and the Ministry of Social Affairs. In addition, 350 gigabytes of data were exfiltrated from systems of the Transport Administration, the Maritime Administration, the Geological Survey, and the Consumer Protection and Technical Regulatory Authority.
On Dec. 15, RIA informed the public that all “three attacks shared a similar pattern: the servers hosting the websites were attacked in an attempt to exploit vulnerabilities in their configuration.” In “one case, the attackers managed to access the servers in the administration field. In the other two cases, they were unable to get past the web server.”
In its annual review, RIA described the breaches as the “most painful lesson of the year” and elaborated further on the attacker’s techniques. First, “the web servers were scanned. If a vulnerability was discovered through a technical .git catalogue which had remained public by accident, malicious code was uploaded through that. After gaining access to the servers, the attacker stole all the data that they could and started to look for more ways to take advantage of the server.” RIA also highlighted that “the Ministry of Foreign Affairs escaped with the least damage: the attacker got stuck on their homepage and did not receive any sensitive information.”
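The RIA description above is the classic exposed-repository failure: a `.git` directory deployed inside a web root is readable by anyone, and the first sign of it in practice is a run of requests for `/.git/HEAD`, `/.git/config` and `/.git/index` in the web server access log. The following Python is an added detection example written for this article, not code from RIA or any of the agencies named here; the log lines are constructed Common Log Format samples with documentation IP addresses, and the verdict labels (`exposed`, `blocked`, `probed`) are this example's own. It parses the log, flags any request whose path contains a `.git` segment at any depth, and reports per client whether the server actually served the repository (a 2xx), refused it (403), or had nothing there (anything else).

```python
import re
from collections import defaultdict

# Constructed sample access-log entries (Common Log Format); not real data.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2020:03:14:07 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2020:03:14:08 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2020:03:14:09 +0000] "GET /.git/index HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Nov/2020:03:20:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.4 - - [12/Nov/2020:03:20:12 +0000] "GET /.git/HEAD HTTP/1.1" 403 0 "-" "curl/7.68.0"
192.0.2.9 - - [12/Nov/2020:04:01:00 +0000] "GET /news/.git/config HTTP/1.1" 404 0 "-" "python-requests/2.25"
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".git" path segment at the web root or anywhere deeper (/app/.git/config).
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_git_probes(log_text):
    """Return every parsed entry whose request path touches a .git directory."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and GIT_PATH_RE.search(entry["path"]):
            hits.append(entry)
    return hits


def classify(hits):
    """Per client IP, decide what the .git probes revealed about the server.

    'exposed' : at least one .git request was answered with 2xx (repository served)
    'blocked' : every .git request was refused with 403 (access rule in place)
    'probed'  : .git was requested but nothing was served (e.g. 404)
    """
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h["status"])
    verdict = {}
    for ip, statuses in by_ip.items():
        if any(200 <= s < 300 for s in statuses):
            verdict[ip] = "exposed"
        elif all(s == 403 for s in statuses):
            verdict[ip] = "blocked"
        else:
            verdict[ip] = "probed"
    return verdict


if __name__ == "__main__":
    probes = find_git_probes(SAMPLE_LOG)
    for ip, verdict in classify(probes).items():
        print(f"{ip}: {verdict}")
```

An `exposed` verdict for any client means the metadata directory is being served and the incident should be treated as a source disclosure at minimum; the remediation is to keep `.git` out of the deployed web root entirely (deploy built artifacts, not a checkout) and, as a backstop, to deny any path containing a `.git` segment in the web server configuration so that later probes land in the `blocked` bucket.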
According to Ago Ambur, the current head of the Cybercrime Bureau within Estonia’s National Criminal Police, the Estonian government “identified the first leads and the suspect already in the early stages of the investigation, which allowed [them], in cooperation with other agencies, to prevent greater damage and further spread.”
International Coordination
In 2020, Unit 29155 was not known for conducting cyber campaigns. Instead, the unit gained global notoriety for its physical operations, including the explosion of an ammunition warehouse in Czechia in 2014, the failed coup d’état in Montenegro in 2016, and the Novichok poisoning of Sergei Skripal in the United Kingdom in 2018. It is believed that, starting in 2020, Unit 29155 received additional resources to form its own specialized cyber team, likely as a reward for its successful physical operations and to foster internal competition with other GRU cyber units.
From November 2020 to August 2024, little to no information was publicly available on Unit 29155’s cyber operations. Then, on Sept. 5, 2024, a grand jury in the U.S. District Court for the District of Maryland unsealed a superseding indictment against five Unit 29155 members for engaging “in cyber operations that among other things, involved the destruction of computer systems in foreign countries through computer intrusions.” The indictment alleged that “from in or around December 2020 to the present, Unit 29155 conducted large-scale cyber operations to harm computer systems in Ukraine prior to the 2022 Russian invasion [the so-called WhisperGate campaign]. Beginning in or about August 2021, Unit 29155 also probed a variety of protected computer systems including those associated with twenty-six NATO member countries, searching for potential vulnerabilities.”
On the same day, the Estonian government publicly attributed the November 2020 cyberattacks against Estonia to three members of Unit 29155. This was the first time in Estonia’s history that the government publicly attributed a cyber campaign to a foreign perpetrator. Few countries in Europe have ever published a public attribution assessment, particularly one that specifically identifies individual adversarial operators by name and affiliation. The majority of EU and NATO member states simply do not have the necessary investigative resources or lack the global intelligence network necessary to identify specific individuals abroad. In most cases, governments also do not have an institutionalized public attribution process in place or cannot maintain political support domestically to pursue an investigation to its natural conclusion.
Following the announcement, Tanel Sepp, director general of the Cyber Diplomacy Department within Estonia’s Ministry of Foreign Affairs, noted that “attribution in cyberspace is not an easy task but today we can clearly show that we can do this and we will continue identifying the perpetrators of attacks against us in the future.” Estonia’s Harju County Court subsequently issued arrest warrants for the three GRU officers.
The unsealing of the U.S. indictment and Estonia’s public attribution statement were the culmination of “Operation Toy Soldier”—an unprecedented, coordinated counterintelligence effort of 14 services hailing from 10 countries, including Australia, Canada, Czechia, Estonia, Germany, Latvia, the Netherlands, the U.K., Ukraine, and the U.S.—which linked Unit 29155 to numerous cyber operations against Ukraine and its NATO and EU allies. The operation was directly related to the war in Ukraine, with a unique ability to facilitate intelligence sharing between military and law enforcement services to trace Unit 29155’s cyber mission footprint over the past four years.
On Sept. 5, the Toy Soldier group also published a joint cybersecurity advisory on tactics, techniques, and procedures associated with Unit 29155. In it, the FBI assessed that Unit 29155 is composed “of junior active-duty GRU officers [who work] under the direction of experienced Unit 29155 leadership. These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions.” The joint advisory also connects Unit 29155 to a threat actor that CrowdStrike has named Ember Bear and that Microsoft has been tracking as Cadet Blizzard. On March 30, 2022, CrowdStrike assessed that while Ember Bear “does not present known links with previously tracked adversaries,” the group’s “target profile, assessed intent, and their technical tactics, techniques and procedures (TTPs) are consistent with other GRU cyber operations.” In June 2023, Microsoft similarly noted that “Cadet Blizzard operations are associated with the Russian General Staff Main Intelligence Directorate (GRU) but are separate from other known and more established GRU-affiliated groups.”
It is unclear why the Estonian government waited until Sept. 5, 2024, to release its investigative findings. It could be that as part of Operation Toy Soldier, Tallinn signed up to intelligence collection efforts and international sharing commitments that prevented it from going public in an uncoordinated fashion. It could also be that the Estonian government was simply not willing to butt heads with Moscow on its own over a cyber campaign that falls squarely into the realm of traditional espionage. Or it could be that Estonia’s national attribution process was simply new and cumbersome in 2020, making a comprehensive attribution assessment difficult until several years later (after its international partners provided assistance through Operation Toy Soldier).
Domestic Politics and EU Cyber Sanctions
It seems likely that the Estonian push for cyber sanctions against GRU operatives was coordinated with former Prime Minister Kaja Kallas’s bid to become the next high representative of the European Union for foreign affairs and security policy. Kallas served as Estonia’s prime minister from January 2021 to July 2024 and resigned as head of the Estonian Reform Party on Sept. 8, 2024—three days after Estonia’s public attribution statement. On Nov. 21, Kallas was confirmed as high representative; on her first day in office on Dec. 1 she visited Kyiv.
For the EU Council, the imposition of cyber sanctions is mostly a question of process. The body can take action only once an EU member state has decided for itself whether it wants to bring an incident to the EU level and push for cyber sanctions. The Estonian government must have made its push between September and November 2024. Four days after Kallas assumed her post as high representative, the Horizontal Working Party on Cyber Issues reached an agreement to include the three GRU operatives on the EU cyber sanctions list. On Jan. 10, Kallas—in her new capacity as high representative—submitted a proposal to the EU Council to add the three GRU officers to the EU cyber sanctions list. Three days later, the Foreign Relations Counsellors Working Party agreed to the draft text. The Committee of the Permanent Representatives of the Governments of the Member States to the European Union then voted to accept it. And on Jan. 27, the EU Council announced the adoption of “additional restrictive measures against three Russian individuals responsible for a series of cyberattacks carried out against the Republic of Estonia in 2020.”
On the EU level, the cyber sanctions process worked rapidly, despite the Christmas and New Year break; the initial impression that the EU was sluggish in its imposition of sanctions is somewhat misleading. Indeed, the pace of the fourth EU cyber sanctions package likely had more to do with Estonian domestic politics than with the EU cyber sanctions regime itself.
In the Estonian case it seems likely that, rather than doing it alone, Tallinn approached the U.S. government early on with its investigative findings. When the U.S. Department of Justice then started its own investigation into the 2021-2022 intrusions into U.S. government agencies in the state of Maryland, more and more linkages across Europe were established—including WhisperGate—and Operation Toy Soldier was subsequently formed.
For Estonia, the public statement of Sept. 5 has catapulted Tallinn into an exclusive group of EU and NATO member states that have shown their willingness and ability to publicly attribute. Within the EU, Estonia is one of only three countries, including Germany and the Netherlands, that have successfully pushed through their own EU cyber sanctions packages. And with Kallas on the EU level, the Estonian government now has an EU high representative who is invested in cyber issues and is acutely aware that the EU cyber sanctions regime can provide value only when member states step forward and actively use it.
While it is unclear how important U.S. intelligence collection and sharing efforts have been for Estonia to complete its attribution assessment, and whether Operation Toy Soldier would have come about without the involvement of U.S., Australian, and U.K. government agencies, there are certainly lessons to draw from the Estonian case. First, proactive intelligence sharing in cyberspace can facilitate common foreign policy goals; and second, the involvement of the Five Eyes nations on the European continent is likely indispensable to the EU and its member states for cyber sanctions to work as intended.
It remains to be seen whether the Estonian government, in concert with Kallas, can inspire more member states to share their intelligence and bring forward cases for the potential imposition of EU cyber sanctions. It also remains to be seen whether this alliance can make cyber sanctions more impactful by, for example, automatically issuing international arrest warrants, imposing sanctions on family members, confiscating personal and employer assets globally, or offering substantial rewards that lead to the delivery and arrest of the sanctioned person in EU territory. Only time will tell whether the next EU cyber sanctions package is just around the corner.