On Jan. 27, the European Council imposed the EU’s fourth cyber sanctions package, which encompassed restrictive measures against three officers working for Unit 29155 of Russia’s military intelligence service (GRU). Nikolay Korchagin, Vitaly Shevchenko, and Yuriy Denisov were sanctioned for “conducting intelligence activities directed against Estonia and gaining access to a computer system illegally.” Notably, these intelligence activities took place more than four years ago, in November 2020, when Unit 29155 breached the servers of the Estonian Ministry of Foreign Affairs, the Ministry of Social Affairs, and the Ministry of Economics and Communication. But why did the European Union impose sanctions so late after the fact? Much of the answer lies in Estonian domestic politics rather than the speed of the sanctions process on the EU level. Additionally, the U.S. and other allies played an unprecedented role in sharing crucial intelligence for attribution purposes with Estonia and other EU members that these states would have had difficulty collecting by themselves. The Estonian case has the potential to reshape the EU cyber sanctions regime by encouraging more public attribution statements from member states, pushing for tangible impacts on adversarial operators, and streamlining international intelligence coordination efforts.
Inside the Fourth EU Cyber Sanctions Package (Stefan Soesanto, Lawfare)
Related articles