EU blames ‘clerical error’ after misattributing hacks to wrong Russian spy agency

The European Council has blamed a “clerical error” after issuing a legal document blaming the wrong Russian intelligence agency for a series of cyberattacks targeting member states alongside Ukraine, and is seeking to have the document amended.

Six hackers who have previously been connected to either Russian state-sponsored or financially motivated cyberattacks targeting the European Union and Ukraine were added to the EU’s sanctions list on Monday.

Two of the newly listed individuals, Ruslan Peretyatko and Andrey Korinets, had previously been sanctioned by the United States and United Kingdom under a different designation.

The pair were previously charged by the Department of Justice with targeting U.S. government and military officials as part of the Callisto Group hacking campaign — also aimed at the United Kingdom, Ukraine and NATO — and were identified as working for the FSB, Russia’s Federal Security Service.

The Callisto Group was described as an FSB operation, while Peretyatko was described as an FSB officer. The description for Korinets indicated he was not an FSB officer but may have been a contractor or a criminal hacker tasked with assisting the intelligence service.

However, the European Council instead identified the Callisto Group as “a group of Russian military intelligence officers,” which would typically be understood to mean a separate agency in Russia, the GRU. It identified Peretyatko as a military intelligence officer, and Korinets as an FSB officer.

On Wednesday, a spokesperson for the European Council confirmed to Recorded Future News that these descriptions were due to a clerical error and the word “military” was being removed from the description of the Callisto Group. They added that the Council is seeking to amend the legal acts enacting the sanctions.

The error was one of several aspects of the Council’s sanctions that raised questions. Two of the individuals added to the list, Mikhail Tsarev and Maksim Galochkin, were first sanctioned by the United States and United Kingdom last year — but both were part of a tranche of 11 individuals accused of being part of the criminal group operating the Trickbot malware and Conti ransomware.

It is not clear why just those two out of the 11 were sanctioned, nor why the sanctions were announced now rather than in a coordinated fashion with those from Washington and London last year.

Bart Groothuis, a Dutch MEP and former Ministry of Defence employee, as well as a rapporteur on several of the European Union’s cybersecurity laws, previously told Recorded Future News that the bloc’s lack of a robust attribution policy was impacting its ability to “make a fist on the world stage,” and called for such a capability to help the EU become more aligned with the Five Eyes intelligence alliance.

The error follows the European Council last June agreeing that new measures were needed to strengthen its Cyber Diplomacy Toolbox to “increase the EU’s ability to prevent, discourage, deter and respond to malicious cyber activities.”