EU blames ‘clerical error’ after misattributing hacks to wrong Russian spy agency

The European Council has blamed a “clerical error” after issuing a legal document blaming the wrong Russian intelligence agency for a series of cyberattacks targeting member states alongside Ukraine, and is seeking to have the document amended.

Six hackers who have previously been connected to either Russian state-sponsored or financially motivated cyberattacks targeting the European Union and Ukraine were added to the EU’s sanctions list on Monday.

Two of the newly listed individuals, Ruslan Peretyatko and Andrey Korinets, had previously been sanctioned by the United States and United Kingdom under a different designation.

The pair were previously charged by the Department of Justice with targeting U.S. government and military officials as part of the Callisto Group hacking campaign — also aimed at the United Kingdom, Ukraine and NATO — and were identified as working for the FSB, Russia’s Federal Security Service.

The Callisto Group was described as an FSB operation, while Peretyatko was described as an FSB officer. The description for Korinets indicated he was not an FSB officer but may have been a contractor or a criminal hacker tasked with assisting the intelligence service.

However, the European Council instead identified the Callisto Group as “a group of Russian military intelligence officers,” which would typically be understood to mean a separate agency in Russia, the GRU. It identified Peretyatko as a military intelligence officer, and Korinets as an FSB officer.

On Wednesday, a spokesperson for the European Council confirmed to Recorded Future News that these descriptions were due to a clerical error and the word “military” was being removed from the description of the Callisto Group. They added that the Council is seeking to amend the legal acts enacting the sanctions.

The error was one of several aspects of the Council’s sanctions that raised questions. Two of the individuals added to the list, Mikhail Tsarev and Maksim Galochkin, were first sanctioned by the United States and United Kingdom last year — but both were part of a tranche of 11 individuals accused of being part of the criminal group operating the Trickbot malware and Conti ransomware.

It is not clear why just those two out of the 11 were sanctioned, nor why the sanctions were announced now rather than in a coordinated fashion with those from Washington and London last year.

Bart Groothuis, a Dutch MEP and former Ministry of Defence employee, as well as a rapporteur on several of the European Union’s cybersecurity laws, previously told Recorded Future News that the bloc’s lack of a robust attribution policy was impacting its ability to “make a fist on the world stage,” and called for such a capability to help the EU become more aligned with the Five Eyes intelligence alliance.

The error follows the European Council last June agreeing that new measures were needed to strengthen its Cyber Diplomacy Toolbox to “increase the EU’s ability to prevent, discourage, deter and respond to malicious cyber activities.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.