{ "id": "b55570c5-4635-4aa9-b962-38223d413685", "created_at": "2026-04-06T00:11:57.13923Z", "updated_at": "2026-04-10T13:12:17.873393Z", "deleted_at": null, "sha1_hash": "d066f1435c3177de017ab38048977f6e12904cd4", "title": "Russian hackers sanctioned by European Council for attacks on EU and Ukraine", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 88026, "plain_text": "Russian hackers sanctioned by European Council for attacks on\r\nEU and Ukraine\r\nBy Alexander Martin\r\nPublished: 2024-06-24 · Archived: 2026-04-05 18:32:05 UTC\r\nSix hackers who have previously been connected to either Russian state-sponsored or financially motivated\r\ncyberattacks targeting the European Union and Ukraine were added to the EU’s sanctions list on Monday.\r\nThe move marks the bloc’s growing use of its so-called “Cyber Diplomacy Toolbox” which attempts to discourage\r\ncyberattacks against member states. Despite similar coordinated actions by Western states in recent years, these\r\nmeasures do not obviously appear to have impacted the volume and impact of Russian cyberattacks.\r\nThe EU’s sanctions require all funds and economic resources within EU member states controlled by the listed\r\nindividuals to be frozen. The sanctions also prevent any funds or economic resources being made to the sanctioned\r\nentities — although EU member states are allowed to make exceptions.\r\nFour of the individuals added to the Council’s list are Russian nationals currently covered by existing sanctions\r\nimposed by the United States and United Kingdom. Ruslan Peretyatko, Andrey Korinets, Mikhail Tsarev and\r\nMaksim Galochkin all currently face charges in the U.S. for alleged cybercrimes.\r\nHowever two others, Oleksandr Sklianko and Mykola Chernykh, have not been publicly charged in the United\r\nStates. The pair were first alleged to be officers in the counterintelligence branch of Russian Federal Security\r\nService (FSB) operating from occupied Crimea back in 2021, by the Ukrainian Security Service (SSU).\r\nAccording to the SSU, the pair are connected to a hacking group tracked as Armageddon or Gamaredon. The\r\nEuropean Council’s sanctions accuse them of conducting cyberattacks “with a significant impact on the\r\ngovernments of EU member states and Ukraine, including by using phishing emails and malware campaigns.”\r\nThere are discrepancies between the European Council’s sanctions against Peretyatko and Korinets and those of\r\nthe United States and United Kingdom. When the Department of Justice charged the pair with targeting U.S.\r\ngovernment and military officials as part of the Callisto Group hacking campaign — also aimed at the United\r\nKingdom, Ukraine and NATO — it identified them as working for the FSB.\r\nThe European Council instead identified the Callisto Group as “a group of Russian military intelligence officers,”\r\nwhich would typically be understood to mean a separate agency in Russia, the GRU. A spokesperson for the\r\nEuropean Council did not respond to clarify whether the discrepancy was an error on the Council’s part or due to a\r\ngenuine difference in assessment.\r\nThe sanctions against Tsarev and Galochkin are the first the European Council has made against alleged criminal\r\nhackers. The pair were among 11 individuals sanctioned by the United States and United Kingdom last year for\r\ntheir roles in a criminal group behind the Trickbot malware and Conti ransomware schemes.\r\nhttps://therecord.media/six-russian-hackers-sanctioned-european-council-eu-ukraine\r\nPage 1 of 3\n\nWhat’s the point of sanctions?\r\nThe effectiveness of cyber sanctions in deterring malicious hacking, as deployed by the European Union, has been\r\nquestioned. Law enforcement agencies in the United States and United Kingdom have told Recorded Future News\r\nthat they view sanctions more as an operational tactic than as a direct mechanism for tackling attackers’ finances.\r\nAs revealed by Recorded Future News earlier this year, the agency responsible for monitoring cyber sanctions in\r\nBritain has never detected an illicit payment to an entity embargoed under the country’s counter-ransomware\r\nregime.\r\nMultiple operational sources involved in the fight against ransomware said that the fact missed the true use that\r\nlaw enforcement is putting the sanctions to, which is not simply about frustrating the payments.\r\nWhile officials in Britain “assessed that sanctions have hampered the ability of cyber threat actors to monetise\r\ntheir cyber criminal activities,” more significantly law enforcement agencies deployed sanctions because they\r\n“contributed to sowing discord within certain groups.”\r\nIn particular, naming previously anonymous cybercriminals undermines their operational security and adds stress\r\nto potential relationships between them and colleagues, as well as with corrupt officials in jurisdictions such as the\r\nRussian Federation where they may be expected to provide kickbacks or to receive tasking from the security\r\nservices.\r\nChoosing who to sanction also offers flexibility for a range of covert actions. Keeping a name off of the sanctions\r\nlist can allow suspects a false sense of security to travel abroad if an arrest is planned, or it can provide leeway if a\r\nsuspect is cooperating, officials have told Recorded Future News. A sense of injustice between those who have\r\nbeen sanctioned and any co-conspirators left off the list can also cause divisions within the organized crime\r\ngroups.\r\nLast June, the European Council agreed that new measures were needed to strengthen its Cyber Diplomacy\r\nToolbox to “increase the EU's ability to prevent, discourage, deter and respond to malicious cyber activities.”\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/six-russian-hackers-sanctioned-european-council-eu-ukraine\r\nPage 2 of 3\n\nAlexander Martin\r\nis the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow\r\nat the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal\r\non: AlexanderMartin.79\r\nSource: https://therecord.media/six-russian-hackers-sanctioned-european-council-eu-ukraine\r\nhttps://therecord.media/six-russian-hackers-sanctioned-european-council-eu-ukraine\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://therecord.media/six-russian-hackers-sanctioned-european-council-eu-ukraine" ], "report_names": [ "six-russian-hackers-sanctioned-european-council-eu-ukraine" ], "threat_actors": [ { "id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308", "created_at": "2022-10-25T15:50:23.320841Z", "updated_at": "2026-04-10T02:00:05.356444Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Gamaredon Group", "IRON TILDEN", "Primitive Bear", "ACTINIUM", "Armageddon", "Shuckworm", "DEV-0157", "Aqua Blizzard" ], "source_name": "MITRE:Gamaredon Group", "tools": [ "QuietSieve", "Pteranodon", "Remcos", "PowerPunch" ], "source_id": "MITRE", "reports": null }, { "id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d", "created_at": "2022-10-25T16:07:23.432642Z", "updated_at": "2026-04-10T02:00:04.600341Z", "deleted_at": null, "main_name": "Callisto Group", "aliases": [], "source_name": "ETDA:Callisto Group", "tools": [ "RCS Galileo" ], "source_id": "ETDA", "reports": null }, { "id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4", "created_at": "2023-01-06T13:46:38.581534Z", "updated_at": "2026-04-10T02:00:03.029872Z", "deleted_at": null, "main_name": "Callisto", "aliases": [ "BlueCharlie", "Star Blizzard", "TAG-53", "Blue Callisto", "TA446", "IRON FRONTIER", "UNC4057", "COLDRIVER", "SEABORGIUM", "GOSSAMER BEAR" ], "source_name": "MISPGALAXY:Callisto", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3aedca2f-6f6c-4470-af26-a46097d3eab5", "created_at": "2024-11-01T02:00:52.689773Z", "updated_at": "2026-04-10T02:00:05.396502Z", "deleted_at": null, "main_name": "Star Blizzard", "aliases": [ "Star Blizzard", "SEABORGIUM", "Callisto Group", "TA446", "COLDRIVER" ], "source_name": "MITRE:Star Blizzard", "tools": [ "Spica" ], "source_id": "MITRE", "reports": null }, { "id": "3a057a97-db21-4261-804b-4b071a03c124", "created_at": "2024-06-04T02:03:07.953282Z", "updated_at": "2026-04-10T02:00:03.813595Z", "deleted_at": null, "main_name": "IRON FRONTIER", "aliases": [ "Blue Callisto ", "BlueCharlie ", "CALISTO ", "COLDRIVER ", "Callisto Group ", "GOSSAMER BEAR ", "SEABORGIUM ", "Star Blizzard ", "TA446 " ], "source_name": "Secureworks:IRON FRONTIER", "tools": [ "Evilginx2", "Galileo RCS", "SPICA" ], "source_id": "Secureworks", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null }, { "id": "236a8303-bf12-4787-b6d0-549b44271a19", "created_at": "2024-06-04T02:03:07.966137Z", "updated_at": "2026-04-10T02:00:03.706923Z", "deleted_at": null, "main_name": "IRON TILDEN", "aliases": [ "ACTINIUM ", "Aqua Blizzard ", "Armageddon", "Blue Otso ", "BlueAlpha ", "Dancing Salome ", "Gamaredon", "Gamaredon Group", "Hive0051 ", "Primitive Bear ", "Shuckworm ", "Trident Ursa ", "UAC-0010 ", "UNC530 ", "WinterFlounder " ], "source_name": "Secureworks:IRON TILDEN", "tools": [ "Pterodo" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434317, "ts_updated_at": 1775826737, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d066f1435c3177de017ab38048977f6e12904cd4.pdf", "text": "https://archive.orkl.eu/d066f1435c3177de017ab38048977f6e12904cd4.txt", "img": "https://archive.orkl.eu/d066f1435c3177de017ab38048977f6e12904cd4.jpg" } }