Executive Summary
In March 2026, the European Union imposed sanctions on three companies—two Chinese and one Iranian—and two individuals for their involvement in cyberattacks targeting devices and critical infrastructure across multiple EU member states. Integrity Technology Group, a Beijing-based firm, provided technical support that led to the compromise of over 65,000 devices between 2022 and 2023. Anxun Information Technology, also from China, offered hacking services aimed at critical infrastructure. The Iranian company, Emennet Pasargad, was implicated in influence campaigns and the compromise of an SMS service in Sweden. The two sanctioned individuals are co-founders of Anxun Information Technology, believed to have played significant roles in these cyberattacks.
This action underscores the EU's commitment to addressing state-sponsored cyber threats and protecting its member states' critical infrastructure. The sanctions include asset freezes and travel bans, reflecting the severity of the offenses and the EU's resolve to deter future cyberattacks.
Why This Matters Now
The EU's sanctions highlight the escalating threat of state-sponsored cyberattacks on critical infrastructure, emphasizing the need for robust cybersecurity measures and international cooperation to mitigate such risks.
Attack Path Analysis
The adversaries gained initial access by exploiting vulnerabilities in internet-facing devices. They then escalated privileges by leveraging compromised credentials to reach sensitive systems, and moved laterally across the network to identify and access critical infrastructure components. To maintain persistent access, the attackers established command and control channels, over which they exfiltrated sensitive information, including personal data of subscribers, to external servers. Finally, they used the exfiltrated data to conduct influence campaigns and spread misinformation.
Kill Chain Progression
Initial Compromise
Description
The adversaries exploited vulnerabilities in internet-facing devices, such as routers and IP cameras, to gain unauthorized access to the network.
MITRE ATT&CK® Techniques
- Valid Accounts
- Command and Scripting Interpreter
- Boot or Logon Autostart Execution
- Process Injection
- Impair Defenses
- Data from Local System
- Application Layer Protocol
- Dynamic Resolution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
- Cyber Resilience Act – Security by Design and Default (Control ID: Article 10)
- Cyber Solidarity Act – Coordinated Response to Cyber Threats (Control ID: Article 5)
- European Programme for Critical Infrastructure Protection (EPCIP) – Identification and Designation of European Critical Infrastructures (Control ID: Directive 2008/114/EC)
- NIST Cybersecurity Framework – Identity Management and Access Control (Control ID: PR.AC-1)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
State-sponsored APT groups compromised 65,000+ network devices including routers and IP cameras, enabling lateral movement and encrypted traffic interception capabilities.
Utilities
Critical infrastructure targeting by the sanctioned Chinese and Iranian firms exposes power grid networks to unauthorized outbound (egress) connections and to manipulation of internal (east-west) traffic.
Government Administration
EU member states directly targeted by Flax Typhoon botnet operations, requiring zero trust segmentation and multicloud visibility controls for protection.
Financial Services
Banking systems face heightened exfiltration risks from compromised infrastructure devices used for command and control by sanctioned threat actors.
Sources
- Europe sanctions Chinese and Iranian firms for cyberattacks: https://www.bleepingcomputer.com/news/security/europe-sanctions-chinese-and-iranian-firms-for-cyberattacks/
- Treasury Sanctions Technology Company for Support to Malicious Cyber Group: https://home.treasury.gov/news/press-releases/jy2769
- Court-Authorized Operation Disrupts Worldwide Botnet Used by People's Republic of China State-Sponsored Hackers: https://www.justice.gov/usao-wdpa/pr/court-authorized-operation-disrupts-worldwide-botnet-used-peoples-republic-china-state
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control channels, and exfiltrate sensitive data, thereby reducing the overall blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Implementing Aviatrix CNSF may have limited the attacker's ability to exploit vulnerabilities in internet-facing devices by enforcing strict access controls and segmenting network traffic.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely have constrained the attacker's ability to escalate privileges by enforcing least-privilege access controls and limiting access to sensitive systems.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security may have reduced the attacker's ability to move laterally by monitoring and controlling internal traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely have constrained the establishment of command and control channels by providing comprehensive monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement may have limited data exfiltration by enforcing strict policies on outbound traffic.
By constraining data exfiltration, the potential for misuse of sensitive information in influence campaigns and misinformation efforts would likely have been reduced.
Impact at a Glance
Affected Business Functions
- Critical Infrastructure Operations
- Public Communication Systems
- Media and Publishing
- Government Services
Estimated downtime: 14 days
Estimated loss: $5,000,000
Personal information of 230,000 subscribers of the French magazine Charlie Hebdo; potential compromise of critical infrastructure systems in multiple EU member states.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Deploy East-West Traffic Security measures to monitor and control internal traffic flows.
- Utilize Encrypted Traffic (HPE) solutions to protect data in transit and prevent packet sniffing.
- Establish Multicloud Visibility & Control to detect and respond to anomalous interactions across cloud environments.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.