The European Council has imposed sanctions on three ostensibly private companies, two based in China and one in Iran, for facilitating and executing unauthorized access operations against organizations in European countries.
One of the organizations, Integrity Technology Group, is a mid-size publicly traded corporation in China. Investigations showed the company supplied tools that threat actors used to compromise systems globally. The European Council linked the firm's software to 65,000 compromised devices across six European Union (EU) countries between 2022 and 2023.
The Council also sanctioned Anxun Information Technology, widely known as iSoon. While presenting itself as a cybersecurity training company, iSoon operates as a contract-based intrusion group supporting China's government and military. The EU also sanctioned the company's two founders as individuals.
The Iranian company, Emennet Pasargad, faces sanctions for gaining unauthorized access to a Swedish SMS service, exposing data from a French organization, and distributing disinformation via advertising billboards during the 2024 Paris Olympic Games.
These three organizations were previously sanctioned by the US and UK governments. Under the new European restrictions, they are prohibited from conducting business within the EU, their regional assets are frozen, and the two sanctioned individuals face travel bans across EU member states.
Why nations leverage private sector entities
State-level operations frequently rely on private sector companies for support. Adam Meyers, head of counter adversary operations at CrowdStrike, notes that this operational model is common across several nations. Corporations provide military units with necessary technical capabilities, infrastructure development, and planning resources.
In China, the People's Liberation Army (PLA) has maintained close connections with the private sector and academia since the 1990s. Iran followed a different trajectory. Following the discovery of the Stuxnet malware, Iranian operators began shifting from informal networks to professional corporate structures. These newly formed companies provided training and met the demand for technical capabilities at the Ministry of Intelligence and Security (MOIS) and the Islamic Revolutionary Guard Corps (IRGC).
Running operations through quasi-private institutions provides nation-states with plausible deniability. Crystal Morin, senior cybersecurity strategist at Sysdig, explains that maintaining a legitimate commercial offering complicates law enforcement efforts to distinguish standard business practices from unauthorized behavior.
Corporate structures also provide access to resources that might be restricted for state entities. Operating as a company simplifies talent recruitment. It also allows groups to purchase infrastructure and tools through the global supply chain using legitimate tax IDs and credentials. Furthermore, privatized workforces generally operate with fewer bureaucratic constraints than direct government agencies.
Evaluating the impact of sanctions
The recent sanctions stem from regulatory frameworks developed over several years. Following a series of severe global security incidents in the mid-2010s, including the WannaCry and NotPetya malware events, the European Council established a "Cyber Diplomacy Toolbox" in June 2017. This framework outlined diplomatic and regulatory responses to infrastructure threats. The Council formalized the specific mechanics of these sanctions in May 2019 and has since applied them to seven entities and 19 individuals.
For publicly traded organizations like Integrity Technology Group, sanctions carry tangible business consequences. Legitimate partners and customers typically sever ties to avoid regulatory penalties, which restricts the organization's access to funding, infrastructure, and global supply chains. While these measures do not completely neutralize a threat group's operations, they force operators out of standard commercial environments and affect their reputation.
For organizations functioning primarily as front companies, such as iSoon, the direct commercial impact is less severe. However, the restrictions still impose personal consequences on leadership, limiting their international mobility and freezing any assets held in cooperating jurisdictions.