On January 27, 2025, the Council of the European Union adopted Council Decision (CFSP) 2025/171 and Council Implementing Regulation (EU) 2025/173 to designate three Russian individuals involved in cyberattacks against certain government entities in the Republic of Estonia. The individuals, who are officers in Unit 29155 of the General Staff of the Armed Forces of the Russian Federation (“GRU”), allegedly conducted cyberattacks on several government ministries, including the Ministries of Economic Affairs and Communications and Social Affairs. According to the Council, the cyberattacks enabled the designees to gain unauthorized access to nonpublic information and sensitive data stored on government networks and led to the theft of thousands of confidential documents, including business secrets and health records. While the Ministry of Foreign Affairs was also targeted, the Council reported that no sensitive or nonpublic information was successfully accessed.
These designations were imposed pursuant to the EU horizontal cyber sanctions regime, which subjects listed persons to assets freezes and travel bans in the European Union and prohibits EU persons and entities from making funds available to them.
Council of the EU Press Release | Council Decision (CFSP) 2025/171 | Council Implementing Regulation (EU) 2025/173