EU Sanctions Chinese and Iranian Firms Over 65K Compromised Devices
The EU sanctioned Integrity Technology Group, Anxun Information Technology, and Emennet Pasargad for cyberattacks against member states, including an operation during the Paris Olympics.
The European Union imposed sanctions on three companies and two individuals for conducting cyberattacks against EU member states. The March 16 Council decision targets Chinese firms Integrity Technology Group and Anxun Information Technology, along with Iranian company Emennet Pasargad.
The sanctions include asset freezes for all listed entities, with EU citizens and companies prohibited from providing them funds or economic resources. The two sanctioned individuals also face travel bans.
The Chinese Companies
Integrity Technology Group provided products used to compromise devices across six EU member states between 2022 and 2023. The operation compromised more than 65,000 devices—a scale that suggests systematic targeting rather than opportunistic activity.
The company appears to operate as a front for state-directed operations, providing offensive cyber capabilities while maintaining commercial cover. This mirrors the model US authorities have documented with other Chinese tech firms that blur the line between private enterprise and state intelligence.
Anxun Information Technology (also known as i-SOON) offered hacking-as-a-service targeting critical infrastructure in EU member states and third countries. Two co-founders of the company were individually sanctioned for their involvement.
Anxun gained notoriety in early 2024 when leaked documents exposed its operations, revealing contracts with Chinese security services and tools designed to target specific countries and industries. The EU sanctions formalize what the leaked materials already demonstrated: the company functions as an arm of Chinese state cyber operations.
The China-nexus PlugX campaign we covered last week used techniques consistent with the broader ecosystem these companies support.
The Iranian Company
Emennet Pasargad engaged in multiple operations against EU interests. According to the Council statement, the company accessed a French subscriber database and offered its contents for sale on dark web markets.
More dramatically, Emennet compromised advertising billboards to spread disinformation during the 2024 Paris Olympic Games. The operation exploited digital signage systems to display unauthorized content—a hybrid attack combining cyber intrusion with information warfare.
The company also compromised a Swedish SMS service, impacting a large number of EU citizens through what appears to have been either a data theft or communication disruption operation.
Iranian threat actors have grown increasingly aggressive against Western targets. The APT42 WhatsApp campaign targeting Middle East espionage operations demonstrates the breadth of Iranian cyber capabilities, and Emennet Pasargad fits within that broader pattern.
Sanctions Regime Expansion
With these additions, the EU cyber sanctions regime now covers 19 individuals and 7 entities. The program allows the EU to target individuals and organizations responsible for cyberattacks that threaten the EU, its member states, or its institutions.
The sanctions represent economic and reputational consequences rather than criminal prosecution. Listed entities cannot conduct business with EU companies, receive EU funding, or access EU financial systems. For companies with international business interests, these restrictions create meaningful operational obstacles.
Whether sanctions actually deter nation-state cyber operations remains debatable. Chinese and Iranian entities often operate primarily within domestic markets or through intermediaries that can evade sanctions requirements. But the designations do provide legal frameworks for seizing assets and blocking transactions that might otherwise proceed unchallenged.
Attribution Confidence
The EU's willingness to publicly name these companies reflects growing confidence in cyber attribution capabilities. Historically, governments hedged their language around nation-state attacks. Direct sanctions require a higher evidentiary standard and suggest intelligence agencies have documentary evidence connecting these entities to specific operations.
For the private sector, this matters because it validates threat intelligence that security teams already use for defense. When your threat intel feed flags Integrity Technology Group or Emennet Pasargad infrastructure, the EU sanctions provide institutional confirmation that these are legitimate concerns rather than vendor speculation.
Organizations operating in Europe should review their supply chains and vendor relationships against the sanctions list. Any business connections to sanctioned entities—even indirect ones through subsidiaries or partners—could create legal exposure.
The Bigger Picture
These sanctions arrive amid broader geopolitical tension over cyber operations. China continues to deny state involvement in commercial hacking, while Iran has escalated operations against perceived adversaries across the Middle East and Europe.
The focus on companies rather than just government agencies reflects modern reality: nation-state cyber operations increasingly flow through nominally private entities that provide plausible deniability and operational flexibility. Sanctioning these front companies targets the business model rather than just individual attacks.
For European organizations, the takeaway is straightforward: threat actors linked to Chinese and Iranian intelligence services actively target EU infrastructure, and governments are responding with the tools available to them. Network defenders should ensure their detection capabilities cover the TTPs associated with these threat actors and their known tooling.
The INTERPOL Synergia III operation from last week and these EU sanctions together signal increased international coordination against cyber threats—a trend that should continue as governments recognize that individual national responses are insufficient against organized state-backed operations.