EU Sanctions Chinese and Iranian Cyber Firms Over Critical Infrastructure Attacks and 65,000-Device Compromise
The European Union has moved to sharpen its cyber deterrence posture, imposing sanctions on three companies and two individuals it says were responsible for cyberattacks against EU member states and partner countries. The decision sends a broader signal than the legal action alone. Brussels is making clear that cyber operations targeting critical infrastructure, public systems, and civilian digital services will increasingly draw not just technical response and diplomatic protest, but concrete economic and travel restrictions.
The measures target two China-based companies, Integrity Technology Group and Anxun Information Technology, along with Iranian firm Emennet Pasargad. Two Chinese individuals linked to Anxun were also designated. Together, the sanctions reflect the EU’s growing willingness to publicly identify and punish not only state-linked operators, but also the commercial entities and service providers that enable cyber campaigns at scale.
What the EU sanctioned and why it matters
According to the Council of the European Union, the sanctions were imposed on three entities and two individuals held responsible for cyberattacks carried out against EU member states and EU partners. That may sound procedural, but the implications are strategic. These are not symbolic listings detached from real-world harm. The EU tied the companies to activity ranging from large-scale device compromise to attacks on critical infrastructure and disinformation-linked disruption that affected European citizens directly.
Under the sanctions, assets of the listed entities and individuals are frozen within the EU. EU citizens and companies are prohibited from making funds or economic resources available to them, directly or indirectly. The individuals are also subject to travel bans within the bloc. In practical terms, the move is meant to isolate the targets financially, limit their room to operate internationally, and increase the reputational and operational cost of acting as enablers of malicious cyber activity.
With these additions, the EU cyber sanctions regime now covers 19 individuals and 7 entities. That number is important because it shows this is no longer a niche or rarely used mechanism. It is becoming part of Europe’s standard response toolkit for significant malicious cyber activity.
Integrity Technology Group and the 65,000-device compromise
The most eye-catching figure in the announcement is the EU’s claim that Integrity Technology Group supported operations that compromised more than 65,000 devices across six EU member states between 2022 and 2023. That scale matters. It suggests not a one-off intrusion or a narrow espionage case, but an industrialized operation capable of using infrastructure and tooling to affect thousands of systems across multiple countries.
Integrity Technology Group has already been under international scrutiny. In January 2025, the U.S. Treasury sanctioned the company for links to Flax Typhoon, a China-linked threat group also known as Ethereal Panda or RedJuliett. Public reporting and previous government action have described Flax Typhoon as a state-backed actor targeting critical infrastructure and maintaining persistent access through known vulnerability exploitation and follow-on network abuse.
What makes the EU action notable is that it moves beyond general concern about China-linked cyber activity and points to a specific support structure. Instead of talking only about threat actors in abstract terms, the bloc is naming the company it says routinely provided products used to compromise and access targeted systems. That is a meaningful shift in how cyber accountability is being framed. The ecosystem around the attacker is now part of the enforcement picture.
Anxun, i-Soon, and the commercialization of offensive cyber services
The second Chinese company sanctioned by the EU is Anxun Information Technology, widely known as i-Soon. The firm has been associated with hack-for-hire activity and offensive cyber services aimed at governments, dissidents, and critical infrastructure targets. The EU said Anxun provided hacking services targeting critical infrastructure, and it also sanctioned two of the company’s co-founders for directly participating in cyberattacks against member states.
Anxun’s name has carried unusual visibility over the past two years because of the 2024 leak that exposed internal company data, tool references, operational materials, and apparent evidence of the market structure behind parts of China’s offensive cyber ecosystem. That leak helped pull back the curtain on a model that security researchers have discussed for years: the blending of state interest, contractor support, and commercial intrusion services.
In March 2025, the United States also sanctioned Anxun for offering hacker-for-hire services and conducting cyberattacks over a long period. The EU’s move now reinforces the view that such companies are not simply private-sector gray-zone actors operating in isolation. In the eyes of Western governments, they are increasingly being treated as accountable nodes in state-aligned cyber campaigns.
The Iranian angle: Emennet Pasargad and cyber-enabled disruption
The third sanctioned entity, Emennet Pasargad, brings a different but equally important dimension to the EU’s cyber sanctions regime. The company was linked to the breach of a French subscriber database and an attempt to sell that data online. It was also tied to disinformation activity during the Paris 2024 Olympic Games, after advertising billboards were hacked and manipulated, and to the disruption of a Swedish SMS service that affected large numbers of EU citizens.
This matters because it expands the conversation beyond traditional critical infrastructure attacks in the strict technical sense. Cyber operations today are not limited to industrial systems, power grids, or telecom backbones. They also include public influence operations, digital vandalism, citizen-facing service disruption, and attacks designed to create psychological effect during high-profile events. The Olympic billboard incidents underline how cyber operations can be staged for public visibility and narrative impact, not just quiet access or espionage.
In that sense, Emennet Pasargad represents the increasingly blurred line between cyber intrusion, information operations, and coercive state messaging. By sanctioning it under the same regime, the EU is signaling that it sees these acts as part of the same broader threat environment.
Why the EU is escalating now
The latest action sits within the framework of the EU’s “cyber diplomacy toolbox,” first established in 2017 to give the bloc diplomatic and restrictive options for preventing, discouraging, deterring, and responding to malicious cyber activities. In 2019, the EU added a dedicated sanctions framework for cyberattacks that constitute an external threat to the Union or its member states.
That architecture has existed for years, but this latest round shows it becoming more active and more pointed. There are several reasons for that. First, the scale and persistence of cyber operations against Europe have continued to rise. Second, the EU is under growing pressure to show that it can respond in a coordinated way rather than leaving member states to act individually. Third, attribution and public exposure now often come with far more technical confidence and international partner alignment than they did several years ago.
In other words, the sanctions are not simply punishment. They are also strategic signaling. They tell adversaries that Europe intends to impose recurring cost, however incremental, on the companies and individuals it believes make hostile cyber operations possible.
A warning to the private sector and critical infrastructure operators
For organizations across the EU, this is not just a geopolitical story. It is a practical one. The Integrity Technology Group designation, in particular, underscores how large-scale compromise campaigns can unfold through support infrastructure, managed access, and exploitation chains that touch tens of thousands of devices before many victims even realize the pattern is regional rather than local.
Critical infrastructure operators should read these sanctions as a reminder that threat actors do not always appear as a single branded APT knocking on the front door. Sometimes the more relevant operational question is which enabling firms, leased infrastructure, supply-chain intermediaries, or contractor-style offensive services sit behind the visible intrusion activity. That matters for detection, vendor risk review, and threat intelligence correlation.
The i-Soon angle is equally instructive. Organizations should not think only in terms of “state actor” versus “criminal actor.” Increasingly, cyber ecosystems contain hybrids: commercial intrusion providers, semi-official contractors, patriotic intermediaries, and influence operators whose work can align with state priorities without always looking like classic government cyber units. Defenders need a wider mental model than the old categories allow.
Why sanctions alone will not stop cyber operations
Sanctions can raise cost, restrict access to finance, and increase political pressure, but they are not a kill switch for offensive cyber activity. Many of the entities involved in such campaigns are designed to operate in opaque networks, use domestic support systems, or work through layers of front companies and shifting infrastructure. Some will treat sanctions as a manageable business risk rather than an existential blow.
Still, that does not make the sanctions unimportant. Their value lies in three areas. First, they create official attribution and legal clarity. Second, they support international coordination by aligning EU actions with prior U.S. moves against related actors. Third, they help the market understand which companies and individuals European authorities consider part of the hostile cyber landscape.
For defenders, that intelligence value is significant. Once a company or individual is publicly designated, their infrastructure patterns, commercial relationships, and technical fingerprints become more actionable for threat hunting, supplier risk analysis, and strategic exposure management.
The larger message from Brussels
The EU’s latest cyber sanctions are not just about three companies and two individuals. They are about changing the economics and legitimacy of cyber aggression against Europe. By targeting China-based firms tied to large-scale compromise and hack-for-hire services, and an Iranian firm tied to disruptive intrusion and disinformation activity, Brussels is broadening the accountability net around modern cyber conflict.
That is the deeper significance of this move. Europe is no longer treating hostile cyber activity solely as a technical nuisance to be mitigated quietly in the background. It is treating it as a policy, security, and geopolitical issue that deserves public response, legal consequence, and coordinated pressure with allies.
Whether that meaningfully deters future operations remains to be seen. But the direction is clear. The era of naming threat actors without touching the companies and people around them is giving way to something firmer. For adversaries and enablers alike, that raises the cost of doing business.