# Cyber Sanctions: How Governments Respond
## Definition and Overview
Cyber sanctions are legally binding economic and financial restrictions imposed by governments on individuals, organizations, and states in response to malicious cyber activity. Unlike voluntary norms or diplomatic statements, sanctions carry legal force: they prohibit financial transactions, freeze assets, and can create criminal liability for violations. For private sector organizations, cyber sanctions create compliance obligations that are direct and enforceable, regardless of whether the organization was the target of the underlying cyber operation.
The United States maintains the most developed and active cyber sanctions regime in the world, administered primarily through the Department of the Treasury's Office of Foreign Assets Control (OFAC). Allied governments including the United Kingdom, the European Union, Canada, and Australia have developed parallel frameworks that are frequently coordinated with U.S. actions. The resulting ecosystem of coordinated sanctions represents one of the primary tools through which democratic governments impose costs on cyber adversaries short of military action.
For risk governance practitioners, cyber sanctions are not merely a geopolitical topic. They define the boundaries of legally permissible incident response: a ransomware victim paying a designated group commits a federal offense. They shape which vendors, service providers, and technology products can be used. And they provide an intelligence signal, since the act of designation reveals government attribution assessments that inform threat intelligence. Within the Planetary Defense Model, the RGA domain tracks the sanctions environment as a core element of the compliance landscape, and the TID domain uses designation actions as attribution data points within the Predictive Defense Intelligence (PDI) methodology.
## Background
The U.S. cyber sanctions framework was created by Executive Order, not by Congress, which gave the President broad authority to move quickly as the threat landscape evolved. Executive Order 13694, signed by President Obama in April 2015, established the framework by declaring a national emergency with respect to significant malicious cyber-enabled activities and authorizing the Secretary of the Treasury, in consultation with the Attorney General and Secretary of State, to block the property and interests of persons responsible for or complicit in those activities.
The threshold for designation under EO 13694 was significant malicious cyber-enabled activities, defined to include harm to critical infrastructure or to computer systems supporting the financial sector, theft of trade secrets or sensitive financial information for commercial advantage, or disruption of computer networks where the disruption could result in significant damage. Executive Order 13757, signed in December 2016 following the Russian interference in the 2016 U.S. election, expanded the framework to cover cyber-enabled interference with elections and democratic processes.
These executive orders remain the legal foundation of the U.S. cyber sanctions regime. They are implemented through OFAC designations that place named individuals and entities on the Specially Designated Nationals and Blocked Persons (SDN) list. Once an individual or entity is on the SDN list, U.S. persons are generally prohibited from engaging in any transaction with them, their property in the United States or controlled by U.S. persons is blocked, and non-U.S. persons face secondary sanctions risk for dealing with them.
The framework developed steadily through the Obama, Trump, and Biden administrations, with designations targeting Russian, North Korean, Iranian, and Chinese cyber actors, as well as criminal ransomware and fraud groups across multiple nationalities. The framework has become a standard tool in the diplomatic response toolkit to major cyber incidents.
## Why It Matters
The cyber sanctions regime matters to private sector organizations for reasons that go beyond geopolitical interest.
The most direct compliance obligation arises from ransomware. When an organization is hit by ransomware, its instinct may be to pay the ransom to recover its data and resume operations. But if the ransomware group operating against it has been designated by OFAC, paying the ransom is a federal crime. OFAC issued guidance in September 2020 specifically addressing ransomware payments, warning that organizations that pay ransomware demands to designated entities, or entities with substantial nexus to a sanctioned jurisdiction, may be liable even if they did not know the group was designated. The guidance encouraged organizations to contact OFAC and relevant law enforcement before making payments. This creates a compliance imperative that intersects directly with incident response planning.
Beyond ransomware, OFAC designations affect supply chain decisions. Security researchers, penetration testing firms, and vendors that use tools or infrastructure overlapping with designated entities face sanctions exposure. The designation of Positive Technologies, a Russian cybersecurity firm, in April 2021 forced organizations using its products or maintaining professional relationships with its staff to reassess those relationships.
The Commerce Department's Entity List creates a parallel set of restrictions. Unlike OFAC's asset-blocking authority, the Entity List restricts export of U.S. goods, software, and technology to listed entities. When NSO Group was added to the Entity List in November 2021, U.S. companies were prohibited from selling to NSO Group without a license, which had the practical effect of cutting NSO Group off from U.S.-origin software development tools, cloud infrastructure, and other technology inputs.
## Analysis and Technical Details
### OFAC Designations: Major Actions
OFAC has pursued several categories of cyber-related designations since 2015.
Russian government cyber actors have been among the most prominent targets. Following the NotPetya attacks and the 2016 election interference, OFAC designated the GRU's Sandworm team, specific FSB units including the one responsible for the Triton/TRISIS malware targeting industrial control systems in Saudi Arabia, and the Internet Research Agency troll farm. These designations were coordinated with criminal indictments and allied diplomatic actions to maximize the reputational and operational impact.
North Korean cyber actors, primarily those associated with the Lazarus Group and its sub-clusters Bluenoroff and Andariel, were designated in September 2019. The designations acknowledged that these groups were responsible for generating cryptocurrency and foreign currency revenues for the North Korean weapons program, making them among the first designations to explicitly address the nexus between state-directed cybercrime and weapons of mass destruction financing.
Ransomware operators have been a growing focus since 2020. Evil Corp, the Russia-based criminal organization responsible for the Dridex malware and later WastedLocker ransomware, was designated in December 2019 along with its leader Maksim Yakubets. The designation created an immediate compliance complication for any organization hit by Evil Corp variants, since paying ransom would violate OFAC rules. OFAC subsequently designated the Trickbot developers, the Conti operators, and individuals associated with the Darkside group responsible for the Colonial Pipeline attack.
Cryptocurrency infrastructure has become an important category of designations. OFAC designated Garantex, a Russia-based cryptocurrency exchange, in April 2022 for facilitating ransomware payments and sanctions evasion. The designation of Tornado Cash, an Ethereum mixing protocol, in August 2022 raised novel legal questions about whether software code could be designated as property of a sanctioned entity, questions that were subsequently litigated in federal court.
### DOJ Indictments: Named and Shamed
The Department of Justice has pursued a parallel strategy of criminal indictments against named foreign government cyber operators, a practice sometimes called "naming and shaming." These indictments serve several functions: they provide public attribution in an authoritative legal forum, they create warrants that allow arrests if indicted individuals travel to or through cooperating jurisdictions, and they impose reputational costs even when arrest is practically impossible.
The 2018 indictment of seven GRU officers for APT28 operations, including the intrusions into the World Anti-Doping Agency and other sporting bodies, the 2016 election interference, and the SWIFT banking system attacks, was a landmark action. The 2020 indictment of six GRU officers for Sandworm operations, covering NotPetya, the 2018 Winter Olympics disruption, and the BlackEnergy attacks on Ukrainian power infrastructure, demonstrated that the DOJ was willing to charge Russian military officers for operations conducted in furtherance of Russian foreign policy objectives. Multiple indictments have been brought against Lazarus Group members, Iranian APT operators, and Chinese government hackers.
### Coordinated Allied Attribution
The United States has progressively moved from unilateral attribution statements to coordinated allied attribution actions, typically involving the Five Eyes partnership (U.S., UK, Canada, Australia, New Zealand) and sometimes broader coalitions including the EU, Japan, and NATO allies. Coordinated attribution serves to amplify the diplomatic signal, demonstrate that the attribution is not merely a U.S. political judgment, and create pressure for multilateral sanctions actions that are harder for targeted states to dismiss.
The coordinated attribution of the Microsoft Exchange Server vulnerabilities to Chinese state actors in July 2021, involving statements from the EU, NATO, and more than thirty countries, was the most extensive coordinated attribution action to that point. It was notable for being accompanied by a DOJ indictment of four MSS officers and a formal designation of the MSS unit responsible.
### Effectiveness
The effectiveness of cyber sanctions is contested. For major state actors including Russia, China, Iran, and North Korea, the evidence that sanctions have deterred cyber operations is weak. These states have continued to conduct major cyber operations against Western targets despite accumulating designations, indictments, and allied attribution statements. The operational tempo of Russian cyber operations did not visibly decrease following any specific round of sanctions.
The picture is more nuanced for secondary actors. The designation of Evil Corp demonstrably disrupted that group's operations: the group shifted from Dridex to WastedLocker to Hades to PayloadBin, with each rebranding partially motivated by the need to escape the compliance complications that the OFAC designation created for ransomware victims. The designation of NSO Group limited its access to U.S.-origin technology and accelerated its financial deterioration. Commercial spyware vendors, unlike sovereign states, depend on the global financial and technology system in ways that make them meaningfully vulnerable to U.S. and allied sanctions.
## CDA Perspective
CDA's RGA domain, through the Perpetual Compliance Assurance (PCA) methodology, treats the sanctions environment as a live compliance landscape that requires continuous monitoring, not periodic review. The SDN list and Entity List are updated without advance notice. An organization's incident response retainer, its security vendor relationships, and its cloud infrastructure providers can all develop sanctions exposure between policy reviews.
The most acute compliance risk for most CDA clients is ransomware payment compliance. Incident response planning must include a sanctions check protocol activated at the moment a ransomware demand is received, before any payment decision is made. This protocol should include immediate OFAC consultation resources, law enforcement notification procedures, and pre-established legal counsel relationships with sanctions expertise. PCA engagements that include ransomware preparedness assessments build this protocol into client playbooks as a standard element.
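The continuous screening that the PCA methodology describes, and the sanctions check that fires when a ransomware demand arrives, both reduce to the same mechanic: comparing a counterparty (a vendor, a payee, a claimed ransomware group, a payment address) against the current designated-entity list, with enough name normalization that aliases and legal-form variants do not slip through an exact match. The script below is an added example written for this page; it is not CDA's or OFAC's code and does not parse OFAC's real list files. Every designated name, alias, program label and wallet address in it is a constructed placeholder, and the fuzzy-match threshold is an assumption chosen for illustration.

```python
"""Constructed example: screen counterparties against a designated-entity list.

Not OFAC data or tooling. The entries below are invented placeholders; a real
deployment would load the current SDN/Entity List data instead and re-run
screening whenever those lists change, since updates come without notice.
"""
import difflib
import re
import unicodedata
from dataclasses import dataclass, field


@dataclass
class Designation:
    name: str
    program: str                      # constructed program label, not a real OFAC tag
    aliases: list = field(default_factory=list)
    wallets: set = field(default_factory=set)   # constructed payment identifiers


# Hypothetical designations - names, aliases and addresses are all placeholders.
DESIGNATED = [
    Designation("Example Crime Group LLC", "CYBER-PLACEHOLDER",
                aliases=["ExampleCrime", "Example Crime Group"],
                wallets={"bc1qexampleplaceholder0000000000000000000"}),
    Designation("Hypothetical Exchange OOO", "CYBER-PLACEHOLDER",
                aliases=["HypoExchange", "Hypothetical Exchange, OOO"]),
]

# Legal-form suffixes that vary between how a vendor is invoiced and how it is listed.
CORPORATE_SUFFIXES = {"llc", "ltd", "ooo", "inc", "corp", "co", "gmbh", "plc", "sa"}


def normalize(name: str) -> str:
    """Fold case, diacritics, punctuation and legal-form suffixes so that
    'Hypothetical Exchange, OOO' and 'hypothetical exchange' compare equal."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = [t for t in re.findall(r"[a-z0-9]+", text.lower())
              if t not in CORPORATE_SUFFIXES]
    return " ".join(tokens)


def build_index(designations: list) -> dict:
    """Map every normalized primary name and alias to its designation."""
    index = {}
    for d in designations:
        for n in [d.name, *d.aliases]:
            index[normalize(n)] = d
    return index


INDEX = build_index(DESIGNATED)


def screen(counterparty: str, index: dict, threshold: float = 0.85):
    """Return (status, designation): MATCH on an exact normalized hit,
    REVIEW when the closest listed name is similar enough to need a human
    decision, CLEAR otherwise. The threshold is an assumed tuning value."""
    key = normalize(counterparty)
    if key in index:
        return "MATCH", index[key]
    best, best_score = None, 0.0
    for listed, d in index.items():
        score = difflib.SequenceMatcher(None, key, listed).ratio()
        if score > best_score:
            best, best_score = d, score
    if best_score >= threshold:
        return "REVIEW", best
    return "CLEAR", None


def screen_wallet(address: str, designations: list):
    """Payment identifiers are compared exactly; no fuzzy matching on addresses."""
    for d in designations:
        if address in d.wallets:
            return "MATCH", d
    return "CLEAR", None


def ransom_payment_blocked(claimed_group: str, wallet: str) -> bool:
    """Sanctions gate for the ransomware playbook: block the payment decision
    if either the claimed group or the demanded wallet hits the list. A REVIEW
    result also blocks until counsel has cleared it."""
    name_status, _ = screen(claimed_group, INDEX)
    wallet_status, _ = screen_wallet(wallet, DESIGNATED)
    return name_status != "CLEAR" or wallet_status != "CLEAR"


if __name__ == "__main__":
    # Constructed vendor register for a periodic screening run.
    for vendor in ["Acme Widgets Inc", "Hypothetical Exchange, OOO", "Example Crime Grp"]:
        status, hit = screen(vendor, INDEX)
        print(f"{vendor!r}: {status}" + (f" -> {hit.name} ({hit.program})" if hit else ""))
    print("ransom blocked:", ransom_payment_blocked(
        "ExampleCrime", "bc1qexampleplaceholder0000000000000000000"))
```

Two design points worth noting: names go through normalization and fuzzy matching because listed entities rebrand and are invoiced under variant spellings, while payment addresses are matched exactly because a near-miss address is simply a different address. The REVIEW state exists so that a close-but-inexact hit stops the payment clock and routes to counsel rather than being silently cleared or silently blocked.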
CDA's TID domain uses OFAC designation and DOJ indictment actions as authoritative attribution signals within the PDI framework. When OFAC designates a specific individual or entity, it publishes supporting documentation that often includes technical indicators, infrastructure details, and organizational relationships that enrich threat intelligence assessments. PDI analysts treat designation actions as primary source intelligence inputs alongside commercial threat intelligence feeds and government advisories.
The practical intelligence value of monitoring OFAC actions extends beyond compliance. The pattern of designations reveals government assessment of which threat actors are considered most operationally significant, which criminal groups have achieved a level of impact that triggers interagency action, and which cryptocurrency infrastructure is being used at scale for sanctions evasion. These signals help CDA clients prioritize defensive investments and update threat models on a near-real-time basis.
## Key Takeaways
- Executive Order 13694 (2015) and EO 13757 (2016) established the U.S. cyber sanctions framework, authorizing Treasury to designate individuals and entities responsible for significant malicious cyber activities and election interference. OFAC administers the Specially Designated Nationals list under this authority.
- OFAC designations create direct compliance obligations for private sector organizations. Most critically: paying ransom to a designated ransomware group is a federal offense, even if the paying organization did not know of the designation at the time of payment.
- DOJ indictments of named foreign government cyber operators serve as authoritative public attribution and diplomatic cost-imposition tools, even when arrest is practically impossible.
- The Commerce Department Entity List (NSO Group, Positive Technologies, Candiru) restricts U.S. technology exports to listed entities and forces supply chain review for organizations with relationships to listed companies.
- Coordinated allied attribution (Five Eyes plus) amplifies diplomatic impact and creates pressure for multilateral sanctions actions that are harder for targeted states to dismiss unilaterally.
- The effectiveness of cyber sanctions against major state actors (Russia, China, North Korea, Iran) is limited. Their effectiveness against commercial spyware vendors and criminal operators who depend on the global financial system is more meaningful.
- CDA's PCA methodology requires continuous sanctions monitoring as a live compliance function, and CDA's PDI methodology treats designation actions as primary source threat intelligence inputs.
## Sources
- U.S. Department of the Treasury. "Executive Order 13694: Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities." Federal Register, April 2015. https://home.treasury.gov/system/files/126/cyber_eo.pdf
- U.S. Department of the Treasury. "OFAC Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments." October 2020 (updated September 2021). https://ofac.treasury.gov/media/912981/download
- U.S. Department of Justice. "Seven GRU Officers Charged with Computer Intrusion Offenses Targeting Anti-Doping Organizations and Confidential Data Relating to Anti-Doping Efforts." October 2018. https://www.justice.gov/opa/pr/seven-gru-officers-charged-computer-intrusion-offenses
- U.S. Department of Justice. "Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace." October 2020. https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and
- U.S. Department of Commerce. "Commerce Adds NSO Group and Other Foreign Companies to Entity List." November 2021. https://www.commerce.gov/news/press-releases/2021/11/commerce-adds-nso-group-and-other-foreign-companies-entity-list
- U.S. Department of the Treasury. "Treasury Designates Evil Corp, the World's Most Harmful Cyber Crime Group." December 2019. https://home.treasury.gov/news/press-releases/sm845
- CISA, FBI, OFAC. "Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments." September 2021. https://www.cisa.gov/sites/default/files/publications/OFAC%20Ransomware%20Advisory.pdf
- CDA, LLC. "Risk Governance and Assurance Domain Reference." CDA Canon, 2026.