EU Sanctions Chinese and Iranian Hack-for-Hire Firms for Cyberattacks

EU Imposes Sanctions on iSoon, Integrity Technology Group, and Emennet Pasargad for Cyber Espionage and Attacks

MEDIUM
March 17, 2026
Policy and Compliance, Threat Actor, Regulatory

Impact Scope

Affected Companies

Charlie Hebdo

Industries Affected

Government, Critical Infrastructure, Media and Entertainment

Geographic Impact

China, Iran, France, Sweden, United States (regional)

Related Entities

Threat Actors

Emennet Pasargad, Anxun Information Technology (iSoon), Flax Typhoon

Organizations

European Union, Microsoft, FBI

Other

Integrity Technology Group, Charlie Hebdo, China, Iran

Full Report

Executive Summary

On March 17, 2026, the Council of the European Union announced new sanctions against three companies and two individuals based in China and Iran for their participation in malicious cyber activities. The restrictive measures, which include asset freezes and travel bans, target entities responsible for cyberattacks on EU critical infrastructure, media organizations, and democratic processes. The sanctioned firms are Iran's Emennet Pasargad and China's Anxun Information Technology (iSoon) and Integrity Technology Group. This action underscores the EU's commitment to using diplomatic and economic tools to deter and respond to malicious behavior in cyberspace.


Regulatory Details

The sanctions were adopted under the EU's cyber sanctions framework, which allows the Union to impose targeted restrictive measures on persons and entities responsible for cyberattacks that threaten the EU or its member states. The measures include:

  • An asset freeze on all funds and economic resources belonging to the listed individuals and entities.
  • A prohibition on making funds or economic resources available to them.
  • A travel ban preventing the listed individuals from entering or transiting through EU territories.

Affected Organizations

Emennet Pasargad (Iran)

This Tehran-based company is identified as a front for Iranian state-sponsored cyber operations. The EU Council linked Emennet to several malicious campaigns:

  • Charlie Hebdo Data Leak (2023): A data breach against the French satirical magazine in which the subscriber database of over 200,000 individuals was stolen and offered for sale.
  • Disinformation Campaigns: Hacking a Swedish SMS service and spreading disinformation during the 2024 Paris Olympic Games.
  • U.S. Election Interference (2020): The FBI had previously connected the group to efforts to interfere in the 2020 U.S. presidential election.

Anxun Information Technology / iSoon (China)

Known as iSoon, this company was identified as a hack-for-hire contractor working for the Chinese government and military. Despite claiming to be a cybersecurity training firm, iSoon was sanctioned for developing and providing offensive cyber capabilities used in attacks targeting critical infrastructure within the EU. The two co-founders of iSoon were also sanctioned individually.

Integrity Technology Group (China)

This Chinese firm was sanctioned for supporting cyber operations that compromised over 65,000 devices across six EU member states between 2022 and 2023. The U.S. Treasury had previously sanctioned Integrity Technology in January 2025 for its connections to the Chinese state-backed threat actor Flax Typhoon (also known as Ethereal Panda).

Impact Assessment

The sanctions are designed to have a significant financial and operational impact on the targeted entities by cutting off their access to the EU's financial system and restricting the travel of key personnel. More broadly, the action serves as a strong geopolitical signal to China and Iran, demonstrating the EU's willingness to attribute and impose costs for malicious cyber activities. For businesses within the EU, the sanctions create a compliance obligation, as they are now prohibited from conducting any transactions with the listed entities. This move aims to disrupt the business model of hack-for-hire groups and state-sponsored front companies.

Compliance Guidance

EU citizens and companies must immediately cease all financial dealings with the sanctioned entities and individuals. Compliance steps include:

  1. Screening: Update and screen all customer, vendor, and partner lists against the new EU sanctions list.
  2. Asset Freezing: Any funds or economic resources held on behalf of the sanctioned parties must be frozen, and the relevant national authorities must be notified.
  3. Due Diligence: Enhance due diligence processes, particularly for partners operating in or connected to the cybersecurity sectors in China and Iran, to avoid inadvertently engaging with sanctioned entities or their affiliates.
  4. Reporting: Report any identified links or transactions to the appropriate national competent authority.

Timeline of Events

  • January 1, 2020: Emennet Pasargad allegedly engages in interference efforts in the U.S. election.
  • January 1, 2023: Emennet Pasargad is linked to a data leak attack against Charlie Hebdo.
  • January 1, 2025: The U.S. Treasury sanctions Integrity Technology Group for its links to Flax Typhoon.
  • March 17, 2026: The European Union adopts new sanctions against Emennet Pasargad, iSoon, and Integrity Technology Group.
  • March 17, 2026: This article was published.

MITRE ATT&CK Mitigations

Training users to recognize and report phishing attempts and social engineering can help prevent initial compromise by these threat actors.

Deploying network intrusion prevention systems can help detect and block command and control traffic or exploitation attempts from known malicious infrastructure.

Keeping software and systems patched is crucial to prevent exploitation of known vulnerabilities, a common tactic for these groups.


Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Sanctions, European Union, Hack-for-Hire, iSoon, Emennet Pasargad, Flax Typhoon, Cyber Espionage, China, Iran
