In a strong response to rising cyber threats, the European Council has imposed sanctions on three ostensibly private companies, including two from China and one from Iran, for aiding and executing cyberattacks across European countries. 

Integrity Technology Group, one of the sanctioned firms from China, is a mid-sized publicly traded company identified by the European Council for enabling cyberattacks. Its products were regularly used by threat actors to breach devices not only in Europe but worldwide. Investigations revealed that the company was connected to around 65,000 compromised devices across six European Union countries during the 2022–2023 period. 

Anxun Information Technology, or “iSoon” as it is known internationally, stands out as the most notorious among the listed firms. While it claims to operate as a cybersecurity training provider, investigations have revealed it functions as a hack-for-hire group working in support of China’s government and military. The sanctions extend beyond the company itself, with its two founders also being targeted as individuals. 

“Emennet Pasargad,” an Iranian firm, is facing penalties for a series of coordinated cyber and disinformation activities. The company was found responsible for breaching a Swedish SMS service, executing a data leak targeting a French organization, and using advertising billboards to disseminate false information during the 2024 Paris Olympic Games, demonstrating a multi-pronged approach to disruption. 

The three companies were already under sanctions from both the US and the UK, and have now been added to Europe’s sanctions list. As a result, they are barred from operating within the EU, while any assets they maintain there will be subject to freezing. The measures also extend to the two co-founders, who are now restricted from entering any EU countries. 

Why Governments Rely on Private Firms for Cyberattacks  

If public evidence is any indication, China and Iran are among the more active users of private companies to conduct or assist in state-level cyber operations. Yet they are far from alone in adopting this strategy, as countries such as Russia, Israel, and the United States have also been linked to similar approaches. This reflects a broader global pattern where governments rely on third-party actors to expand their cyber capabilities. 

"This is common," says Adam Meyers, head of counter adversary operations at CrowdStrike. "They're all kind of doing the same thing, where they're effectively supporting the need for technical capabilities, infrastructure development capabilities, exploit development, planning, etc., for the military units in those countries" through corporations. 

Meyers explains that China’s People's Liberation Army (PLA) has, since the 1990s, maintained deep-rooted connections with both academia and private enterprises, enabling a steady integration of civilian expertise into cyber operations. Iran’s evolution, by contrast, was shaped significantly by the Stuxnet attack, which revealed the strategic potential of cyber warfare. Following this realization, many Iranian hackers shifted toward professionalization—abandoning pseudonyms, establishing companies, and showcasing credentials on platforms like LinkedIn. Over time, these entities began fulfilling cyber capability demands for institutions such as the Ministry of Intelligence and Security and the Islamic Revolutionary Guard Corps. 

Using quasi-private organizations to carry out cyber operations allows governments to maintain a degree of plausible deniability. This is particularly effective when such entities are more than just superficial shell companies and instead function as credible institutions with established operations. "Ultimately, having a legitimate commercial offering strengthens an organization's cover and makes it more challenging for law enforcement to discern legitimate work from malicious behavior," says Crystal Morin, senior cybersecurity strategist at Sysdig. 

According to Morin, functioning as a private company allows state-linked actors to tap into a broader and more accessible pool of resources, particularly in cases where governments face sanctions or international scrutiny. This structure simplifies talent recruitment, often without employees being fully aware of covert operations. It also enables the acquisition of tools and infrastructure through standard global supply chains using valid business identities, which might otherwise be restricted. Moreover, such privatized setups benefit from reduced bureaucratic constraints, allowing for more agile operations than government bodies.