Threat Intelligence
12/29/2016
04:01 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

White House Announces Retaliatory Measures For Russian Election-Related Hacking

35 Russian intelligence operatives ejected from the US, and two of the "Cyber Most Wanted" are frozen out by Treasury Department.

UPDATED 4:00 PM E.T. THURSDAY -- The US, today, formally ejected 35 Russian intelligence operatives from the United States and imposed sanctions on nine entities and individuals: Russia's two leading intelligence services (the G.R.U. and the F.S.B.), four individual GRU officers, and three other organizations. The actions are the Obama administration's response to a Russian hacking and disinformation campaign used to interfere in the American election process.

The FBI and Department of Homeland Security also released new declassified technical information on Russian civilian and military intelligence service cyber activity, in an effort to help network defenders protect against these threats. (The report implicates Russian threat groups Cozy Bear and Fancy Bear, and includes extensive mitigation advice for cybersecurity professionals.)

Further, the State Department is shutting down two Russian compounds, in Maryland and New York, used by Russian personnel for intelligence-related purposes.

Plus, the US Department of Treasury sanctioned two members of the FBI's Cyber Most Wanted List, Evgeniy Mikhailovich Bogachev and Aleksey Alekseyevich Belan. Infosec pros will recognize Bogachev as the alleged head of the GameOver Zeus botnet. A $3 million reward for info leading to his arrest has been available for some time.

Treasury sanctioned Bogachev and Belan "for their activities related to the significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for private financial gain. As a result of today’s action, any property or interests in property of [Bogachev and Belan] within U.S. jurisdiction must be blocked and U.S. persons are generally prohibited from engaging in transactions with them."

This is the first time sanctions are being issued under an Executive Order first signed by President Obama in April 2015, and expanded today. The original Executive Order gives the president authorization to impose retribution or response to cyberattacks, and also allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.

The sanctions announced today are not expected to be the Obama administration's complete response to the Russian operations. In a statement, the president said "These actions are not the sum total of our response to Russia’s aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized."

The moves will put pressure on president-elect Donald Trump to either support, or attempt to lift, the sanctions on Russian officials and entities. Trump has expressed skepticism at the validity of American intelligence agencies' assertions that such a campaign occurred at all. When asked by reporters Wednesday night about the fact that these sanctions were set to be announced, Trump said, "I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on."

The NY Times reported today that immediate sanctions are being imposed on four Russian intelligence officials: Igor Valentinovich Korobov, the current chief of the G.R.U., as well as three deputies: Sergey Aleksandrovich Gizunov, the deputy chief of the G.R.U.; Igor Olegovich Kostyukov, a first deputy chief, and Vladimir Stepanovich Alekseyev, also a first deputy chief of the G.R.U.

From the Times:

The administration also put sanctions on three companies and organizations that it said supported the hacking operations: the Special Technologies Center, a signals intelligence operation in St. Petersburg; a firm called Zor Security that is also known as Esage Lab; and the Autonomous Non-commercial Organization Professional Association of Designers of Data Processing Systems, whose lengthy name, American officials said, was cover for a group that provided special training for the hacking.

Wednesday, The Russian Ministry of Foreign Affairs' official representative, Maria Zakharova, said in a statement on the ministry's website: "If Washington really does take new hostile steps, they will be answered ... any action against Russian diplomatic missions in the US will immediately bounce back on US diplomats in Russia."

"Today’s actions by the Obama administration are diplomatically tough, supportive of the private sector, and tactically discrete," Intel Security CTO Steve Grobman, in a statement. "They not only arm the private sector with technical information for cyber defense, but also protect sensitive methods related to intelligence operations. The disclosure also reiterates the importance of utilizing the combination of technical forensics and traditional intelligence in order to attribute a cyber-attack to a particular entity. By utilizing well understood, non-cyber sanctions as a key component of a response, the government reduces the risk of an escalating offensive cyber exchange."

"The covert offensive cyber component," adds Grobman, "must be well thought out and executed such that it is precise and does not inflict collateral damage on non-target systems. Escalation of offensive cyber activities by either party could lead to a kinetic conflict."

 

'Proportional' response

The news comes after President Obama stated in October that the US would issue a "proportional" response to Russian cyber attacks on the Democratic National Committee. 

The administration has used the word "proportional" when discussing cyber attacks before. In December 2014, while officially naming North Korea as the culprit behind the attacks at Sony Pictures Entertainment, President Obama said the US would "respond proportionately." That attack was against one entertainment company, however, and not a nation's election system, so the proportions are surely different.

"We have never been here before," said security expert Cris Thomas, aka Space Rogue, in a Dark Reading interview in October. "No one really knows what is socially acceptable and what is not when it comes to cyber. We have no 'Geneva Convention' for cyber." 

According to Reuters reports, "One decision that has been made, [officials] said, speaking on the condition of anonymity, is to avoid any moves that exceed the Russian election hacking and risk an escalating cyber conflict."

As Christopher Porter, manager of the Horizons team at FireEye explained in a Dark Reading interview in October, Russian doctrine supports escalation as a way to de-escalate tensions or conflict. "If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous."

"The administration, fellow lawmakers and general public must understand the potentially catastrophic consequences of a digital cyber conflict escalating into a kinetic, conventional shooting-war," said Intel Security CTO Steve Grobman, in a statement. "While offensive cyber operations can be highly precise munitions, in that they can be directed to only impact specific targets, the global and interconnected nature of computing systems can lead to unintended consequences. Impacting digital infrastructure beyond the intended target opens the door to draw additional nation states into a conflict. This increases risk to civilian populations as countries see the need to retaliate or escalate."

 

ORIGINAL STORY:

Officials stated Wednesday that the White House will announce, as early as today, a series of measures the US will use to respond to Russian interference in the American election process. The news comes after President Obama stated in October that the US would issue a "proportional" response to Russian cyber attacks on the Democratic National Committee. 

Not all the measures will be announced publicly. According to CNN, "The federal government plans some unannounced actions taken through covert means at a time of its choosing."

Wednesday, CNN reported that as part of the public response, the administration is expected to name names -- specifically, individuals associated with a Russian disinformation operation against the Hillary Clinton presidential campaign.

The actions announced are expected to include expanded sanctions and diplomatic actions. Reuters reported Wednesday that "targeted economic sanctions, indictments, leaking information to embarrass Russian officials or oligarchs, and restrictions on Russian diplomats in the United States are among steps that have been discussed."

In April 2015, President Obama signed an Executive Order, which gives the president authorization to impose some sort of retribution or response to cyberattacks. The EO has not yet been used. It allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.

The Russian Ministry of Foreign Affairs' official representative, Maria Zakharova, said in a statement on the ministry's website: "If Washington really does take new hostile steps, they will be answered ... any action against Russian diplomatic missions in the US will immediately bounce back on US diplomats in Russia."

 

'Proportional' response

The administration has used the word "proportional" when discussing cyber attacks before. In December 2014, while officially naming North Korea as the culprit behind the attacks at Sony Pictures Entertainment, President Obama said the US would "respond proportionately." That attack was against one entertainment company, however, and not a nation's election system, so the proportions are surely different.

"We have never been here before," said security expert Cris Thomas, aka Space Rogue, in a Dark Reading interview in October. "No one really knows what is socially acceptable and what is not when it comes to cyber. We have no 'Geneva Convention' for cyber." 

According to Reuters reports, "One decision that has been made, [officials] said, speaking on the condition of anonymity, is to avoid any moves that exceed the Russian election hacking and risk an escalating cyber conflict."

As Christopher Porter, manager of the Horizons team at FireEye explained in a Dark Reading interview in October, Russian doctrine supports escalation as a way to de-escalate tensions or conflict. "If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous."

"The administration, fellow lawmakers and general public must understand the potentially catastrophic consequences of a digital cyber conflict escalating into a kinetic, conventional shooting-war," said Intel Security CTO Steve Grobman, in a statement. "While offensive cyber operations can be highly precise munitions, in that they can be directed to only impact specific targets, the global and interconnected nature of computing systems can lead to unintended consequences. Impacting digital infrastructure beyond the intended target opens the door to draw additional nation states into a conflict. This increases risk to civilian populations as countries see the need to retaliate or escalate."

 

Related Content:

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
garrytroomen
50%
50%
garrytroomen,
User Rank: Apprentice
1/4/2017 | 11:02:02 AM
good story
Very inretesting article, thank you!
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
1/3/2017 | 6:01:53 PM
Re: Can we get real for a moment?
Joe, I meant also to note that as long as the intent of the hackers was to affect election results, we can call it an election hack.  No, the actions causing an affect on the election alone don't qualify - the intent needs to be there, too.  Why is the distinction important to me?  Because as cyberlaw matures and the criminalization of acts of hackers evolves, I think it is important to - as clearly as is possible - "properly" label acts of cybercrime.  The prupose for this is to better serve hacktivists whose crimes are based upon good-intent rather than malicious-intent (how we get the government to acknowledge hactivism as borne from "good-intent" is an entirely different conversation).  In time we want to be sure that the "time fits the crime".  Electoral manipulation by hacking needs to be more closely examined, defined and committed to the law books.  IMHO.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/3/2017 | 3:21:32 PM
Re: Can we get real for a moment?
So, by that logic, the person(s) who hacked Mitt Romney's tax returns and released them in 2012 and the person(s) who hacked Donald Trump's tax returns last year were likewise hacking the election.

And nary an eyebrow was batted then.

Also, by this same logic, any email hack related to any political figure, potential political figure, or political entity (e.g., a PAC, Super PAC, political party, etc.) is necessarily an election hack -- regardless of when it takes place.  (After all, voters do have memories.)

Incidentally, I question if the ultimate end result on Election Day would have been different even without the John Podesta/HRC email leaks.
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
1/1/2017 | 7:58:32 PM
Re: Can we get real for a moment?
I'm usually on the same page as you, Joe, but in this case I think one could argue for this being election system hacking simply from the perspective of the effect on popular opinion, the use of the incident as leverage in political arguments, etc.  However, to what extent this incident produced negative impact upon the US election process has yet to be properly measured.  But I also think that because this was not a hack upon actual voting software that could directly impact vote numbers, the event registers at the same level as any other politically-motivated spin we are used to seeing from either candidate; if and only if the hackers responsible were not hired by any US players, and no US players were resposible for motivating the hackers to do what they did (in other words, if the hack wasn't on the table before someone from the US in a significant political role "inspired" it).
michaelfillin
100%
0%
michaelfillin,
User Rank: Apprentice
1/1/2017 | 4:46:27 PM
Re: White House Announces Retaliatory Measures
"The administration, fellow lawmakers and general public must understand the potentially catastrophic consequences of a digital cyber conflict escalating into a kinetic, conventional shooting-war"

> Do you think they didn't ? Not being sarcastic, just asking.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/31/2016 | 12:31:25 PM
Can we get real for a moment?
> That attack was against one entertainment company, however, and not a nation's election system

Hacking emails and giving them to Wikileaks is malicious hacking indeed -- but it is NOT hacking a nation's election system.
Lefty_John
50%
50%
Lefty_John,
User Rank: Apprentice
12/30/2016 | 10:19:36 AM
Donald Trump
What did Trump know and when did he know it?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.