35 Russian intelligence operatives ejected from the US, and two of the "Cyber Most Wanted" are frozen out by Treasury Department.

Sara Peters, Senior Editor

December 29, 2016

9 Min Read

UPDATED 4:00 PM E.T. THURSDAY -- The US, today, formally ejected 35 Russian intelligence operatives from the United States and imposed sanctions on nine entities and individuals: Russia's two leading intelligence services (the G.R.U. and the F.S.B.), four individual GRU officers, and three other organizations. The actions are the Obama administration's response to a Russian hacking and disinformation campaign used to interfere in the American election process.

The FBI and Department of Homeland Security also released new declassified technical information on Russian civilian and military intelligence service cyber activity, in an effort to help network defenders protect against these threats. (The report implicates Russian threat groups Cozy Bear and Fancy Bear, and includes extensive mitigation advice for cybersecurity professionals.)

Further, the State Department is shutting down two Russian compounds, in Maryland and New York, used by Russian personnel for intelligence-related purposes.

Plus, the US Department of Treasury sanctioned two members of the FBI's Cyber Most Wanted List, Evgeniy Mikhailovich Bogachev and Aleksey Alekseyevich Belan. Infosec pros will recognize Bogachev as the alleged head of the GameOver Zeus botnet. A $3 million reward for info leading to his arrest has been available for some time.

Treasury sanctioned Bogachev and Belan "for their activities related to the significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for private financial gain. As a result of today’s action, any property or interests in property of [Bogachev and Belan] within U.S. jurisdiction must be blocked and U.S. persons are generally prohibited from engaging in transactions with them."

This is the first time sanctions are being issued under an Executive Order first signed by President Obama in April 2015, and expanded today. The original Executive Order gives the president authorization to impose retribution or response to cyberattacks, and also allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.

The sanctions announced today are not expected to be the Obama administration's complete response to the Russian operations. In a statement, the president said "These actions are not the sum total of our response to Russia’s aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized."

The moves will put pressure on president-elect Donald Trump to either support, or attempt to lift, the sanctions on Russian officials and entities. Trump has expressed skepticism at the validity of American intelligence agencies' assertions that such a campaign occurred at all. When asked by reporters Wednesday night about the fact that these sanctions were set to be announced, Trump said, "I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on."

The NY Times reported today that immediate sanctions are being imposed on four Russian intelligence officials: Igor Valentinovich Korobov, the current chief of the G.R.U., as well as three deputies: Sergey Aleksandrovich Gizunov, the deputy chief of the G.R.U.; Igor Olegovich Kostyukov, a first deputy chief, and Vladimir Stepanovich Alekseyev, also a first deputy chief of the G.R.U.

From the Times:

The administration also put sanctions on three companies and organizations that it said supported the hacking operations: the Special Technologies Center, a signals intelligence operation in St. Petersburg; a firm called Zor Security that is also known as Esage Lab; and the Autonomous Non-commercial Organization Professional Association of Designers of Data Processing Systems, whose lengthy name, American officials said, was cover for a group that provided special training for the hacking.

Wednesday, The Russian Ministry of Foreign Affairs' official representative, Maria Zakharova, said in a statement on the ministry's website: "If Washington really does take new hostile steps, they will be answered ... any action against Russian diplomatic missions in the US will immediately bounce back on US diplomats in Russia."

"Today’s actions by the Obama administration are diplomatically tough, supportive of the private sector, and tactically discrete," Intel Security CTO Steve Grobman, in a statement. "They not only arm the private sector with technical information for cyber defense, but also protect sensitive methods related to intelligence operations. The disclosure also reiterates the importance of utilizing the combination of technical forensics and traditional intelligence in order to attribute a cyber-attack to a particular entity. By utilizing well understood, non-cyber sanctions as a key component of a response, the government reduces the risk of an escalating offensive cyber exchange."

"The covert offensive cyber component," adds Grobman, "must be well thought out and executed such that it is precise and does not inflict collateral damage on non-target systems. Escalation of offensive cyber activities by either party could lead to a kinetic conflict."

 

'Proportional' response

The news comes after President Obama stated in October that the US would issue a "proportional" response to Russian cyber attacks on the Democratic National Committee. 

The administration has used the word "proportional" when discussing cyber attacks before. In December 2014, while officially naming North Korea as the culprit behind the attacks at Sony Pictures Entertainment, President Obama said the US would "respond proportionately." That attack was against one entertainment company, however, and not a nation's election system, so the proportions are surely different.

"We have never been here before," said security expert Cris Thomas, aka Space Rogue, in a Dark Reading interview in October. "No one really knows what is socially acceptable and what is not when it comes to cyber. We have no 'Geneva Convention' for cyber." 

According to Reuters reports, "One decision that has been made, [officials] said, speaking on the condition of anonymity, is to avoid any moves that exceed the Russian election hacking and risk an escalating cyber conflict."

As Christopher Porter, manager of the Horizons team at FireEye explained in a Dark Reading interview in October, Russian doctrine supports escalation as a way to de-escalate tensions or conflict. "If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous."

"The administration, fellow lawmakers and general public must understand the potentially catastrophic consequences of a digital cyber conflict escalating into a kinetic, conventional shooting-war," said Intel Security CTO Steve Grobman, in a statement. "While offensive cyber operations can be highly precise munitions, in that they can be directed to only impact specific targets, the global and interconnected nature of computing systems can lead to unintended consequences. Impacting digital infrastructure beyond the intended target opens the door to draw additional nation states into a conflict. This increases risk to civilian populations as countries see the need to retaliate or escalate."

 

ORIGINAL STORY:

Officials stated Wednesday that the White House will announce, as early as today, a series of measures the US will use to respond to Russian interference in the American election process. The news comes after President Obama stated in October that the US would issue a "proportional" response to Russian cyber attacks on the Democratic National Committee. 

Not all the measures will be announced publicly. According to CNN, "The federal government plans some unannounced actions taken through covert means at a time of its choosing."

Wednesday, CNN reported that as part of the public response, the administration is expected to name names -- specifically, individuals associated with a Russian disinformation operation against the Hillary Clinton presidential campaign.

The actions announced are expected to include expanded sanctions and diplomatic actions. Reuters reported Wednesday that "targeted economic sanctions, indictments, leaking information to embarrass Russian officials or oligarchs, and restrictions on Russian diplomats in the United States are among steps that have been discussed."

In April 2015, President Obama signed an Executive Order, which gives the president authorization to impose some sort of retribution or response to cyberattacks. The EO has not yet been used. It allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.

The Russian Ministry of Foreign Affairs' official representative, Maria Zakharova, said in a statement on the ministry's website: "If Washington really does take new hostile steps, they will be answered ... any action against Russian diplomatic missions in the US will immediately bounce back on US diplomats in Russia."

 

'Proportional' response

The administration has used the word "proportional" when discussing cyber attacks before. In December 2014, while officially naming North Korea as the culprit behind the attacks at Sony Pictures Entertainment, President Obama said the US would "respond proportionately." That attack was against one entertainment company, however, and not a nation's election system, so the proportions are surely different.

"We have never been here before," said security expert Cris Thomas, aka Space Rogue, in a Dark Reading interview in October. "No one really knows what is socially acceptable and what is not when it comes to cyber. We have no 'Geneva Convention' for cyber." 

According to Reuters reports, "One decision that has been made, [officials] said, speaking on the condition of anonymity, is to avoid any moves that exceed the Russian election hacking and risk an escalating cyber conflict."

As Christopher Porter, manager of the Horizons team at FireEye explained in a Dark Reading interview in October, Russian doctrine supports escalation as a way to de-escalate tensions or conflict. "If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous."

"The administration, fellow lawmakers and general public must understand the potentially catastrophic consequences of a digital cyber conflict escalating into a kinetic, conventional shooting-war," said Intel Security CTO Steve Grobman, in a statement. "While offensive cyber operations can be highly precise munitions, in that they can be directed to only impact specific targets, the global and interconnected nature of computing systems can lead to unintended consequences. Impacting digital infrastructure beyond the intended target opens the door to draw additional nation states into a conflict. This increases risk to civilian populations as countries see the need to retaliate or escalate."

 

Related Content:

 

About the Author(s)

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights