Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/29/2016
04:01 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

White House Announces Retaliatory Measures For Russian Election-Related Hacking

35 Russian intelligence operatives ejected from the US, and two of the "Cyber Most Wanted" are frozen out by Treasury Department.

UPDATED 4:00 PM E.T. THURSDAY -- The US, today, formally ejected 35 Russian intelligence operatives from the United States and imposed sanctions on nine entities and individuals: Russia's two leading intelligence services (the G.R.U. and the F.S.B.), four individual GRU officers, and three other organizations. The actions are the Obama administration's response to a Russian hacking and disinformation campaign used to interfere in the American election process.

The FBI and Department of Homeland Security also released new declassified technical information on Russian civilian and military intelligence service cyber activity, in an effort to help network defenders protect against these threats. (The report implicates Russian threat groups Cozy Bear and Fancy Bear, and includes extensive mitigation advice for cybersecurity professionals.)

Further, the State Department is shutting down two Russian compounds, in Maryland and New York, used by Russian personnel for intelligence-related purposes.

Plus, the US Department of Treasury sanctioned two members of the FBI's Cyber Most Wanted List, Evgeniy Mikhailovich Bogachev and Aleksey Alekseyevich Belan. Infosec pros will recognize Bogachev as the alleged head of the GameOver Zeus botnet. A $3 million reward for info leading to his arrest has been available for some time.

Treasury sanctioned Bogachev and Belan "for their activities related to the significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for private financial gain. As a result of today’s action, any property or interests in property of [Bogachev and Belan] within U.S. jurisdiction must be blocked and U.S. persons are generally prohibited from engaging in transactions with them."

This is the first time sanctions are being issued under an Executive Order first signed by President Obama in April 2015, and expanded today. The original Executive Order gives the president authorization to impose retribution or response to cyberattacks, and also allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.

The sanctions announced today are not expected to be the Obama administration's complete response to the Russian operations. In a statement, the president said "These actions are not the sum total of our response to Russia’s aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized."

The moves will put pressure on president-elect Donald Trump to either support, or attempt to lift, the sanctions on Russian officials and entities. Trump has expressed skepticism at the validity of American intelligence agencies' assertions that such a campaign occurred at all. When asked by reporters Wednesday night about the fact that these sanctions were set to be announced, Trump said, "I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on."

The NY Times reported today that immediate sanctions are being imposed on four Russian intelligence officials: Igor Valentinovich Korobov, the current chief of the G.R.U., as well as three deputies: Sergey Aleksandrovich Gizunov, the deputy chief of the G.R.U.; Igor Olegovich Kostyukov, a first deputy chief, and Vladimir Stepanovich Alekseyev, also a first deputy chief of the G.R.U.

From the Times:

The administration also put sanctions on three companies and organizations that it said supported the hacking operations: the Special Technologies Center, a signals intelligence operation in St. Petersburg; a firm called Zor Security that is also known as Esage Lab; and the Autonomous Non-commercial Organization Professional Association of Designers of Data Processing Systems, whose lengthy name, American officials said, was cover for a group that provided special training for the hacking.

Wednesday, The Russian Ministry of Foreign Affairs' official representative, Maria Zakharova, said in a statement on the ministry's website: "If Washington really does take new hostile steps, they will be answered ... any action against Russian diplomatic missions in the US will immediately bounce back on US diplomats in Russia."

"Today’s actions by the Obama administration are diplomatically tough, supportive of the private sector, and tactically discrete," Intel Security CTO Steve Grobman, in a statement. "They not only arm the private sector with technical information for cyber defense, but also protect sensitive methods related to intelligence operations. The disclosure also reiterates the importance of utilizing the combination of technical forensics and traditional intelligence in order to attribute a cyber-attack to a particular entity. By utilizing well understood, non-cyber sanctions as a key component of a response, the government reduces the risk of an escalating offensive cyber exchange."

"The covert offensive cyber component," adds Grobman, "must be well thought out and executed such that it is precise and does not inflict collateral damage on non-target systems. Escalation of offensive cyber activities by either party could lead to a kinetic conflict."

 

'Proportional' response

The news comes after President Obama stated in October that the US would issue a "proportional" response to Russian cyber attacks on the Democratic National Committee. 

The administration has used the word "proportional" when discussing cyber attacks before. In December 2014, while officially naming North Korea as the culprit behind the attacks at Sony Pictures Entertainment, President Obama said the US would "respond proportionately." That attack was against one entertainment company, however, and not a nation's election system, so the proportions are surely different.

"We have never been here before," said security expert Cris Thomas, aka Space Rogue, in a Dark Reading interview in October. "No one really knows what is socially acceptable and what is not when it comes to cyber. We have no 'Geneva Convention' for cyber." 

According to Reuters reports, "One decision that has been made, [officials] said, speaking on the condition of anonymity, is to avoid any moves that exceed the Russian election hacking and risk an escalating cyber conflict."

As Christopher Porter, manager of the Horizons team at FireEye explained in a Dark Reading interview in October, Russian doctrine supports escalation as a way to de-escalate tensions or conflict. "If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous."

"The administration, fellow lawmakers and general public must understand the potentially catastrophic consequences of a digital cyber conflict escalating into a kinetic, conventional shooting-war," said Intel Security CTO Steve Grobman, in a statement. "While offensive cyber operations can be highly precise munitions, in that they can be directed to only impact specific targets, the global and interconnected nature of computing systems can lead to unintended consequences. Impacting digital infrastructure beyond the intended target opens the door to draw additional nation states into a conflict. This increases risk to civilian populations as countries see the need to retaliate or escalate."

 

ORIGINAL STORY:

Officials stated Wednesday that the White House will announce, as early as today, a series of measures the US will use to respond to Russian interference in the American election process. The news comes after President Obama stated in October that the US would issue a "proportional" response to Russian cyber attacks on the Democratic National Committee. 

Not all the measures will be announced publicly. According to CNN, "The federal government plans some unannounced actions taken through covert means at a time of its choosing."

Wednesday, CNN reported that as part of the public response, the administration is expected to name names -- specifically, individuals associated with a Russian disinformation operation against the Hillary Clinton presidential campaign.

The actions announced are expected to include expanded sanctions and diplomatic actions. Reuters reported Wednesday that "targeted economic sanctions, indictments, leaking information to embarrass Russian officials or oligarchs, and restrictions on Russian diplomats in the United States are among steps that have been discussed."

In April 2015, President Obama signed an Executive Order, which gives the president authorization to impose some sort of retribution or response to cyberattacks. The EO has not yet been used. It allows the Secretary of Treasury, in consultation with the Attorney General and Secretary of State, to institute sanctions against entities behind cybercrime, cyber espionage, and other damaging cyberattacks. That includes freezing the assets of attackers.

The Russian Ministry of Foreign Affairs' official representative, Maria Zakharova, said in a statement on the ministry's website: "If Washington really does take new hostile steps, they will be answered ... any action against Russian diplomatic missions in the US will immediately bounce back on US diplomats in Russia."

 

'Proportional' response

The administration has used the word "proportional" when discussing cyber attacks before. In December 2014, while officially naming North Korea as the culprit behind the attacks at Sony Pictures Entertainment, President Obama said the US would "respond proportionately." That attack was against one entertainment company, however, and not a nation's election system, so the proportions are surely different.

"We have never been here before," said security expert Cris Thomas, aka Space Rogue, in a Dark Reading interview in October. "No one really knows what is socially acceptable and what is not when it comes to cyber. We have no 'Geneva Convention' for cyber." 

According to Reuters reports, "One decision that has been made, [officials] said, speaking on the condition of anonymity, is to avoid any moves that exceed the Russian election hacking and risk an escalating cyber conflict."

As Christopher Porter, manager of the Horizons team at FireEye explained in a Dark Reading interview in October, Russian doctrine supports escalation as a way to de-escalate tensions or conflict. "If the US administration puts in place a proportional response, Moscow could do something even worse to stop a future response … I think that is very dangerous."

"The administration, fellow lawmakers and general public must understand the potentially catastrophic consequences of a digital cyber conflict escalating into a kinetic, conventional shooting-war," said Intel Security CTO Steve Grobman, in a statement. "While offensive cyber operations can be highly precise munitions, in that they can be directed to only impact specific targets, the global and interconnected nature of computing systems can lead to unintended consequences. Impacting digital infrastructure beyond the intended target opens the door to draw additional nation states into a conflict. This increases risk to civilian populations as countries see the need to retaliate or escalate."

 

Related Content:

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Lefty_John
50%
50%
Lefty_John,
User Rank: Apprentice
12/30/2016 | 10:19:36 AM
Donald Trump
What did Trump know and when did he know it?
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
12/31/2016 | 12:31:25 PM
Can we get real for a moment?
> That attack was against one entertainment company, however, and not a nation's election system

Hacking emails and giving them to Wikileaks is malicious hacking indeed -- but it is NOT hacking a nation's election system.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
1/1/2017 | 7:58:32 PM
Re: Can we get real for a moment?
I'm usually on the same page as you, Joe, but in this case I think one could argue for this being election system hacking simply from the perspective of the effect on popular opinion, the use of the incident as leverage in political arguments, etc.  However, to what extent this incident produced negative impact upon the US election process has yet to be properly measured.  But I also think that because this was not a hack upon actual voting software that could directly impact vote numbers, the event registers at the same level as any other politically-motivated spin we are used to seeing from either candidate; if and only if the hackers responsible were not hired by any US players, and no US players were resposible for motivating the hackers to do what they did (in other words, if the hack wasn't on the table before someone from the US in a significant political role "inspired" it).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/3/2017 | 3:21:32 PM
Re: Can we get real for a moment?
So, by that logic, the person(s) who hacked Mitt Romney's tax returns and released them in 2012 and the person(s) who hacked Donald Trump's tax returns last year were likewise hacking the election.

And nary an eyebrow was batted then.

Also, by this same logic, any email hack related to any political figure, potential political figure, or political entity (e.g., a PAC, Super PAC, political party, etc.) is necessarily an election hack -- regardless of when it takes place.  (After all, voters do have memories.)

Incidentally, I question if the ultimate end result on Election Day would have been different even without the John Podesta/HRC email leaks.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
1/3/2017 | 6:01:53 PM
Re: Can we get real for a moment?
Joe, I meant also to note that as long as the intent of the hackers was to affect election results, we can call it an election hack.  No, the actions causing an affect on the election alone don't qualify - the intent needs to be there, too.  Why is the distinction important to me?  Because as cyberlaw matures and the criminalization of acts of hackers evolves, I think it is important to - as clearly as is possible - "properly" label acts of cybercrime.  The prupose for this is to better serve hacktivists whose crimes are based upon good-intent rather than malicious-intent (how we get the government to acknowledge hactivism as borne from "good-intent" is an entirely different conversation).  In time we want to be sure that the "time fits the crime".  Electoral manipulation by hacking needs to be more closely examined, defined and committed to the law books.  IMHO.
michaelfillin
100%
0%
michaelfillin,
User Rank: Apprentice
1/1/2017 | 4:46:27 PM
Re: White House Announces Retaliatory Measures
"The administration, fellow lawmakers and general public must understand the potentially catastrophic consequences of a digital cyber conflict escalating into a kinetic, conventional shooting-war"

> Do you think they didn't ? Not being sarcastic, just asking.
garrytroomen
50%
50%
garrytroomen,
User Rank: Apprentice
1/4/2017 | 11:02:02 AM
good story
Very inretesting article, thank you!
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
5 Common Errors That Allow Attackers to Go Undetected
Matt Middleton-Leal, General Manager and Chief Security Strategist, Netwrix,  2/12/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20477
PUBLISHED: 2020-02-19
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.
CVE-2019-20478
PUBLISHED: 2020-02-19
In ruamel.yaml through 0.16.7, the load method allows remote code execution if the application calls this method with an untrusted argument. In other words, this issue affects developers who are unaware of the need to use methods such as safe_load in these use cases.
CVE-2011-2054
PUBLISHED: 2020-02-19
A vulnerability in the Cisco ASA that could allow a remote attacker to successfully authenticate using the Cisco AnyConnect VPN client if the Secondary Authentication type is LDAP and the password is left blank, providing the primary credentials are correct. The vulnerabilities is due to improper in...
CVE-2015-0749
PUBLISHED: 2020-02-19
A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on the affected software. The vulnerabilities is due to improper input validation of certain parameters passed to the affected software. An attacker ...
CVE-2015-9543
PUBLISHED: 2020-02-19
An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is rel...