Russian President Vladimir Putin sought to play the cyber-statesman Friday, ruling out tit-for-tat expulsions of American diplomats in response to U.S. financial sanctions for alleged election hacking.
“We won’t descend to [that] level of irresponsible, kitchen diplomacy,” he said in a statement.
It comes as questions arise about the evidence linking some of those sanctioned to the campaign hacking, allegedly by Moscow’s intelligence agencies.
The Russian Foreign Ministry formally requested the expulsion of 35 U.S. personnel after a similar number of Moscow’s envoys were given 72 hours to leave on Thursday. The American move was part of a sweeping response to alleged Russian interference in the U.S. election campaign that also hit the Kremlin’s civilian and military foreign intelligence agencies — plus four senior officials and three cyber contractors — with newly authorized financial sanctions.
But in a shock move Friday, Putin rejected his own foreign minister’s advice, saying he would wait to resolve the issue with incoming President-elect Donald Trump.
Two Russian diplomatic compounds — one in Maryland and one in New York — also were shuttered in retaliation for the harassment of U.S. diplomats in Moscow, and two Russians accused of unrelated financial cybercrimes were sanctioned under existing powers, according to a fact sheet issued by the White House.
In an angry response to early reports about the sanctions, Foreign Ministry Spokesperson Maria Zakharova said Russia was “tired of lies about Russian hackers that continue to be spread in the U.S. from the very top.”
She accused the outgoing Obama administration of using “misinformation” to try and influence the election and of sabotaging Russian-US relations.
Fancy Bear and Cozy Bear
Two Russian hacker gangs were found lurking in the computer network of the Democratic National Committee earlier this year. Subsequently, emails and other documents from DNC leaders and John Podesta, a Democratic official who ran Hilary Clinton’s election campaign, were published on the web. The gang known as Fancy Bear, or APT28, has been linked to Moscow’s Main Intelligence Directorate, known as the GRU; while Cozy Bear, or Cozy Duke or APT29, has been linked to Russia’s Federal Security Service, or FSB.
But existing law, an Obama executive order from April 2015 — responding to the Thanksgiving 2014 cyberattack against Sony Pictures that was blamed on North Korean hackers — covered only destructive cyberattacks and hacks against critical infrastructure as well as financial cybercrime.
Am amendment to that EO, asserting new powers to combat online election-tampering had to be asserted because the existing EO didn’t cover it. officials explained in a conference call.
According to the fact sheet, Thursday’s amendment adds “Tamper[ing] with, alter[ing], or caus[ing] a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions,” to the list of sanctionable activities under the order.
It’s under these new powers that three entities — two private cybersecurity companies and a nonprofit professional association — alleged to be contractors for the GRU, have been sanctioned:
- The Special Technology Center Ltd. “assisted the GRU in conducting signals intelligence operations,” the fact sheet states.
- Zorsecurity, a.k.a. Esage Lab, another private sector cyber company “provided the GRU with technical research and development” services.
- The Professional Association of Designers of Data Processing Systems, better known by Russian initials ANO PO KSI, “provided specialized training to the GRU.”
The founder of ZorSecurity said on Twitter Friday that she “Woke up to tons of media inquiry about some kind of ‘0-f**k’ list that I have never heard of…”
Alisa Shevchenko, a security researcher who specializes in zero-days and penetration testing tools, has previously denied to Forbes that she wrote malware for the Russian government. Friday, she pronounced herself mystified as why her company, which she said has been closed anyway, “could possibly appear on the same list with the FSB and international terrorists.”
The week’s events capped a hurly-burly since the election during which the issue of Russian interference in the campaign — and most especially the bombshell allegation that the Kremlin tried to help president-elect Donald Trump to his victory — has become a political battleground.
Thursday evening, Trump reiterated his contention that the allegations were no big deal — although he refrained from dismissing or contradicting, as he has in the past, the U.S. assessment that Moscow was behind the DNC and Podesta dumps.
“It’s time for our country to move on to bigger and better things,” he said in a statement. “Nevertheless, in the interest of our country and its great people, I will meet with leaders of the intelligence community next week in order to be updated on the facts of this situation.”
Envoys expelled, assets frozen
“There has to be a cost and consequence for what Russia has done,” said a senior administration official, who insisted on anonymity despite speaking in a conference call with reporters arranged by the White House press office. “It was an extraordinary step for them to interfere in the democratic process here in the U.S. and there needs to be a price for that, they need to be held accountable for that … attack on our democratic system.”
The sanctions freeze any assets the sanctioned companies, agencies or people might have in the U.S. or in U.S. banks overseas, and bars any U.S. company, including banks, from doing business with them. It also bars them from entry to the U.S.
Alleged cybercriminals Bogachev and Belan are both on the FBI’s cyber most-wanted list, having first been indicted in 2012. Bogachev is accused of being the author of GameOverZeus, one of the most successful pieces of cybercrime banking malware ever written.
The expulsion of 35 Russian diplomats and the shuttering of the two recreational compounds, described by U.S. officials as “intelligence gathering facilities,” was said to be a response to a two year-long campaign of harassment against U.S. diplomats in Russia.
One senior official on the call called the Russian campaign “unprecedented in the post-Cold war era.”
Building a ‘bigger picture’
Separately Thursday, the DHS and the FBI published what they called a Joint Analysis Report outlining some of the malware signatures, command and control infrastructure and other so-called “indicators of compromise,” that cybersecurity specialists could use to detect malicious cyber activity on their systems by Russian intelligence agencies.
But some cybersecurity specialists criticized the report, saying it just lumped together a whole host of Russian hacking campaigns without sufficient context — and made no distinction between individual pieces of malware and larger campaigns.
Former Air Force cyber-warrior Robert Lee, while expressing admiration for the hard work by government analysts, called it “a very confusing report trying to cover too much while saying too little.”
U.S. intelligence officials publicly stated in October what they said was a consensus view of the nation’s espionage agencies — that Russian intelligence services were behind the hacking. Since then, some media outlets reports have reported that the CIA has concluded the hacking was done to help Trump.
“What we’re asking companies to do,” said another senior official on the call, “is to go back through their logs and see if they see any indication of this activity in the past … knowledge of these historical incidents, even if the bad actors are no longer active in your system, [will help the government] build up a bigger picture.”
Officials said the GRU “is involved in external collection using human intelligence officers and a variety of technical tools, and is designated for tampering, altering, or causing a misappropriation of information with the purpose or effect of interfering with the 2016 U.S. election processes,” according to the fact sheet. The FSB “assisted the GRU in conducting the activities described above.”
Four GRU officials have been designated for sanctions under the new election-tampering powers:
- Igor Valentinovich Korobov, the current head of the GRU.
- Sergey Aleksandrovich Gizunov, deputy head of the GRU.
- Igor Olegovich Kostyukov, a first deputy chief of the GRU.
- Vladimir Stepanovich Alexseyev, also a first deputy chief of the GRU.