Sanctioning GRU … and FSB

While I was out and about today, President Obama rolled out his sanctions against Russia to retaliate for the Russian hack of Democrats this year. Effectively, the White House sanctioned two Russian intelligence agencies (GRU, Main Intelligence, and FSB, Federal Security Service), top leaders from one of them, and two named hackers.

In addition to sanctioning GRU, the White House also sanctioned FSB. I find that interesting because (as I laid out here), GRU has always been blamed for the theft of the DNC and John Podesta documents that got leaked to WikiLeaks. While FSB also hacked the DNC, there’s no public indication that it did anything aside from collect information — the kind of hacking the NSA and CIA do all the time (and have done during other countries’ elections). Indeed, as the original Crowdstrike report described, FSB and GRU weren’t coordinating while snooping around the DNC server.

At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached the network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the other. Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials. While you would virtually never see Western intelligence agencies going after the same target without de-confliction for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from European Council on Foreign Relations, does an excellent job outlining the highly adversarial relationship between Russia’s main intelligence services – Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with also significant external collection and ‘active measures’ remit, Служба Внешней Разведки (SVR), the primary foreign intelligence agency, and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but also rarely share intelligence and even occasionally steal sources from each other and compromise operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of mutual operations.

Data FireEye provided to War on the Rocks much later in the year suggested that the DNC hack was the only time both groups had shown up on the same systems, which War on the Rocks took to mean the opposite of what Crowdstrike had: a particularly high degree of coordination.

According to data provided for this article by the private cybersecurity company, FireEye, two separate but coordinated teams under the Kremlin are running the campaign. APT 28, also known as “FancyBear,” has been tied to Russia’s foreign military intelligence agency, the Main Intelligence Agency or GRU. APT 29, aka “CozyBear,” has been tied to the Federal Security Service or FSB. Both have been actively targeting the United States. According to FireEye, they have only appeared in the same systems once, which suggests a high level of coordination — a departure from what we have seen and come to expect from Russian intelligence.

The sanctioning materials offer only this explanation for the FSB sanction: “The Federal Security Service (a.k.a. Federalnaya Sluzhba Bezopasnosti) (a.k.a FSB) assisted the GRU in conducting the activities described above.”

So I’m not sure what to make of the fact that FSB was sanctioned along with GRU. Perhaps it means there was some kind of serial hack, with FSB identifying an opportunity that GRU then implemented, the more extensive coordination that FireEye claims. Perhaps it means the US has decided it’s going to start sanctioning garden-variety information collection of the type the US does.

But I do find it an interesting aspect of the sanctions.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

7 replies
  1. martin says:

    Can someone please explain

    a.  what a “sanction” is?

    b.  how would the US apply “sanctions” against the intelligence agencies of Russia?

    c.  why I’m hearing a loud, raucous, gut splitting laughter coming from somewhere west of the Pacific coast all the way to Michigan, followed by very loud…”fuck you Obama”?

  2. lefty665 says:

    Despite the headlines it is curious that much of what was announced seemed to have little to do with election hacking. It was expulsions that settled other scores and things like closing retreats used largely by Russian diplomats on the Eastern Shore and Long Island. That’ll show them pesky Ruskies, and seems almost gratuitous. Suppose we’re just not privy to “sanctions” aimed at the Russian equivalents of NSA and CIA?

    I see the Russians have chosen not to respond tit for tat on expulsions; January 20th is coming real soon now. They could make Brennan persona non grata and a lot of Americans would probably agree.

    • greengiant says:

      For entertainment, did the TLAs pull back and “hide” any people prior to the “sanction” expecting Russia to retaliate in kind. Maybe Russia prefers to keep the TLAs it knows rather than get the next shift.

  3. lefty665 says:

    “The New York Times, which has been busy flogging the latest reasons to hate Russia and its President Vladimir Putin, asserted, “The F.B.I. and Department of Homeland Security released a report on Thursday detailing the ways that Russia acted to influence the American election through cyberespionage.”…

    Most of the 13-page FBI/DHS report was devoted to suggestions on how Internet users can protect their emails from malware, but there was little new that proved that the Russians were the source of the Democratic emails given to WikiLeaks.”

    https://consortiumnews.com/2016/12/29/details-still-lacking-on-russian-hack/

    So what do you think, did the Russians really do it all, or did the leaks come from other breaches of the DNC and Podesta’s emails? Seems those could be separate issues that have been conflated in the rush to blame Putin for Hillary’s loss.


  4. bevin says:

    This, irresponsible to the point of treachery, partisan ruse has the purpose of defending the position within the Democratic Party of the DLC from the inevitable, almost automatic, charge that, had it not rigged the primaries and ensured the nomination of an unpopular candidate running on a Republican platform, Bernie Sanders, or one of the other candidates dissuaded from running by arm-twisters in the White House and Wall St, would be preparing for Inauguration ceremonies.

    And, further that Congress would contain considerably more Democrats than the ineffective rumps which will caucus next year.

    Democrats allow this narrative to develop at their peril: they lost the election because they had a bad candidate, a worse platform and an eight year long record of government on behalf of the 1% to live down. The Russians had no more to do with it than my dog Clyde-and he’s dead.

  5. wayoutwest says:

    This farce has gone beyond ludicrous with the Homeland Security report on supposed Russian hacking being headed by a disclaimer statement claiming they can’t be held responsible for the accuracy of its contents.

    Putin has cleverly defused the situation by inviting all the US spies in Moscow and their families to the New Years’ Eve party at the Kremlin while Obama and the Clintonites are left to spin around on the floor jabbering like the Three Stooges.

  6. Evangelista says:

    Since Obama signed his recent Increase Cyber-Spying For Cyber-“Security” Executive Order, based on his “conviction” that Russians, under Vladimir Putin’s personal over-the-shoulder directing and on-the-podium baton-waving have been conducting the Incompetents’ Orchestras performing in the USA’s 2016 Elections Excess Festival, I have experienced four computer system intrusions, and was on-hand for a fifth, against a public internet provider. First, in caveat, the number in a bunch is the only odd-out thing about this; I do bait and chum to draw official (grumpy bureaucrat agencies and what call themselves “domestic intelligence operations”), and sort of count attractions as ‘scores’. One was an almost exact copy to the asserted Podesta phishing, and one (my favorite) was a completely amateur, apparently over-excited new operator monitoring me specifically and my email in which I receive reports of Dakota Water Protector relevant legal proceedings, where, as soon as I brought up the file containing four or five new informations, the whole file content disappeared (not anything exotic, all public and easy to get from the source)… Wha- Happen-? The over-excited ‘Pspy-Op’ hit his ‘move’ instead of ‘copy’ key…

    Why is any of this interesting?  Because all of the four I was positioned to review were of positively local source.  Not a Russian in the lot.  And at minimum two were specifically targeting, triggered by my computer attaching to a local public access network, or computing characteristics triggering a flag-and-attach hook in to monitor.  This means local office FBI or “‘law’ enforcement” using available-from feds toys (they call them ‘tools’), or, less likely, but possible, HLS or NSA, most likely if practicing on known local pains to work up to speed for ‘real work’ (Oh, my, but they do need the practice).

    This, along with the lack of evidence, and “keep our arses covered” wordings of the “Russian Hacking” allegations and reiterations of “We’re surer and surer, and really really sure, but not, you know, positive-like really positive sure…” rhetoric in regard to Our President’s In-My-Heart-of-Hearts-Certain-As-A-DA-Dreaming-Of-A-Higher-Office Certainty Based Conviction that the “Russian Hacking” Narrative is True, is pretty strong evidence that the “Russian Hacking” narrative was cooked up to provide a ‘back’ for a ‘need for more cyber-security, even if it does mean less personal security and, you know, inadvertent-like intrudings into Americans’ privacies.

    It is standard model methodology in building a police-state:  Manufacture a bullshit-balloon spectre and then introduce the increase of surveillance “needed” to “combat” the “Ugly Reality” of the Enemy’s Nefariousity…

    We are being jacked.  It’s our Christmas Goose.  A last goose gift of the Obama-era.  Ushered in with whistle-blower prosecutions, what else could it go out on?
