The New Russian Hack Sanctions

The Treasury Department issued new Russian sanctions today, partly fulfilling the congressionally-mandated requirement that it do so, but also adding to the retaliatory sanctions President Obama imposed in December 2016. Effectively, this applies the Countering America’s Adversaries Through Sanctions Act of 2017 (CAATSA) sanctions ordered by Congress to the Russian spooks (but not the private hackers) Obama sanctioned, and applies the Obama EO-based sanctions to the Russians and companies listed in the Internet Research Agency indictment.

The breadth of accused activities

Given the limited number of people actually newly sanctioned (and the symbolic nature of sanctions imposed on people who are unlikely to travel to or have money in the US), this may be just Steve Mnuchin’s effort to buy time for the Administration; the Treasury press release even includes a promise for more CAATSA sanctions at a later date.

“The Administration is confronting and countering malign Russian cyber activity, including their attempted interference in U.S. elections, destructive cyber-attacks, and intrusions targeting critical infrastructure,” said Treasury Secretary Steven T. Mnuchin. “These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia. Treasury intends to impose additional CAATSA sanctions, informed by our intelligence community, to hold Russian government officials and oligarchs accountable for their destabilizing activities by severing their access to the U.S. financial system.”

That said, the press release for the sanctions is rather interesting in the breadth of activities these sanctions are said to be retaliation for. It includes the election hack, the NotPetya attack recently attributed to GRU (the rough equivalent to DIA) by the UK and US, and ongoing attacks on American critical infrastructure. (DHS and FBI issued a report on the latter.)

Today’s action counters Russia’s continuing destabilizing activities, ranging from interference in the 2016 U.S. election to conducting destructive cyber-attacks, including the NotPetya attack, a cyber-attack attributed to the Russian military on February 15, 2018 in statements released by the White House and the British Government. This cyber-attack was the most destructive and costly cyber-attack in history. The attack resulted in billions of dollars in damage across Europe, Asia, and the United States, and significantly disrupted global shipping, trade, and the production of medicines. Additionally, several hospitals in the United States were unable to create electronic records for more than a week.

Since at least March 2016, Russian government cyber actors have also targeted U.S. government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. Indicators of compromise, and technical details on the tactics, techniques, and procedures, are provided in the recent technical alert issued by the Department of Homeland Security and Federal Bureau of Investigation.

The move happens to come as the White House issued a formal statement joining European allies in pinning the attempted assassination of former GRU officer Sergei Skripal on Russia, and as Trump endorsed that view in statements to the press.

FSB not SVR sanctions

In addition to not resanctioning the private individuals named in December 2016, today’s sanctions are interesting in that they continue to blame FSB (a more thuggish equivalent of FBI) alongside GRU for the hack. I described why the inclusion of FSB was interesting here.

But it’s interesting for another reason: recent reporting. Both Dutch reporting on how its intelligence service caught Russian hackers in real time and a recent David Sanger article have instead credited SVR (the rough equivalent of CIA) with the hack. The head of SVR is already sanctioned, but it would seem that if the most up to date intelligence says SVR did the hack, they might be included here.

Two new GRU sanctionees — of the age they might have overlapped with Skripal

The sanctions also add two new GRU officers described only as senior GRU officers.

AFANASYEV, Sergei (a.k.a. AFANASYEV, Sergey), Russia; DOB 16 May 1963; Gender Male (individual) [CAATSA – RUSSIA] (Linked To: MAIN INTELLIGENCE DIRECTORATE).

MOLCHANOV, Grigoriy Viktorovich; DOB 01 Jan 1956 to 31 Dec 1956; citizen Russia; Gender Male (individual) [CAATSA – RUSSIA] (Linked To: MAIN INTELLIGENCE DIRECTORATE).

At roughly 55 and 62, these guys may have overlapped with Skripal (as would the others, whom the US obviously has more information on).

The last known dates

Perhaps most interesting, however, the Treasury press release description of the targeted GRU officers includes fascinating “as of” dates that would seem to indicate the last time it’s willing to admit we’ve gotten intelligence on these people.

Korobov came to the US in late January (and he’s a public figure that our own intelligence services would coordinate with), so it’s unsurprising his information is the most up-to-date, dating to that same time.

But we apparently have (or admit to having) more recent data, dating to last February, on one of the people newly added to this list — Afanasyev — than on the First Deputies originally sanctioned. That precedes the NotPetya activity being sanctioned here.

Most interesting is Molchanov. We not only don’t have passport information for him (though that’s not definitive, as none of the IRA people have passports listed, and we must have passport numbers for the ones that traveled to the US), but we don’t even have a solid date of birth. The “as of” date for him, April 2016, comes before the DNC hack was public, but around the time George Papadopoulos was learning about it. It also comes from before the sanctions in December 2016. Clearly, we’ve learned something about him since then that has won him significantly more focus, even if we don’t know when to send his birthday greetings.

These two new additions are both pretty old to be doing any hacking themselves (indeed, they’re contemporaries of all the top brass). But their addition may suggest we’ve learned more about how GRU’s hacking operates.

19 replies
  1. pdaly says:

    The date range for Molchanov’s birthday is strange, because in the absence of the details of month or day of month, the YEAR is so specific. Since Treasury does not give a year range, this suggests they are sure of the year of birth (somehow), and they are not basing it on a reported age–else 12/31/1955 should be just as likely as 01/01/1956.

    If he’s a spy, I assume he can have multiple identities with a different birthdate (but all in the year 1956)?

  2. Anne says:

    Is it right to interpret this section in the press release as an “in” for Team Mueller to figure out who laundered money through Trump’s empty hotels and condos?

    As a result of today’s action, all property and interests in property of the designated persons subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.

    Can they really not trace who is behind all the fake LLCs? I really hope this takes down Trump and Kushner.

    I’m thinking the press release also reveals who’s getting the boot next.

  3. `tinao says:

    Has there been any more info on the visit of the two Russian top intelligence officers, I believe under sanctions not to be able to visit us, meeting with let’s see who was that again-head of our CIA soon to be secretary of state Pompeo. That was one weird scene, and has been really bugging me. Somebody better have some very good questions ready at that confirmation hearing.

    • Rayne says:

      Very good question. (BTW, you have two accounts here — this one has an accent mark in front of your username, the other does not. Please try to stick to one of them, thanks.)

      • tinao says:

        Thanks for the link. I wonder if Pompeo has responded to Schumer’s questions yet and if Mueller has reviewed. Pompeo is every bit as stupid as Trump. Something tells me with the investigation in place back channels needed to be set up with a face to face among other things on Russia’s agenda. I think Putin has stepped in it big time using Trump and is being exposed. Hence the chest thumping about nuclear toys and killing the Russians in Britain. Repubs better get their koched-up-heads out their asses and realize the danger oligarchic behavior causes. They have put an unfit, compromised person in the president’s office. The longer they let it continue the worse it’s going to get.

        Oh yeah, btw I’m from the Pennsylvania 18th.

  4. SpaceLifeForm says:

    Guessing RW feeling a bit better.

    But those conclusions were quickly overshadowed by Conaway’s indication that the committee wouldn’t support the intelligence community’s unanimous finding [link redacted] that Russia favored a Trump victory in the election. The FBI, CIA and National Security Agency have stood by this finding repeatedly over the past 14 months, even after Trump’s appointees took the helm.

    Conaway said an exhaustive review by the panel found that the agencies failed to apply proper “tradecraft” to their decision.

    “There are standards that CIA analysts, and other intelligence analysts, hold themselves to,” Conaway said. “Ninety-eight percent of the tradecraft was just fine, but we believe that on this one narrow piece of the [agencies’ findings], the standards were not upheld.”

  5. matt says:

    Is it great that USA and Britain, and NATO are moving aggressively to isolate Russia? Yea! send all the diplomats packing!! This is the same fucking thing England and France did to Germany leading up to WWI. Because there were no lines of communication, the worst war in the history of mankind happened almost automatically.

    There is no way to know in a few days if Russian State/Putin really was behind the Skripal attack. Awfully convenient to scapegoat those Ruski bastards who would dare use a “nerve agent.” (why would Putin put a hit on an inconsequential ex-spy with his fingerprints all over the murder weapon?) It’s the same narrative in Syria… look those White Hats found evidence of chemical attack! Chemical weapons have no strategic benefit in battlefield ops- they are equally dangerous to both sides and have no use/advantage whatsoever over conventional warfare… unless you are the opposition who wants to paint your enemy as a monster. Wars are won in the hearts and minds…

    I about puked today, listening to NPR “On Point”- ex-US Russian ambassador blabbing how Russia started aggression in Ukraine and Crimea. No, they did not. The USA went in first to meddle in elections, install missile defense, and pull Eastern Europe into NATO- whose expressed purpose is the defense against Russia.

    My point? There are two separate issues. Trump administration sleazebags… and the foreign policy agenda towards Russia. We can gloat over the downfall of Trump, but I would be very, very careful about ending diplomatic relations with Russia. Like it or not they are a serious rival, and are much, much more of a threat to the United States than ridiculous IS or N. Korea.

    • emptywheel says:

      Like you I’m alarmed by the escalation. These sanctions are not escalation, however. And I think the bigger problem is that the US was simultaneously doing stupid stuff yet not shoring up its own weaknesses. We’re pretty fucking vulnerable right now and Putin knows it.

      Though FWIW, under Trump, I think NK may be as big of a threat.

      • Trip says:

        This is why I think it is a distinct possibility that the Kremlin could be behind the assassination attempt. Putin feels emboldened to push toward his own imperialistic goals with Trump at the wheel, leaving the EU floundering.

        The Kremlin has also provided support for NK’s nukes.

      • matt says:

        Very true, we are vulnerable and N. Korea is a wildcard.  I just hope we are all not putting our head in the sand… and that there are lines of communication open, no matter how frustrating it is dealing with Russia.

    • Trip says:

      The sanctions targeted the actors of the cyber attacks.

      The Treasury Department announced sanctions against the GRU, the Russian military intelligence organization, and 13 Russian citizens. Those individuals already face charges as a result of a special U.S. investigation of Russian activities during the election campaign.

      The measures also target the Internet Research Agency, a company based in Saint Petersburg, Russia. Officials say it sought to divide Americans with misleading stories and commentary on American issues during the campaign.

      It really doesn’t come across as anything other than tepid symbolism.

      I think your immediate response that there is no way Putin/the Kremlin would do something like make an assassination attempt in daylight is naive. I’m not saying that the case is closed, but you seem to have made up your mind toward no way, no how that the Kremlin was behind it; when there has been escalation on all sides and this is not outside the realm of past Kremlin modus operandi.

      Booting the diplomats doesn’t mean no communication, as far as the UK is concerned. When Obama kicked them out, it was essentially a moderate response.

      • matt says:

        Putin could well be the culprit- if so, it would be a brazen thumb in the eye. It just seems like he still has traction with the Trump administration, and a dominant position in Syria. If you take his words at face value, that he does want to bring Russia into the club of the West, why send a royal F-you now?

        (Or, maybe he’s a fatalistic, murderous sack of shit- that’s a possibility too).

        I get the tit for tat hacking/meddling, and our mitigation/sanctions for that… but the talk of retaliation for “chemical warfare” on European soil was disturbing.

  6. SpaceLifeForm says:

    It’s always the Ruskies!

    But, some disagree at Porton Down.

    … received confirmation from a well placed FCO source that Porton Down scientists are not able to identify the nerve gas as being of Russian manufacture, and have been resentful of the pressure being placed on them to do so. Porton Down would only sign up to the formulation “of a type developed by Russia” after a rather difficult meeting where this was agreed as a compromise formulation. 

    Porton Down is still not certain it is the Russians who have apparently synthesised a “Novichok”. Hence “Of a type developed by Russia”. Note developed, not made, produced or manufactured.
    It is very carefully worded propaganda.

    • SpaceLifeForm says:

      To clarify:

      It could have happened at UK airport.

      Injected via hypodermic needle into suitcase.

      Do not even need the combo even if one.

      No obvious tampering.

      But the same could have happened in Moscow.

      Why is there so much certainty that it really happened in Moscow?

      • Rayne says:

        I hope you realize you may not get the answers you want if there is an active counterintelligence investigation underway in the UK, as disclosure of some of the information you want may also disclose sources and methods the UK relies on to do CI work. Not to mention the fact that if this is indeed a Novichok agent, this is some serious shit about which intelligence agencies in the UK and in the US are going to act rather aggressively (not to be confused or conflated with political action by UK or US). It took years to come to a public conclusion about the Litvinenko case, even with the broad swath of radioactive evidence left from Russia to the UK. This case is much worse.
