The New Cyber Sanctions

Even as Trump was working hard to get Russia admitted back into the G-7, Treasury was preparing new cyber sanctions against a number of “Russian” entities. This appears to be an effort to apply sanctions for activities exploiting routers and other network infrastructure (activities that the US and its partners engage in too) that US-CERT released a warning about in April.

One of the designated entities is controlled by and has provided material and technological support to Russia’s Federal Security Service (FSB), while two others have provided the FSB with material and technological support. OFAC is also designating several entities and individuals for being owned or controlled by, or acting for or on behalf of, the three entities that have enabled the FSB.


Examples of Russia’s malign and destabilizing cyber activities include the destructive NotPetya cyber-attack; cyber intrusions against the U.S. energy grid to potentially enable future offensive operations; and global compromises of network infrastructure devices, including routers and switches, also to potentially enable disruptive cyber-attacks.  Today’s action also targets the Russian government’s underwater capabilities.  Russia has been active in tracking undersea communication cables, which carry the bulk of the world’s telecommunications data.

I’ve included the entire list of sanction targets below.

On paper, at least, it looks like Treasury is sanctioning:

  • An entity, Divetechnoservices, that helps Russia tap into submarine cables along with three of its employees (another thing our spooks do, but one the US and especially UK have been increasingly worried about from Russia); the Treasury release notes that Divetechnoservices got the contract for an FSB submersible craft way back in 2011
  • An entity, Kvant Scientific Research Institute, that has been a research institute for FSB since August 2015 and, since April 2017, the prime contractor on an FSB project
  • An entity, Digital Security, that as of 2015 worked on a project that would expand Russia’s offensive cyber capabilities; the sanctions also include two companies the release claims are Digital Security subsidiaries, both of which have US and Israeli locations

All of these were sanctioned under E.O. 13694, which, as amended, included attacks on election processes; given the dates, they might be implicated in the election year hacks, or might just be deemed a threat to national security. Just Kvant was also sanctioned under CAATSA, which is the more general sanctions program forced onto Trump by Congress. I’ve also put the language for the two of those below.

And, as Lorenzo F-B notes, the heads of two of the sanctioned alleged subsidiaries of Digital Security, ERPScan and Embedi, say they have nothing to do with the company.

But one of the security companies named in the new sanctions, ERPScan, denied having anything to do with the Russian government in an email to Motherboard.

“The only issue is that I and some of my peers were born in Russia, oh, cmon, I’m sorry but I can’t change it,” ERPScan’s founder Alexander Polyakov told me. “We don’t have any ties to Russian government.”

ERPScan is mostly known for its product that hunts for vulnerabilities in companies’ systems provided by SAP, a popular German enterprise software maker. Cyber Defense Magazine gave ERPScan an award this year for “best product” in its artificial intelligence and machine learning category.


Polyakov, however, claimed that as of 2014, ERPScan is a “private company registered in the Netherlands” and that it has no connections “with other companies listed in this document.”


“The news came to us as an unpleasant surprize. We never worked for Russian government, but indeed we have some former Russian researchers in our Research Team (some of them are former employees of Digital Security),” Alex Kruglov, Embedi’s head of marketing, told Motherboard in an email. “It is the only reason we can figure out to be added to a sanctions list.”

And they’re both legit cybersecurity companies, which at the very least raises questions (as the Kaspersky targeting did) about whether this is just infosec protectionism. If these protestations are correct, however, it renews real questions about the accuracy of sanction claims made under Treasury Secretary Steve Mnuchin.

The first indication that Mnuchin’s Treasury Department was offering bullshit to fulfill Congress’ demand for sanctions came when Treasury released a list of Russian oligarchs in January that was basically just the Forbes list of richest Russians, including a number that oppose Putin.

President Trump’s Treasury Department released a list of prominent Russian political figures and business leaders who have prospered while Vladimir Putin has led Russia.

The list features 210 people, including politicians such as Prime Minister Medvedev and Minister of Defense Sergey Shoygu. Also on the list are 96 “oligarchs.” Within hours of the list’s posting, media organizations began pointing out the similarity between the 96 billionaires listed and the Russians that appear on Forbes’ 2017 list of the World’s Billionaires.

Forbes went through the lists and confirmed that indeed the Treasury Department’s list is an exact replica of the Russians on the 2017 billionaires list.

For a bit, I thought the list released in March, which added a few new GRU officers, might have reflected new knowledge about GRU officers involved in the targeting of the DNC. Except it turned out those officers were just people readily identifiable off public GRU records. Treasury basically could have gotten them from a spook phone book.

Treasury did better with non-cyber Ukraine-related sanctions in April. It actually named several figures — most obviously Oleg Deripaska and Alexander Torshin — suspected of having played key roles in the election interference. Since then, Deripaska and his aluminum company Rusal have pursued financial games to shield Rusal from sanctions. He’s doing this with the help of Mercury Public Affairs — the Vin Weber lobbying group that shows up in a lot of Manafort’s indictments — and former Trump aide Bryan Lanza, who now works there. So it’s not clear whether Deripaska will be significantly impacted.

With that history in mind, it’s worth asking whether Treasury simply can’t do cyber sanctions well, both because it’s hard to distinguish infosec from hacking (it would be equally difficult to do so for any of a number of contractors with close ties to FBI, the analogue of the companies that got sanctioned yesterday), and perhaps because Treasury doesn’t have good intelligence on who is hacking for Russia. Or perhaps Mnuchin is just obstinate.

But thus far, the history of Treasury’s selections on Russian-related cyber sanctions leaves quite a bit to be desired.

Today’s action includes the designation of five Russian entities and three Russian individuals pursuant to E.O. 13694, as amended, as well as a concurrent designation pursuant to Section 224 of CAATSA.

Digital Security was designated pursuant to E.O. 13694, as amended, for providing material and technological support to the FSB.  As of 2015, Digital Security worked on a project that would increase Russia’s offensive cyber capabilities for the Russian Intelligence Services, to include the FSB.

ERPScan was designated pursuant to E.O. 13694, as amended, for being owned or controlled by Digital Security.  As of August 2016, ERPScan was a subsidiary of Digital Security.

Embedi was designated pursuant to E.O. 13694, as amended.  As of May 2017, Embedi was owned or controlled by Digital Security.

Kvant Scientific Research Institute (Kvant) was designated pursuant to E.O. 13694, as amended, and Section 224 of CAATSA for being owned or controlled by the FSB.  In August 2010, the Russian government issued a decree that identified Kvant as a federal state unitary enterprise that would be supervised by the FSB.

Kvant was also designated pursuant to E.O. 13694, as amended, for providing material and technological support to the FSB.  As of August 2015, Kvant was a research institute with extensive ties to the FSB.  Furthermore, as of April 2017, Kvant was the prime contractor on a project for which the FSB was the end user.

Divetechnoservices was designated pursuant to E.O. 13694, as amended, for providing material and technological support to the FSB.  Since 2007, Divetechnoservices has procured a variety of underwater equipment and diving systems for Russian government agencies, to include the FSB.  Further, in 2011, Divetechnoservices was awarded a contract to procure a submersible craft valued at $1.5 million for the FSB.

Aleksandr Lvovich Tribun (Tribun) was designated pursuant to E.O. 13694, as amended, for acting for or on behalf of Divetechnoservices.  As of December 2017, Tribun was Divetechnoservices’ General Director.

Oleg Sergeyevich Chirikov (Chirikov) was designated pursuant to E.O. 13694, as amended, for acting for or on behalf of Divetechnoservices.  As of March 2018, Chirikov was Divetechnoservices’ Program Manager.

Vladimir Yakovlevich Kaganskiy (Kaganskiy) was designated pursuant to E.O. 13694, as amended, for acting for or on behalf of Divetechnoservices.  As of December 2017, Kaganskiy was Divetechnoservices’ owner.  Previously, Kaganskiy also served as Divetechnoservices’ General Director.

EO 13694 as amended

E.O. 13694 authorized the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities that result in enumerated harms that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.  The authority has been amended to also allow for the imposition of sanctions on individuals and entities determined to be responsible for tampering, altering, or causing the misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions.

CAATSA Section 224

IN GENERAL.—On and after the date that is 60 days after the date of the enactment of this Act, the President shall— (1) impose the sanctions described in subsection (b) with respect to any person that the President determines— (A) knowingly engages in significant activities undermining cybersecurity against any person, including a democratic institution, or government on behalf of the Government of the Russian Federation; or (B) is owned or controlled by, or acts or purports to act for or on behalf of, directly or indirectly, a person described in subparagraph (A);


SIGNIFICANT ACTIVITIES UNDERMINING CYBERSECURITY DEFINED.—In this section, the term ‘‘significant activities undermining cybersecurity’’ includes— (1) significant efforts— (A) to deny access to or degrade, disrupt, or destroy an information and communications technology system or network; or (B) to exfiltrate, degrade, corrupt, destroy, or release information from such a system or network without authorization for purposes of— (i) conducting influence operations; or (ii) causing a significant misappropriation of funds, economic resources, trade secrets, personal identifications, or financial information for commercial or competitive advantage or private financial gain; (2) significant destructive malware attacks; and (3) significant denial of service activities.

27 replies
  1. somecallmetim says:

    What, if any, has been the response from congressional oversight committee? Regarding the sanctions so far, from someone with only a superficial acquaintance with the subject, the phrase ‘half-@$$&d’ comes to mind.

  2. greengiant says:

    Department of redundancy The administration doing something stupid Lack of logic, arithmetic fail, 4th of July fireworks show of shiny objects to distract ( see slurs on Canada e.g. ), chest thumping, inhumane actions to excite the base, and provoked by Kim’s large envelope trick the new micro tables for measuring their penis sizes. That is what bogus fiats are, micro tables.

    • SpaceLifeForm says:

      Department of redundancy Department, no?

      Maybe I missed the memo on the name change.

      And the second memo. Obviously, I missed the tweet.

  3. orionATL says:

    “it’s hard to distinguish infosec from hacking”

    what do the two terms mean? what is the difference between the two activities.

    and what would “infosec protectionism” involve?


    “perhaps because Treasury doesn’t have good intelligence on who is hacking for Russia.”

    surely treasury doesn’t have to work on its own, minus info from nsa and fbi?  or does it? 

    this is a very helpful explainer, but i don’t get any sense that this is a serious sanction effort. what is the penalty? i would guess it is the usual, named organizations and businesses cannot do business in the u. s., cannot engage in transactions with americans, will have their properties and liquid assets frozen.

    maybe a fair evaluation would be that this is a sensible sanction because it is targeted at certain activities, rather than being an attack on the russian economy. certainly these sanctions are limited.

    still, trump working to reduce sanctions that mean a lot to allies suggests this is a sanction release timed to counter that, at least domestically.

    • SpaceLifeForm says:

      Infosec vs hacking

      See Red Team vs Blue Team. Offense (hackers) vs Defense (Infosec)

      Then ask yourself, is the Red Team the Bad Guys and the Blue Team the Good Guys?

      Or, is the reverse actually the case?

      Is the ploy to be Blue Team actually to collect information?

      Information *IS* Money.

      Maybe both bad.

  4. cfost says:

    “The bulk of the world’s telecommunications data.”

    So, which data? Whose data? Who/what is Treasury protecting?

    If I think of Putin as someone who was long ago freed of any ideological and political constraints; if I think of Trump as part of a group of people who are, in practice, assets being used and manipulated by others; if I think of Trump as being treated like any other oligarch, Russian or otherwise; if I note that this action was taken by and announced by Treasury; then I begin to wonder about the character of the war being fought here, and the identity and interests of the players behind the scenes. Judging by actions, Putin (either as himself or as a brand) seems, over and over again, more interested in money and how to get it (and launder it) than in traditional military or political prizes.

    In this newly emerging world, McLuhan’s Age of Information, control of data is control of everything.

  5. TheraP says:

    The news came to us as an unpleasant surprize (sic!).

    Um….  and I assume that quote was supposed to prove “no” connection with Russia?   Amazing how things like a misspelling can be a tipoff!

    As an aside, I notice how Trump used language which is not Trumpian to describe US/S. Korean joint military exercises:  “very provocative” and “inappropriate.”  

    Talk about picking up propaganda from your enemy!  (Lordy, Lordy!)

    • earlofhuntingdon says:

      “War games.”  Yep.  I’d say that North Korean “interpreter” was a busy bee.

      Strangely, the Don remembered some of it.  Odd, since the only thing he remembered about his briefing for the G7 was that it used to be the G8.  Motivation, I guess, and the bromance of one autocratic for another.

      • Trip says:

        What are the chances Canada will allow political asylum for some in the US trying to flee an insane dictator? I’m asking for a friend.

        • SpaceLifeForm says:

          They are not happy with Trump currently, so I doubt they would let him in again. (that is snark and a hint. He is a puppet)

          Do not panic. All will work out.

  6. Bobby Gladd says:

    I have my eye on a 96′ converted tug live-aboard boat now moored up Vancouver Island near Victoria BC. Wonder if I could just buy it and move there, keep it berthed where it is? Hmmmm…

    • earlofhuntingdon says:

      Good choice, as long as there’s not too much time on the engine and the electronics are updated.  Helps if you know how to navigate and operate a boat, though.  Or you can just keep it moored and hire a captain for an occasional trip out of the harbor.

    • SpaceLifeForm says:

      How many gold bars can it carry?

      You may get free financing from someone in Trump org.

  7. SpaceLifeForm says:

    I’d add Manafort as a Tag in light of the Mueller motion today. Surely, ABJ, even throwing Manafort a crumb (reveal some names), will also have to side with Mueller on the protection of sensitive data and protecting sources and methods.

    Mueller (if ABJ agrees) likely let Ellis avoid a big headache.

    1.5 to 2 Terabytes of discovery to go through in DC.

    And that is just a *current* estimate.

    Barbara Jones got a bunch of stuff to review, but not that much.

    So, not likely Manafort and Ellis will meet for some time, if ever again.


  8. Trip says:

    Donald J. Trump (@realDonaldTrump)

    Kim Jong Un of North Korea, who is obviously a madman who doesn’t mind starving or killing his people, will be tested like never before!
    3:28 AM – 22 Sep 2017

    “Well, he is very talented,” Trump said. “Anybody that takes over a situation like he did at 26 years of age and is able to run it and run it tough. I don’t say he was nice.”
    “Very few people at that age — you can take one out of ten thousand, probably couldn’t do it.”
    Speaking to reporters in Singapore after his landmark summit with Kim, Trump said that he found the North Korean premier to be a “very talented man” who “loves his country very much”.

    What a clown show.
    Cue up “Love hurts” by Nazareth.

    • Michael says:

      “Anybody that takes over a situation like he did at 26 years of age and is able to run it and run it tough.”

      (all together now) WHAT?!
      I would rather break trail in elephant grass than slog through Rump’s word salads.

      • Trip says:

        “Run it”, as one would in a corporation or company, is my translation of stupid gibberish.

        It didn’t occur to Trump, that Jong un was able to “run it” tough because he is a psychopath, in a line of psychopaths. Trump is probably one too.

        The Hare checklist:

        The twenty traits assessed by the PCL-R score are:

        glib and superficial charm
        grandiose (exaggeratedly high) estimation of self
        need for stimulation
        pathological lying
        cunning and manipulativeness
        lack of remorse or guilt
        shallow affect (superficial emotional responsiveness)
        callousness and lack of empathy
        parasitic lifestyle
        poor behavioral controls
        sexual promiscuity
        early behavior problems
        lack of realistic long-term goals
        failure to accept responsibility for own actions
        many short-term marital relationships
        juvenile delinquency
        revocation of conditional release
        criminal versatility

    • Trip says:

      Jackass clown got punked, looks like a moron:

      North Korea’s Media Tout Trump Concessions You Won’t Find In The Joint Statement

      The KCNA report — which was also carried by the Rodong Sinmun, official newspaper of the ruling Workers’ Party — also claimed that the president pledged to suspend military drills with South Korea, and lift sanctions on the North.

      What did the US get? The Fart of the Deal.


  9. earlofhuntingdon says:

    Best comprehensive analysis of the outcome of the Trump-Kim Singapore Summit, from tristero at digby:

    The following is an in-depth analysis of the substance of the deal the two dictators struck in Singapore:

    • Trip says:

      We are a fucking Nazi nation.  That Chris Hayes segment was beyond heartbreaking and infuriating. Even the lie about just giving the kids a bath and then taking them away permanently has parallels. Sessions is a garbage racist SS soldier. And now Trump just endorsed an actual white supremacist. His endorsement of Jong un as a great guy only demonstrates his role models.

      Aren’t we better than this? Maybe not.
