Obama Sanctions Russian Spy Agencies, Expels 35 Officers for Election Hacking

Suggests counter-cyber attacks may be carried out

December 29, 2016

President Barack Obama hit back against Russia on Thursday for intelligence operations targeting the 2016 presidential election by imposing sanctions on two Russian intelligence services and expelling 35 officers from the country.

Additionally, the president and senior aides suggested covert counter-cyber attacks against Russia could be conducted in the coming days in a bid to punish Moscow for a large-scale intelligence program to influence the election.

"All Americans should be alarmed by Russia's actions," Obama said about attempts to influence the election. "These data theft and disclosure activities could only have been directed by the highest levels of the Russian government."

Additional covert intelligence activities could be launched against the Russians, although the president in the past has failed to take any cyber action against Chinese and North Korean hackers for cyber attacks.

The sanctions and expulsions "are not the sum total of our response to Russia's aggressive activities," the president said. "We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized."

The president's announcement follows a decade of malicious activities by the Russian government via its GRU military intelligence service and the civilian Federal Security Service (FSB), and raises questions among critics about why the president waited so long to retaliate.

"The retaliatory measures announced by the Obama administration today are long overdue, but ultimately, they are a small price for Russia to pay for its brazen attack on American democracy," said Sens. John McCain (R., Ariz.) and Lindsey Graham (R., S.C.).

"We intend to lead the effort in the new Congress to impose stronger sanctions on Russia."

The Russian government vowed to retaliate for the new sanctions. Presidential spokesman Dmitri Peskov said Russian President Vladimir Putin would order an "appropriate" retaliation for the U.S. actions—a likely signal that U.S. intelligence personnel in Russia will be expelled in the coming days.

Russian intelligence operations against the election were likely aimed at seeking to bring to power an administration in Washington that would be more amenable to Moscow.

Russia has chafed under international sanctions imposed after the covert takeover of Ukraine's Crimean Peninsula.

President-Elect Donald Trump said in a statement from Florida, where he is vacationing, that he will meet with U.S. intelligence leaders next week to receive an update on the Russian hacking. But he appeared to play down the president's action.

"It's time for our country to move on to bigger and better things," Trump said.

The sanctions were targeted against nine organizations and people, including the FSB and GRU and four senior GRU leaders. They include Igor Valentinovich Korobov, current GRU director; Sergey Aleksandrovich Gizunov, GRU deputy director; and two other deputy directors, Igor Olegovich Kostyukov and Vladimir Stepanovich Alexseyev.

The GRU was sanctioned for "tampering, altering, or causing a misappropriation of information with the purpose or effect of interfering with the 2016 U.S. election processes." The FSB supported the GRU in conducting the activities.

Additionally, U.S. intelligence agencies identified three support groups used by the Russians in the election hacking. They include the St. Petersburg-based Special Technology Center that supported GRU signals intelligence operations. A company called Zorsecurity (also known as Esage Lab) conducted technical research for GRU hackers. Training for the GRU was supplied by the Autonomous Noncommercial Organization "Professional Association of Designers of Data Processing Systems," known as ANO PO KSI.

Two other Russians described by U.S. officials as notorious cyber criminals also were sanctioned. They are Evgeniy Bogachev and Aleksey Belan.

Bogachev conducted cyber attacks for financial gain, including theft of over $100 million from U.S. financial institutions and large corporations.

Belan used cyber attacks to steal personal information for financial gain, including penetrations of three large American e-commerce companies.

The State Department also took action to limit Russian diplomats by restricting the use of two diplomatic facilities—Russia's Pioneer Point residence near Centerville, Md., and a second facility in New York.

Both facilities are used for Russian intelligence activities, administration officials said. The officials declined to say whether the election hacking was linked directly to the two facilities.

The Russian officials expelled were based at the embassy in Washington and the consulate in San Francisco.

It was the largest mass expulsion of Russian intelligence officers since 1986, when 25 senior KGB and GRU intelligence officers were ordered out of the country.

Unlike the Reagan administration expulsions of 1986, the current 35 Russians who must leave the country by Sunday were not identified by name.

The Russian sanctions also were taken in response to the harassment of American diplomats in Russia over the past two years. The harassment has included mistreatment by Russian security personnel and police.

The FBI and Department of Homeland Security issued an intelligence analysis report outlining the technical details of the Russian cyber attacks, code named "Grizzly Steppe."

"This activity by Russian intelligence services is part of a decade-long campaign of cyber-enabled operations directed at the U.S. government and its citizens," the two agencies said in a statement.

"These cyber operations have included spearphishing, campaigns targeting government organizations, critical infrastructure, think tanks, universities, political organizations, and corporations; theft of information from these organizations; and the recent public release of some of this stolen information."

The report said the GRU and FSB, identified only as Advanced Persistent Threat (APT)-28 and APT-29 used tools and infrastructure "to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. government, political, and private sector entities."

The Russians also carried out damaging or disruptive cyber attacks on critical infrastructure overseas against American allies.

"In some cases, [Russian intelligence service] actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack," the report said.

The GRU and FSB worked together to plant malicious software into targeted computer networks and then covertly extracted data that was released publicly.

The GRU broke into the Democratic National Committee computer system in the summer of 2015 by sending 1,000 emails containing a malicious link. The FSB then penetrated the DNC network against in the spring of 2016, using emails that tricked staff members into changing their passwords at a fake webmail domain that stole their login credentials.

"Using the harvested credentials, APT-28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members," the report said.

Disclosures included sensitive details on how DNC Chairwoman Debbie Wasserman Shultz unfairly backed former Secretary of State Hillary Clinton over rival Sen. Bernie Sanders during the presidential primary race. Wasserman Shultz was forced to step down as a result of the email disclosures.

The Russian intelligence operations continue, despite a warning from President Obama to Russian President Vladimir Putin last fall to halt the cyber attacks.

"Actors likely associated with [Russian intelligence services] are continuing to engage in spearphishing campaigns, including one launched as recently as November 2016, just days after the U.S. election," the report said.

On Capitol Hill, House Homeland Security Committee Chairman Rep. Michael McCaul (R., Texas) said the action by the president was "long overdue."

"For many months I have urged the administration to respond to the election-related hacks, and for years I have pressed them to stand up to Russia and other cyber intruders," McCaul said.

"Instead, President Obama's 'look-the-other-way' foreign policy has emboldened Moscow time and again and opened us up to attack."

Asked why it took so long for the White House to take action against the Russians, a senior administration official said developing a response was a time-consuming, complex interagency process.

The official noted the October statement by the Department of Homeland Security and Office of the Director of National Intelligence blaming Russia for the hacking.

The official said the main concern prior to the election was to secure the nationwide voting system against foreign disruption.

"The president has been very deliberate," the official said. "Let’s gather the information; when we had enough confidence to put it out, we released it publicly. We issued a warning. We worked to secure our election. We worked to develop these responses. When the responses were complete, we aligned them so that we would be doing this as a package."

A State Department official said the actions announced Thursday followed a long-term diplomatic approach to the Russians—one that apparently was not successful.

"We will have to continue to deter and push back on this behavior," the official said.

Michelle Van Cleave, former DNI National Counterintelligence Executive, said the public reproach of Russian intelligence activities was "long overdue.

"But I hope it isn’t a case of too little too late," she said. "When Ronald Reagan expelled 80 GRU and KGB officers 30 years ago it was part of a purposeful counterintelligence strategy to stop them," Van Cleave said.

"Today, there are more Russian intelligence personnel operating on U.S. soil that at the height of the Cold War. So the 35 or so that have just been sent packing are but a drop in the bucket. The bigger question is now what?"

Published under: Russia