[Updated w/ Russian Response]: Obama Strikes Back at Russia for Election Hacks with Expulsions, Sanctions & FBI’s “Evidence”
“Today, I have ordered a number of actions in response to the Russian government’s aggressive harassment of U.S. officials and cyber operations aimed at the U.S. election,” President Obama said in a statement today. As threatened yesterday, the Obama administration has unveiled new sanctions against Russia over its efforts to influence the 2016 election.
Washington has decided to impose sanctions on Russia’s two leading intelligence services, including four officers of the military intelligence that the White House believes ordered the attacks on the DNC and other political organizations. The Obama administration is also ejecting 35 Russian intelligence operatives from the United States, along with closing two Russian compounds in New York and Maryland.
“These actions are not the sum total of our response to Russia’s aggressive activities”
The move against the diplomats from the Russian embassy in Washington and consulate in San Francisco is part of a sweeping set of actions that the White House announced on Thursday to punish Russia for interference in the US election and for running a campaign of intimidation of American diplomats in Moscow. The Russian diplomats would have 72 hours to leave the United States, the officials said. As of noon on Friday, access to the two compounds, which are used by Russian officials for intelligence gathering, will be denied to all Russian officials.
“These actions follow repeated private and public warnings that we have issued to the Russian Government, and are a necessary and appropriate response to efforts to harm US interests in violation of established international norms of behavior. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicised.”
Obama’s retaliation plan was expected to be announced to the public today after increased pressure from Congress and the public. “All Americans should be alarmed by Russia’s actions,” Obama’s statement said. “These data theft and disclosure activities could only have been directed by the highest levels of the Russian government. Moreover, our diplomats have experienced an unacceptable level of harassment in Moscow by Russian security services and police over the last year. Such activities have consequences.”
President-elect Donald Trump, who takes office on January 20, has repeatedly denied accusations that Russia hacked the political organizations. It isn’t clear if he will be able to immediately overturn the sanctions announced today.
DHS and FBI release declassified information
Obama’s statement had promised that the “Department of Homeland Security and the Federal Bureau of Investigation would be releasing declassified technical information on Russian civilian and military intelligence service cyber activity”.
The DHS and FBI released this report titled “GRIZZLY STEPPE – Russian Malicious Cyber Activity,” which starts with an interesting disclaimer that says: “The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within”. Who then will be providing the public warranties of this information, we can’t say. For those interested, here are some of the interesting excerpts from the document (emphasis is ours):
The U.S. Government confirms that two different RIS [Russian civilian and military intelligence Services] actors participated in the intrusion into a U.S. political party. The first actor group, known as Advanced Persistent Threat (APT) 29, entered into the party’s systems in summer 2015, while the second, known as APT28, entered in spring 2016.
Both groups have historically targeted government organizations, think tanks, universities, and corporations around the world. APT29 has been observed crafting targeted spearphishing campaigns leveraging web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques. APT28 is known for leveraging domains that closely mimic those of targeted organizations and tricking potential victims into entering legitimate credentials. APT28 actors relied heavily on shortened URLs in their spearphishing email campaigns. Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets.
The document goes on to detail the mitigation steps that should be taken by network administrators. But today’s release raises more questions than it answers. First, if both the attacks referred to in the technical analysis happened in 2015 and early 2016, why couldn’t the Obama government release this analysis before the election? Second, and more importantly, the analysis doesn’t add to what the private security community (including CrowdStrike) has been saying for months, mentioning APT 28 and APT 29.
Along with this report, the department has also released a STIX file for technical details. The JAR package (Joint Analysis Report) also includes a list of secret code names used by Russian hackers, including “SEADADDY,” “HAMMERTOSS,” “Energetic Bear,” and several others ending with “duke” or “bear.”
While we haven’t been able to find anything that could concretely point to Russia, except for what was already known from the private security sector, it should be noted that this is not the comprehensive report, which Obama has yet to receive from the CIA before he leaves office.
Despite the political repercussions and Russia’s anger, it remains to be seen whether today’s sanctions – similar to the FBI’s evidence – carry any real meaning beyond just being symbolic.
[Updated, Dec 30]: Russian response to Obama’s sanctions
Russian President Vladimir Putin has released a statement today in response to new US sanctions and expulsions, saying that the country isn’t “going to downgrade to the level of irresponsible ‘kitchen’ diplomacy”.
Here’s the complete statement (translated):
New unfriendly steps of the US outgoing administration see as provocation aimed at further undermining the Russian-American relations. This is clearly contrary to the fundamental interests of both Russian and American peoples. With taking into account the special responsibility of Russia and the United States for the preservation of global security – inflicts damage and the whole complex of international relations.
According to the prevailing international practice, the Russian side there is every reason for an adequate response.
Reserving the right to retaliate, we will not stoop to the level of “kitchen” diplomacy and further steps towards the restoration of Russian-American relations will be built on the basis of the policy, which will carry out the administration of President D. Trump.
Returning to his homeland, Russian diplomats will spend the New Year holidays in the circle of relatives and friends – at home. We will not create problems for American diplomats. We will not send anyone. We will not prohibit their families and children to use for their usual vacation spots in the New Year’s holidays. Moreover, all children of American diplomats accredited in Russia, I invite you to New Year’s and Christmas tree in the Kremlin.
It is a pity that the President Obama administration completes its work this way, but, nevertheless, I congratulate him and his family a Happy New Year.
Congratulations to the elected President D.Trump, the American people!
I wish all welfare and prosperity!