2017 Begins with Additional U.S. Sanctions on Russia for Malicious Cyber-Related Activities

By Melissa Miller Proctor

U.S. companies doing business in Russia are urged to review the new cyber-related sanctions that were imposed on Russia at the end of December, as they may impact existing business relationships with certain Russian individuals and entities. The new sanctions, enacted under Executive Order 13964, impact certain Russian government agencies, companies and individuals as a result of Russia’s cyber activities that were intended to influence the U.S. presidential election. Note that Executive Order 13964 was originally issued back in April 2015 and authorized the imposition of sanctions for cyber-enabled malicious activities that:

  • Harm or compromise the provision of services by entities in a critical infrastructure sector;
  • Disrupt the availability of a computer or network of computers; or
  • Cause a misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain.

On December 29th, President Obama expanded the scope of Executive Order 13964 to authorize sanctions on persons who tamper with, alter, or cause a misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions. The following Russian intelligence services, individual intelligence officers and Russian companies that provided material support to the government’s cyber operations are subject to the new sanctions:

  • Russia’s Main Intelligence Directorate (Glavnoe Razvedyvatel’noe Upravlenie or “GRU”);
  • Russia’s Federal Security Service (Federalnaya Sluzhba Bezopasnosti or “FSB”);
  • Special Technology Center (STLC, Ltd. Special Technology Center St. Petersburg);
  • Zorsecurity (Esage Lab);
  • Autonomous Noncommercial Organization Professional Association of Designers of Data Processing Systems (ANO PO KSI);
  • Igor Valentinovich Korobov, Chief of the GRU;
  • Sergey Aleksandrovich Gizunov, Deputy Chief of the GRU;
  • Igor Olegovich Kostyukov, First Deputy Chief of the GRU;
  • Vladimir Stepanovich Alexseyev, First Deputy Chief of the GRU;
  • Evgeniy Bogachev; and,
  • Aleksey Belan. 

The above-listed individuals and entities were added to the Specially Designated Nationals (SDN) List published by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC). U.S. persons are prohibited from dealing with Specially Designated Nationals (SDNs), or any company that is owned or controlled by listed SDNs, without prior authorization from OFAC. In addition, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) added the GRU, FSB, Special Technology Center, Zorsecurity and ANO PO KSI to the Entity List. U.S. persons are prohibited from exporting or reexporting goods, software and technology (or engaging in in-country transfers of items) that are subject to the Export Administration Regulations (EAR) to individuals or entities designated on the Entity List without prior authorization from the BIS—this prohibition also applies where these entities are involved in export or reexport transactions as purchasers or intermediate consignees (not just ultimate consignees or end-users). 

In response to the reported harassment of U.S. diplomatic personnel in Russia by Russian security and police agencies, the U.S. State Department ordered 35 Russian government officials from the Russian Embassy in Washington and the Russian Consulate in San Francisco, as well as their families, to leave the United States. The State Department also denied Russian access to two Russian government-owned recreational compounds in Maryland and New York.

In view of these new sanctions, U.S. companies are urged to confirm that their automated restricted parties list screening software applications are up to date so that potential dealings with these new individuals and entities are effectively blocked. U.S. companies should also consider taking steps to assess their own cyber-security risks and the effectiveness of their cyber intrusion prevention policies, procedures and mechanisms to protect themselves from attack.