Senior national security officials held a briefing Thursday morning to update the media on the new sanctions against Russian entities. Some were speaking off the record and only on background so their names are not mentioned and quotes may not be exact.
National Security Spokesman Marc Raimondi started the briefing at about 10:05 a.m. EDT.
MR. RAIMONDI: Hey, thanks everybody for joining us this morning. Sorry we’re a couple minutes late. Today is a background call attributed to senior national security officials. Each speaker will talk for a couple minutes, then we’ll open it for Q and A. So we don’t have a lot of time for Q and A, so we’re going to ask that you just do one question, no follow-up. If you have a follow-up, just hit your button and get back in the queue again. All right.
SENIOR NATIONAL SECURITY OFFICIAL: Good morning, thanks for participating. I think my role here will be limited. I hope to allow you to ask questions to the senior administration officials gathered from DHS, FBI, and from the Department of Treasury.
Just a quick scene-setter here: Russia’s behavior or lack thereof on the world stage is continuing to trouble us and we are continuing to press back in meaningful ways.
Today we’re going to talk about a few of those ways, but by no means are we going to talk about all of them. And by no means will this constitute the end of our ongoing campaign to instruct Mr. Putin to change his behavior.
I think the key here for me, to set the stage, is to remind you that we, with international partners and industry, have continued our pattern of quick and accurate attribution of cyberattacks. And last week — or the week before, we attributed NotPetya for the destructive and — in fact, probably the largest, most destructive cyberattack in our history — to Russia and directly to the elements that Mr. Putin controls.
We are, today, going to announce some actions in response but not all of them. We’re also going to attribute, today, a different and separate attempt by the Russian government to get into our energy grid. We’ll talk more about that, but what we will do is allow DHS to educate the reporters on the call to their role, as DHS and the FBI have reached this conclusion, and they’re going to provide information that will allow network owners and operators to defend their critical infrastructure and their computers and data.
So that’s where we stand. There will be a few additional uses of authorities not previously used, and I’ll let my colleague talk about that. So that’s it for me here, and then we’ll take your questions as today evolves.
SENIOR NATIONAL SECURITY OFFICIAL: Thank you. So, today, the Department of Treasury’s Office of Foreign Assets Control, or OFAC, is designating 5 entities and 19 individuals under the Countering America’s Adversaries Through Sanctions Act, or CAATSA, as well as under Executive Order 13694, which is the executive order that deals with blocking the property of certain persons engaging in significant malicious cyber-enabled activity, and that executive order was also codified pursuant to CAATSA.
These sanctions target a wide range of Russia’s destabilizing activities, including interference in the 2016 U.S. election. We continue to be very focused, as my colleague said, on pressuring Russia for its continued efforts to destabilize Ukraine, occupy Crimea, meddle in elections, as well as for its endemic corruption in human rights abuses.
The recent use of a military-grade nerve agent in an attempt to murder two United Kingdom citizens further demonstrates the reckless and irresponsible conduct of its government. This, as we already mentioned, is part of our ongoing campaign to date.
This administration has had, before today, sanctioned 100 individuals and entities under our Ukraine- and Russia-related sanctions authorities, including a significant tranche on January 26th of 2018. These are in addition to our other efforts to hold Russia accountable for its actions, including our sanctioning of Russians targeted for activities related to the North Korea sanctions program, our Global Magnitsky program, and the Sergei Magnitsky Act.
Today’s sanctions also target other destructive cyberattacks, as already referenced, such as the NotPetya attack, which has been described as the most destructive and costly cyberattack in history. It resulted in billions of dollars in damage across Europe, Asia, the United States, and significantly disrupted global shipping trade and the production of medicines. Additionally, several hospitals in the U.S. were unable to create electronic records for more than a week as a result of that attack.
The NotPetya cyberattack, as my colleague mentioned, was attributed to the Russian military in February of this year in statements released both by the White House and the British government. And I would just add that, since at least March 2016, Russian government cyberattacks have also targeted U.S. government entities in multiple U.S. critical infrastructure sectors. And I’ll look to DHS and the FBI to speak about that in more detail.
Just to go into a few of the details, which are in the press release related to these particular designations in the Russia cyber tranche, we are targeting three entities and 13 individuals, which include the Internet Research Agency, which tampered with or altered information in order to interfere with the 2016 U.S. election.
This organization created and managed a vast number of fake online personas that posed as legitimate U.S. persons, to include grassroots organizations, interest groups, and a state political party on social media. The IRA posted thousands of ads that reached millions of people online, and organized and coordinated political rallies during the run up to the 2016 election, all the while hiding its Russian identity. It also stole and utilized personally identifiable information from U.S. persons to open financial accounts to help fund its operation.
We’re also designating 12 individuals who worked in various capacities for the IRA, for acting for, on behalf, and providing material and technological support to the IRA. These include individuals who worked on the Translator Project, which conducted operations on multiple social media platforms and targeted the U.S. election. Many of these individuals posed as U.S. persons or organized — or grassroots organizations and posted, monitored, and updated social media content for the IRA.
I would note, of course, that one individual, Yevgeniy Prigozhin, and two entities — Concord Management and Consulting, and Concord Catering, which we are designating today — were previously designated by OFAC in December 2016 and in June of 2017, so we are designating them again today. They had already been designated in the past.
These 16 malicious cyber-actors are subject — are also subject of the Department of Justice indictment that was announced in February of 2018. As a result of today’s designations, all property and interests in property of these persons subject to U.S. jurisdiction are blocked, and all U.S. persons are generally prohibited from engaging in transactions with them.
Going to the next set of designations under CAATSA, we are designating two entities and six individuals pursuant to section 224 of CAATSA which targets malign cyber actors acting on behalf of the Russian government. This includes the Federal Security Service, also known as FSB, a Russian intelligence organization that has utilized its cyber tools to target Russian journalists and politicians critical of the Russian government; Russian citizens and government officials; and U.S. government officials, including cyber security, diplomatic, military, and other personnel.
In 2017, as you may know, two FSB officers were also indicted for the 2014 hacking of the assets that compromised millions of Yahoo accounts. We’re similarly designating, under section 224 of CAATSA, the main intelligence directorate — or the GRU, a Russian intelligence organization that was directly involved in interfering in the 2016 election through cyber-enabled activities. The Russian military, of which the GRU is a part, was also directly responsible for the NotPetya cyberattack in 2017.
And we are adding six individuals associated with the GRU to our CAATSA sanctions list, both as FSB and the GRU were previously sanctioned under another executive order, 13694, but they are now also designated under CAATSA. Of the six individuals designated today associated with those two organizations, four were previously sanctioned, but two — Sergei Afanasyev and Grigoriy Molchanov — are being designated for the first time.
Just, before I turn it over, I just want to make it clear, without getting into details, this is just one of a series of ongoing actions that we’re taking to counter Russian aggression. As Secretary Mnuchin has made clear a number of times, we’re using all available information to inform future actions, there will be more to come, and we’re going to continue to employ our resources to combat malicious Russian activity and respond to nefarious attacks.
SENIOR NATIONAL SECURITY OFFICIAL: All right. Cybersecurity is a shared responsibility, and we all play a part in keeping this Internet safe. We greatly appreciate the actions that Treasury has taken today which will continue to raise the cost for malicious actors in cyberspace.
The Department of Homeland Security, my organization, is focused on this every hour, every day, in collaboration with our partners at Treasury, FBI, and the Department of Justice, and others throughout the government.
At DHS, we have key responsibilities including administrating the information security of the federal enterprise; responding to incidents and analyzing data about emerging cyber threats; collaborating with foreign governments and international entities to enhance the nation’s cybersecurity posture; developing timely and actionable information for distribution to network defenders across federal agencies, state, local, tribal, and territorial organizations, critical infrastructure owners and operators, private industry, and international organizations.
As an example of our work in this area, in Fiscal Year 2018, the National Cybersecurity and Communications Integration Center, or the NCCIC, within my organization, produced and distributed more than 17,000 cybersecurity products, including information about current cybersecurity issues, vulnerabilities, and exploits.
Technical alerts, in particular, provide users with information about vulnerabilities, incidents, and trends that pose a significant risk, as well as mitigations to minimize loss of information and destruction of services. These alerts contain technical details on the tactics, techniques, and procedures used by an advanced persistent threat actor to compromise victims in various sectors.
A joint technical alert is a collaborative effort between DHS and the FBI and others in the government and trusted partners within industry to collectively identify distinct indicators and behaviors related to a cyber-threat.
This specific joint technical alert is a result of DHS and FBI analysis of malware and observed indicators of compromise. DHS and FBI produce this alert to educate network defenders to enhance their ability to identify and reduce exposure to malicious activity.
This is also an update to a previously issued alert about targeting an advanced persistent threat actor targeting energy and other sectors.
Based on forensic analysis, DHS assesses the threat actor sought information on network and organizational design and control system capabilities within the organization. The key elements of this alert are, first, that the cyber actors are using a multistage attack campaign with staging and intended targets involved, and the campaign is long term and still ongoing.
Second, after obtaining access, these actors conducted network reconnaissance, moved laterally, and collected information pertaining to industrial control systems — the systems that run our factories and our grid.
Cyber actors are using techniques such as spear-phishing emails, watering hole domains, host-based exploitation, and more. We encourage network users and administrators to review network perimeter net flow, as this will help determine whether a network has experienced suspicious activity.
DHS and the FBI encourage recipients who identify the use of tools or techniques discussed in this document to report information to DHS or law enforcement immediately. To request incident response resources or technical assistance, they can contact the NCCIC at [email protected] or your local FBI field office.
Now I’d like to turn it over to my colleague for additional information regarding the alert.
SENIOR NATIONAL SECURITY OFFICIAL: Hey, good morning. I would just like to make a few comments.
First, I’d like to state the FBI appreciates the Treasury Department taking action today to bring renewed attention to the problem of Russian influence operations against the U.S., and impose consequences on some of those responsible.
Propaganda, disinformation lose their effect if the American people are aware of the foreign actors attempting to manipulate them. And by shining a light on the covert foreign sponsorship of these activities, they become less likely to achieve their objectives.
I’d also like to thank DHS for their partnership in combatting the cyber threat. The FBI has a different but complementary role to that of DHS. Our mission is to gather intelligence, investigate crimes, and prevent further victimization by hunting and neutralizing the threat, and then support imposing costs of the actors. By doing so, we are in a great position to observe threat actors, learn of their plans, intentions, and identify new victims and protect the U.S. citizens and interests.
For instance, we notified over 4,000 targets of cyber threats last year alone — typically in person, by members of our 56 cyber taskforces across the continental United States. It’s not an exaggeration to say that there are cyber special agents often just around the corner. And making these notifications helps develop relationships and advances our investigations. It also gives victims and others critical information needed to fix and, hopefully, prevent the problem.
By combining our efforts, together, we support the nation’s cybersecurity through alerts such as the one being announced today. On the alert, it contains the judgment of the FBI, DHS, and the intelligence community that Russian government cyber actors are behind the targeting of the organizations in the energy sector.
Cyber threat actors have deliberately chosen the organizations, and they targeted them rather than pursuing them as targets of opportunity. The FBI has worked with DHS to respond in a robust and coordinated way to these threats. The efforts to respond to threat represent one of the largest government responses to the cyber threat that we’ve seen to date.
Coming back to a couple of the statements made by my colleague, we do encourage network users — and we emphasize it’s a review of the perimeter net flow — and that will help determine whether or not a network has experienced suspicious activity. And whether or not your organization has observed suspicious activity highlighted in the alert, we strongly encourage you to establish a relationship with the cyber personnel in your local field office or DHS.
Early evidence of unauthorized access can advance our investigations and help us pursue the threat actors. Information that you’re willing to share with the FBI and DHS, in combination with what was shared by others, can be used to protect the entire sector.
One thing, I think, we would all agree is to encourage strong authentication methods, such as two-factor authorization.
Cyber attribution is a complex — and it takes time and information to achieve a level of confidence to publicly report or impose costs. This is one of many efforts going — ongoing against the cyber threat actors. And we need public participation in system security and information sharing to be most effective.
Q Hi, thank you for doing this call. Can you tell us a little bit more; you said that this attempted attack on the energy sector is ongoing. Does that mean that the Russians are still in our network or our grid? Or have they been kicked out of that? When you say that — you know, intelligence and cyber actors, I just want to be clear: we’re accusing that the Russian government, in particular, of this attack on the energy sector? And when did the U.S. discover it? Thank you.
SENIOR NATIONAL SECURITY OFFICIAL: For those victims and targets that we’re able to identify based off of government information and sharing with the energy sector, we were able to identify where they were located within those business systems and remove them from those systems.
Part of the importance of sharing this information is that we can identify, potentially, other victims. The benefits of information sharing is, when we run information from intelligence or law enforcement activity that the government has access to, we publish that information as widely as possible, and oftentimes we will identify additional victims and learn more about the (inaudible) — we can say, to the extent that we are aware of, that we were able to assist those victims and ensure that the Russians failed in their attempt to gain further access into critical systems.
Q Thank you very much for the call. I just wanted to clarify, if this is correct, that you’re blocking assets of the Russian intelligence services in the U.S. specifically because of election meddling. And then, secondarily, what kind of assets do the Russian intelligence services actually have in the United States?
SENIOR NATIONAL SECURITY OFFICIAL: So, again, we had previously designated these two individuals — two entities. We’re now designating them under CAATSA. And as a result of these designations and our prior designations, all assets are locked, and all dealings with them are also prohibited. And that’s all we’re going to get into.
SENIOR NATIONAL SECURITY OFFICIAL: So there’s a series of new blocked officials and organizations that you’ll see in the press release details that are rolled out. So to answer that question really directly here, we are adding additional sanctioned entities — the Internet Research Agency, among others, are additional, and there will be, most likely, (inaudible).
But keep in mind that the national emergency declared for cyber activities that President Trump extended was applied to some of the organizations associated with election meddling. But today, there’s a significant expansion of the use of not only that executive order, but also of the new statute, CAATSA.
And so this is the first use of CAATSA. It’s being used for a long list of entities for a series of bad reasons or bad purposes to punish bad behavior. And then, separately, there’s an addition of a few different entities used on the extended executive order.
So to make sure I’m clear on that, please note that there’s two entities and six individuals being sanctioned. Not all of them were under the executive order coming into this codification.
SENIOR NATIONAL SECURITY OFFICIAL: That’s right. We had previously designated the FSB and GRU, but there are a number of — the entire first list of entities and individuals that I described are new, other than Prigozhin and Concord Management and Consulting and Concord Catering, which we had previously designated under our Russia-Ukraine executive order.
Q Hi, thank you for doing the call. It was just said that election meddling is less effective if people are aware of it. Does the President, then, have any plans in speaking out directly to the American people about Russian election meddling anytime soon?
SENIOR NATIONAL SECURITY OFFICIAL: No, I’m not in any way qualified to answer that question, but thanks for putting it to me. But when the President speaks, and how we coordinate it and time it, I’ll leave to his communications team.
From the policy perspective — or maybe I would kind of clarify here a few things. Although this is a series of actions, and we’re going to continue those actions to increase pressure on Russia until they change their behavior and become responsible members of the international community, I think maybe there’s two teaching opportunities here. And the first has to do with our view of NotPetya. And so Russia’s ongoing military aggression in and against the Ukraine is unacceptable. You know that’s been the administration’s position.
The additional component here, from a policy perspective, is that the United States thinks any malware that propagates recklessly without bounds violates every standard and expectation of proportionality and discrimination. Truly responsible nations don’t behave this way.
And so, independent of the underlying reasons for the use of this cyber tool — in this case, their behavior in the Ukraine — we have an additional expectation that tools such as NotPetya not be used in a reckless fashion causing $10 billion and more of damage across the globe, not only in Europe, but in the United States.
So the idea here is that we’ve made clear the rule; we’ve started to make clear the penalty associated with that rule; and that, separately, and maybe misunderstood in this whole election fervor that is both legitimate but also conflated, there is an additional cyber announcement today that allows us to teach the important role that the FBI and DHS play.
And what DHS is doing, and what the FBI is doing is sharing information — we’re calling it “technical signatures” — to help every owner and operator of a computer protect themselves. So the idea is, the federal government can’t protect every computer, every system, every network in the country, in the world. There is no such thing as a collectivized central defense in a decentralized network like the Internet.
So what we do here is apply multiple departments and multiple agencies. DHS is very good at this. So to the earlier questions, and to this one on the table about election meddling, please try to — in your writing and in your thinking of this — separate influence campaigns from cyber hackings. And then, separate both of those from fraud or attempts to fraud our election system. Those are all three different buckets of activity that we look at very carefully.
And then remember, too, that, in addition to helping voters and operators of critical infrastructure and computer networks defend themselves, we believe that sharing this information in this joint report that you’ll see from DHS and the FBI — we enable a lot of our cyber experts in private sector to go out and do things that can help maybe push back against the Russian malign behavior.
MR. RAIMONDI: Okay, thank you. Operator, we have time for one more question. Anybody that did not get their questions answered can send me an email and I will attempt to get you a written response. That email [email protected] — sorry it’s so long. Operator, last question, please.
Q Hey, guys, good morning. Thanks for doing the call. Could you tell us why these actions took so long? As you mentioned, some of these entities were sanctioned last year right after the election, and the sanctions that were passed by Congress were passed several months ago.
And then, separately, you said there will be continued actions in the future. Is the Treasury Secretary still sticking by his line that he will not sanction the Russian debt? He said that in February. Thank you.
SENIOR NATIONAL SECURITY OFFICIAL: So, again, as the Secretary has made clear a number of times, we are very focused on dealing with Russian aggression and we are going to continue to use our authority to designate, whether it’s under executive order or CAATSA.
I’m not sure what you mean by why it has taken so long. In fact, in January of this year, we had a very significant tranche of designations, and we did the same last summer. That’s in addition to the very substantial report that we produced under CAATSA to Congress, as well as other actions that we have taken in the last six months — again, implementing CAATSA.
That is, of course, on top of the well over 1,000 designations that we’ve issued since the beginning of this administration in a wide range of programs, Russia being among the most significant. Of course, as you know, we’ve also taken a number of actions related to North Korea, related to Iran, related to serious human rights abuses and corruption, related to counterterrorism, ISIS, Hezbollah — among others.
So we are working at a very rapid pace at the Treasury Department to utilize all the authorities that we have, whether it’s under CAATSA or under our very extensive executive orders that — you know, of course, Venezuela is another very heavy focus for us. So there’s nothing that’s taking us long; we are ready to act when we have the available information and evidence to do so. And as you have seen over the last year, we’re going to continue to deploy our authorities at a rapid pace.