On Thursday afternoon, President Obama decided to give a bunch of Russian citizens the boot, kicking out 35 diplomatic workers from two compounds in New York City and Maryland that the government suspects were being used as headquarters for a network of Russian Intelligence Services. Russian Intelligence Services, or RIS, is a pretty vague descriptor and encompasses a bunch of acronym’d agencies like the FSB and GRU, as well as alleged hacking services with nicknames like “Fancy Bear” and SEADADDY. While the sanctions are one of the strongest foreign policy moves Obama has made against Russian interests, they don’t do much to disrupt the workflow of the actual people who broke into U.S. systems over the past few years.
Obama’s sanctions were, for the most part, a retaliation for Russia’s alleged participation in a widespread hacking and disinformation campaign during the 2016 election. The official sanctions called out the FSB, Russia’s main security agency, and the GRU, its official military intelligence agency. The FSB and GRU are the Russian analogs to the NSA/FBI and CIA, roughly — the GRU is affiliated with Russia’s armed forces and operates internationally, while the FSB is a civilian agency that operates mostly internally. The 35 Russians who were kicked out of the country could have been employees of either intelligence service, or neither, but were deemed suspicious enough for the Obama administration to make an example of them. Additionally, the sanctions named six high-level Russian intelligence officials specifically. The two compounds that were shut down had been legally purchased by the Russian government as “recreational facilities,” but Obama is now essentially saying that U.S. intelligence figured out they were being used for surveillance all along.
The other big announcement on Thursday afternoon is where things start to get confusing. The FBI and Department of Homeland Security released a joint analysis report detailing the links between a long list of shadowy hacking groups they believe are directly connected to Russian intelligence. The report was nicknamed GRIZZLY STEPPE, which is fitting, as many of the groups it accuses of being Russian intelligence have colorful nicknames as well (the most famous entity is known as “Fancy Bear”). The report is a step toward confirmation that Russia was involved in the DNC hacks, but it’s still worth noting that much of the evidence the government has released connecting groups like Fancy Bear to the Russian state is still circumstantial — it’s good enough for common sense (yeah, it was probably Russia), but not good enough for the government to use it to make major foreign policy decisions without some transparency.
GRIZZLY STEPPE attempts to give more proof and context around the spear-phishing cyberattacks that infiltrated the email accounts of top Democratic officials. The centerpiece of the document is a long list of jargon-y codenames and pseudonyms that refer to various pieces of the cybersecurity puzzle. It’s confusing, because most of the codenames, like APT 28 and Fancy Bear, refer to essentially the same entity or actor with a plausible connection to the Russian Intelligence Services. But other entries on the list, like “Powershell backdoor” and “X-Agent,” are the names of specific malware programs, not actors, according to cybersecurity expert Robert Lee.
As Lee says, this makes the whole thing confusing. But here’s how it generally works: a group like APT 28, AKA “Fancy Bear,” is an ostensibly third-party group that conducts cyberattacks that just so happen to directly benefit Russian intelligence interests, like the DNC email hacks. Most recently, Fancy Bear was linked to the massive cyberattack on the Organization for Security and Co-operation in Europe (OSCE), the international organization that monitors the conflict in Eastern Ukraine for war crimes. Again, Fancy Bear’s targets are only circumstantial evidence for a link to the Russian government, but U.S. intelligence officials are pretty damn sure that the two are directly related, even if the hard proof is still classified.
The GRIZZLY STEPPE report, which you can read here, contains an extensive technical breakdown of APT 28’s and APT 29’s tactics. But experts like Lee say the information, while extensive, is presented in a confusing format and still doesn’t provide the hard proof of Russian involvement it promises.
It also doesn’t really affect the actual hackers. Fancy Bear and other groups are likely based in Russia (much of the work on the DNC hacks took place on computers with Russian IP addresses during normal business hours in Moscow), and the deportation of 35 Russian spies probably isn’t going to change much. Obama has publicly promised that further sanctions are coming, and the FBI and DHS have another report planned to further prove the connection. Russia, by way of its embassy in the UK, responded with a meme.
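The “normal business hours in Moscow” observation above is a standard attribution heuristic: convert the timestamps of an intrusion’s activity (malware compile times, C2 check-ins, document edits) into a candidate time zone and see how well they cluster into a working day. The script below is an added illustration, not code from the article or from the GRIZZLY STEPPE report; the event timestamps are constructed, and the fixed UTC+3 offset for Moscow and the UTC-4 offset for the U.S. East Coast in April are assumptions stated in the comments.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: Moscow has kept a fixed UTC+3 with no daylight saving since 2014,
# so a fixed offset is enough here. Swap in zoneinfo.ZoneInfo("Europe/Moscow")
# if you need historically correct offsets for older data.
MOSCOW = timezone(timedelta(hours=3), name="MSK")

# Candidate zones to compare. The Eastern offset is assumed for April (EDT).
CANDIDATE_ZONES = {
    "MSK (UTC+3)": MOSCOW,
    "UTC": timezone.utc,
    "US Eastern (UTC-4, April)": timezone(timedelta(hours=-4), name="EDT"),
}

# Constructed sample timeline of UTC timestamps, as an analyst might extract
# them from compile headers or proxy logs. Not real data from any incident.
SAMPLE_EVENTS_UTC = [
    "2016-04-11T06:12:00Z",  # Mon 09:12 MSK
    "2016-04-11T08:45:00Z",  # Mon 11:45 MSK
    "2016-04-11T12:30:00Z",  # Mon 15:30 MSK
    "2016-04-12T07:02:00Z",  # Tue 10:02 MSK
    "2016-04-12T14:55:00Z",  # Tue 17:55 MSK
    "2016-04-13T05:40:00Z",  # Wed 08:40 MSK (before the working day)
    "2016-04-13T11:20:00Z",  # Wed 14:20 MSK
    "2016-04-14T09:10:00Z",  # Thu 12:10 MSK
    "2016-04-15T13:05:00Z",  # Fri 16:05 MSK
    "2016-04-16T10:00:00Z",  # Sat 13:00 MSK (weekend)
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hour_histogram(events_utc, tz):
    """Count events per local hour of day once shifted into the candidate zone."""
    counts = Counter(parse_utc(ts).astimezone(tz).hour for ts in events_utc)
    return dict(sorted(counts.items()))


def business_hours_fraction(events_utc, tz, start_hour=9, end_hour=18,
                            weekdays_only=True):
    """Fraction of events that fall on a weekday within [start_hour, end_hour)
    when viewed in the candidate zone. Returns 0.0 for an empty timeline so the
    caller never divides by zero."""
    if not events_utc:
        return 0.0
    hits = 0
    for ts in events_utc:
        local = parse_utc(ts).astimezone(tz)
        in_hours = start_hour <= local.hour < end_hour
        in_week = (local.weekday() < 5) or not weekdays_only
        if in_hours and in_week:
            hits += 1
    return hits / len(events_utc)


def rank_timezones(events_utc, candidates):
    """Rank candidate zones by how well the timeline fits a working day in each.
    One clear winner is a weak supporting signal; a flat ranking means the
    timing tells you nothing about where the operators sit."""
    scored = [(name, business_hours_fraction(events_utc, tz))
              for name, tz in candidates.items()]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_timezones(SAMPLE_EVENTS_UTC, CANDIDATE_ZONES):
        print(f"{name:28s} business-hours fit = {score:.0%}")
    print("MSK hour histogram:", local_hour_histogram(SAMPLE_EVENTS_UTC, MOSCOW))
```

On the constructed sample, 80% of the events land inside a Moscow working week versus 50% for UTC and 20% for the U.S. East Coast. That is exactly the kind of circumstantial signal the article describes: it is consistent with operators on Moscow time, but an operator who works odd hours, or who deliberately schedules activity, produces the same histogram from anywhere, which is why timing is corroboration for other evidence rather than proof on its own.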
What a time to be alive (for now).