On April 15, 2021, the Biden administration announced an expansion of existing sanctions against the Russian government, notably including the intelligence service and affiliated parties identified as being responsible for the SolarWinds cyber-attack and other “specified harmful foreign activities,” and signaled a potential willingness to impose additional measures relating to Information and Communications Technology and Services (“ICTS”) from Russia.
The new measures include a modest expansion of existing sanctions targeting the Russian government and its agents, diplomatic expulsions of Russian officials in Washington DC, and other related cyber and defense measures. In announcing these new actions, the US government made public significant details about how Russian intelligence agencies allegedly conduct cyber espionage and other harmful activities through front companies. Notably, the US government formally attributed the SolarWinds cyber-attack to the Russian Foreign Intelligence Service (“SVR”).
In addition to the relatively limited sanctions imposed on April 15, the White House also signaled potential further action through the use of expansive new authorities to restrict ordinary course procurement of ICTS from Russia under a new Commerce Department framework, discussed in our prior Legal Update, that has to date principally been focused on China.1
As practical matter, these measures are likely to have a limited impact in the immediate term for most companies but are significant because of the potential escalation and further expansion of current targeted sanctions between the two countries. US and non-US companies doing business with Russia should monitor these developments carefully and assess the potential impact on their operations as part of their risk mitigation and compliance measures.
We provide below an overview of the key sanctions and cyber-related actions against Russia announced by the Biden administration.
In recent years, the US government has targeted the Russian government and affiliated parties with sanctions pursuant to a number of executive orders, including related to Russian interference in US elections and the Russian occupation of the Crimea region of Ukraine.
On December 13, 2020, the US Cybersecurity and Infrastructure Security Agency (“CISA”) announced that certain SolarWinds products had been compromised by malicious actors and issued an emergency directive for federal civilian executive branch agencies to take mitigation measures to disconnect affected devices, including disconnecting from certain SolarWinds products.2 Although updates on the SolarWinds incident by the US government indicated that the attack was likely Russian in origin and that an estimated nine federal agencies and about 100 private sector companies were affected, these updates fell short of an official attribution of responsibility.3
On March 16, 2021, the Office of the Director of National Intelligence announced that it had declassified the report “Assessment of Foreign Threats to the 2020 U.S. Federal Elections,” which identified actions taken by the Russian government and its proxies to interfere in the 2020 US presidential election.4
Most recently, on April 15, the US government formally attributed “the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform” to the SVR. This intelligence assessment was made with “high confidence.”5 The US government’s extensive attribution, which named specific organizations and individuals who have worked with Russian intelligence services, was accompanied by a range of publicly announced diplomatic and economic measures. The National Security Agency (“NSA”), CISA, and the Federal Bureau of Investigation (“FBI”) jointly released a Cybersecurity Advisory, “Russian SVR Targets U.S. and Allied Networks,” highlighting recent SVR activities, including the SolarWinds breach and a WellMess malware attack on COVID-19 research facilities.6
CISA and the Department of Defense Cyber National Mission Force (“CNMF”) also published an analysis of SolarWinds-related malware variants and formally attributed these to the SVR.7
II. New Executive Order Targeting the “Harmful Foreign Activities” of the Russian Government
On April 15, President Biden signed Executive Order 14024, “Blocking Property with Respect to Specified Harmful Foreign Activities of the Government of the Russian Federation,” declaring a national emergency to deal with certain activities carried out by the Russian government. The order cites several examples of such activities, including Russian government efforts to undermine US and foreign elections, “malicious cyber-enabled activities,” employing “transnational corruption to influence foreign governments,” targeting dissidents and journalists abroad, and violating “well-established principles of international law, including respect for the territorial integrity of states.”8
Executive Order 14024 authorizes the imposition of sanctions against individuals or entities involved in or benefiting from a variety of activities harmful to US national security. Specifically, it authorizes the Secretary of Treasury and Secretary of State (acting in some cases in consultation with the Attorney General) to block the property and interests in property of any individual or entity determined to be:
- Operating in the “technology sector or the defense and related materiel sector of the Russian Federation economy” or any other economic sector identified by the Secretaries of Treasury and State;
- Responsible for, complicit in, or otherwise involved with specific harmful actions taken “for or on behalf of, or for the benefit of, directly or indirectly, the Government of the Russian Federation,” including, among others, election interference, cyber-attacks, “transnational corruption,” and assassinations of US citizens or nationals of US allies;
- A senior leader, official, or manager of the Russian government or an entity that has engaged in the activities targeted by the executive order or designated under the executive order;
- A political subdivision, agency, or instrumentality of the Russian government;
- A spouse or adult child of any individual blocked pursuant to the executive order;
- Providing material support for any activity targeted by the executive order or any person blocked pursuant to the executive order;
- An entity owned or controlled by, or to have acted on behalf of, directly or indirectly, the Russian government or any person blocked pursuant to the executive order;
- A Russian citizen, entity, or resident found to have assisted, sponsored, or provided support to any Office of Foreign Assets Control-sanctioned government; or
- A Russian citizen, entity, or resident found to have been directly or indirectly involved with disruption of gas or energy supplies to Europe, the Caucasus, or Asia.
Finally, Executive Order 14024 also suspends unrestricted entry into the United States of noncitizens found to be involved in harmful activities of the Russian government. The Secretary of Homeland Security or the Secretary of State may permit such entry if “the person’s entry would further important United States law enforcement objectives.” The executive order does not apply to transactions or official business by the federal government, the United Nations and related entities, and their personnel.
III. Sanctions Targeting the Russian Government and Intelligence Services and Affiliated Entities and Parties
Also on April 15, the US Department of Treasury’s Office of Foreign Assets Control (“OFAC”) announced new sanctions on Russian sovereign debt and sanctions designations under the authority granted in Executive Order 14024 and in existing executive orders pertaining to Russian election interference and the Russian occupation of Crimea.
In connection with the issuance of Executive Order 14024, OFAC detailed the role of Russian intelligence services—specifically, the Federal Security Service (“FSB”), Russia’s Main Intelligence Directorate (“GRU”), and SVR—in a number of malicious activities, including the SolarWinds cyber-attack, the August 2020 poisoning of Aleksey Navalny with a chemical weapon, trade secrets theft of “red team tools” from a US cyber security company, and other cyber intrusions and attacks. OFAC announced the following responsive actions:9
- Expansion of Existing Russian Sovereign Debt Sanctions. OFAC issued Directive 1 of Executive Order 14024 to expand existing restrictions on Russian sovereign debt that have been in place since August 2019. Under this directive, US financial institutions will be prohibited from participating in the primary market for ruble or non-ruble denominated bonds issued after June 14, 2021, by the Central Bank of the Russian Federation, the National Wealth Fund of the Russian Federation, or the Ministry of Finance of the Russian Federation. US financial institutions will further be prohibited from lending ruble or non-ruble denominated funds to these three Russian entities. This is a modest expansion of existing restrictions on transactions involving Russian sovereign debt, pursuant to which US financial institutions have already been prohibited from lending non-ruble denominated funds to the Russian sovereign.
In Frequently Asked Questions published on its website, OFAC issued two important clarifications related to the Directive 1 prohibitions. First, US financial institutions are not prohibited from participating in the secondary market for bonds issued by the Russian sovereign entities named in Directive 1. Second, OFAC is not applying its “50 Percent Rule” to Directive 1. This means that the prohibitions in Directive 1 apply to bonds issued by, or loans made, to the Central Bank of the Russian Federation, the National Wealth Fund of the Russian Federation, or the Ministry of Finance of the Russian Federation and do not extend to bonds of or loans to any entity that is owned, directly or indirectly, 50 percent or more by one or more of these three entities.
- Cyber Sanctions. OFAC designated six Russian technology companies that provide a range of support to Russian intelligence services’ cyber activities. The announcement included assessments of the roles these companies played in supporting Russian intelligence services; for example, Treasury noted that one company, Positive Technologies, “hosts large-scale conventions that are used as recruiting events for the FSB and GRU.”10
On the same day and in parallel with the above actions, OFAC announced additional sanctions designations under existing executive orders targeting Russia.
- Election Interference Sanctions. Responding to the Intelligence Community’s recently declassified report, “Assessment of Foreign Threats to the 2020 U.S. Federal Elections,” OFAC designated 32 entities and individuals who influenced or attempted to influence the 2020 US presidential election at the direction of the Russian Government, pursuant to a number of existing executive orders.11
- Crimea-Related Sanctions. In partnership with the governments of the European Union, United Kingdom, Canada, and Australia, OFAC announced sanctions designations of five individuals and three entities for their role in Russia’s occupation of Crimea and alleged human rights abuses, pursuant to Executive Orders 13660 and 13685.12
IV. Applying the Information and Communications Technology and Services Supply Chain Executive Order
According to the White House’s April 15 announcement, the US government is also considering further measures under Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain.”13 As noted in our previous Legal Update, Executive Order 13873 and its implementing rules authorize the US Department of Commerce (“Commerce”) to review (and potentially block or subject to restrictive mitigation requirements) transactions involving the ICTS supply chain, including both hardware and software, that have a nexus to certain designated “foreign adversaries,” including China and Russia, for purposes of protecting national security. The US government recently took its first actions under Executive Order 13873: Commerce announced that it served subpoenas on multiple Chinese companies in March 2021 and on another Chinese company on April 13, 2021, in order to undertake a review of transactions.14
The US government’s recent actions targeting the Russian government implicate a number of new entities and individuals but, more importantly, lay the groundwork for the imposition of further sanctions and other restrictions targeting Russian individuals and companies. Accordingly, all companies that have dealings with Russia or Russian entities should assess and monitor how these measures may impact their businesses and business partners.
1 See White House Fact Sheet, “FACT SHEET: Imposing Costs for Harmful Foreign Activities by the Russian Government,” https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government (Apr. 15, 2021) “White House Fact Sheet.”
2 See CISA Emergency Directive, “Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise,” https://cyber.dhs.gov/ed/21-01/#supplemental-guidance-v3 (Dec. 13, 2020).
3 See CISA Press Release, “Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Agency (CIA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA),” https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure (Jan. 5, 2021); White House, “Press Briefing by Press Secretary Jen Psaki and Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger,” https://www.whitehouse.gov/briefing-room/press-briefings/2021/02/17/press-briefing-by-press-secretary-jen-psaki-and-deputy-national-security-advisor-for-cyber-and-emerging-technology-anne-neuberger-february-17-2021 (Feb. 17, 2021); see also CISA Alert, “Alert (AA20-352A) Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations,” https://us-cert.cisa.gov/ncas/alerts/aa20-352a (Dec. 17 2020).
FBI Press Release, “Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI),” https://www.fbi.gov/news/pressrel/press-releases/joint-statement-by-the-federal-bureau-of-investigation-fbi-the-cybersecurity-and-infrastructure-security-agency-cisa-and-the-office-of-the-director-of-national-intelligence-odni (Dec. 16, 2020).
4 See Office of the Director of National Intelligence Press Release, “ODNI Releases Intelligence Community Assessment of Foreign Threats to the 2020 U.S. Elections,” https://www.dni.gov/index.php/newsroom/press-releases/press-releases-2021/item/2193-odni-releases-intelligence-community-assessment-of-foreign-threats-to-the-2020-u-s-elections (Mar. 16, 2021), with accompanying report.
6 FBI Press Release, Russian Foreign Intelligence Service Exploiting Five Publicly Known Vulnerabilities to Compromise U.S. and Allied Networks (Apr. 15, 2021), https://www.fbi.gov/news/pressrel/press-releases/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabilities-to-compromise-us-and-allied-networks; Cybersecurity Advisory, Russian SVR Targets U.S. and Allied Networks, https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF
7 CISA Current Activity, “CISA and CNMF Analysis of SolarWinds-related Malware,” https://us-cert.cisa.gov/ncas/current-activity/2021/04/15/cisa-and-cnmf-analysis-solarwinds-related-malware (Apr. 15, 2021).
8 Executive Order, “Executive Order on Blocking Property with Respect to Specified Harmful Foreign Activities of the Government of the Russian Federation,” https://www.whitehouse.gov/briefing-room/presidential-actions/2021/04/15/executive-order-on-blocking-property-with-respect-to-specified-harmful-foreign-activities-of-the-government-of-the-russian-federation (Apr. 15, 2021).
9 US Department of Treasury Press Release, “Treasury Sanctions Russia with Sweeping New Sanctions Authority,” https://home.treasury.gov/news/press-releases/jy0127 (Apr. 15, 2021).
11 US Department of Treasury Press Release, “Treasury Escalates Sanctions Against the Russian Government’s Attempts to Influence U.S. Elections,” https://home.treasury.gov/news/press-releases/jy0126 (Apr. 15, 2021).
12 US Department of Treasury Press Release, “Treasury Sanctions Russian Persons in the Crimea Region of Ukraine,” https://home.treasury.gov/news/press-releases/jy0125 (Apr. 15, 2021).
14 See US Department of Commerce Press Release, “U.S. Secretary of Commerce Gina Raimondo Statement on Actions Taken Under ICTS Supply Chain Executive Order,” https://www.commerce.gov/news/press-releases/2021/03/us-secretary-commerce-gina-raimondo-statement-actions-taken-under-icts (Mar. 17, 2021); US Department of Commerce Press Release, “U.S. Department of Commerce Statement on Actions Taken Under ICTS Supply Chain Executive Order,” https://www.commerce.gov/news/press-releases/2021/04/us-department-commerce-statement-actions-taken-under-icts-supply-chain (Apr. 13, 2021).