Privacy Tip #219 – FBI Considers FaceApp a Counterintelligence Threat

For those of you who have downloaded the face editing app FaceApp, please note that the Federal Bureau of Investigation (FBI) has classified FaceApp as a counterintelligence threat because of its Russian origins.

According to the FBI, “[T]he FBI considers any mobile application or similar product developed in Russia, such as FaceApp, to be a potential counterintelligence threat, based on the data the product collects, its privacy and terms of use policies, and the legal mechanisms available to the Government of Russia that permit access to data within Russia’s borders.”

When the FBI considers an app a security threat to the U.S., we all should. Downloading apps, in general, is risky, but downloading apps based in foreign countries that are trying to obtain information about U.S. citizens – and in fact are obtaining information from unwitting U.S. citizens – is potentially putting us in danger.

Now is the time to perform app hygiene. Check the apps on your phone to determine whether you are using them or not. If you aren’t using them, delete them. There is no reason to continue to allow them to collect your information if you are not using them and getting a benefit from them. If you are using them and can’t live without them, do some due diligence to determine the background of the app, read the Privacy Policy and Terms of Use to know what they are collecting and using about you, and delete the app if your gut tells you something’s not right. If you have downloaded FaceApp, that would be the first one to delete.


Copyright © 2019 Robinson & Cole LLP. All rights reserved.

A Week of Surreal Headlines: A Charging Bull Smashed by Man Wielding Banjo, A Stolen 18-Karat Gold Toilet, and a $20 Million Consignment Decided by a Game of Rock, Paper, Scissors

UNITED STATES

Mercedes-Benz Suit Against Street Artists Allowed to Proceed

Mercedes-Benz brought a declaratory judgment action against four street artists who saw their work prominently displayed on social media as background for the automaker’s G-Class track ads. Mercedes is seeking a declaration that its use of the artworks was not a copyright infringement as it was either fair use or because the claim is precluded by the Architectural Works Copyright Protection Act (1990).

After a hearing last week, a Detroit court denied the artists’ motions to dismiss Mercedes’s claims. The artists contended, among other things, that Mercedes’s claim was not ripe as the artists have not yet registered their copyrights. Distinguishing the U.S. Supreme Court’s recent decision in Fourth Estate v. Wall-Street.com, this court concluded that copyright registration is not a prerequisite for an action seeking a declaration of non-infringement.

Los Angeles Police Department Seeks to Reunite Recently Discovered Artworks with Their Owners

The LAPD has uncovered a trove of more than 100 antiques and artworks that have been missing since a spree of thefts in 1993, including works by Pablo Picasso and Joan Miró. Two individuals involved in the thefts were captured in 1993, but it was not until this summer that an auctioneer’s tip led to the discoveries.

Charging Bull, a Symbol of Wall Street Power, Damaged by a Man with a Banjo

A man armed with a metal banjo bashed the famous Charging Bull on Wall Street, leaving it with a six-inch gash and several scratches. The attacker, who was arraigned and released without bail, gave no motive for his actions. He is due back in court on October 16. The artwork was installed in December 1989 by sculptor Arturo Di Modica, intended as a symbol of optimism after the Black Monday stock market crash in 1987.

EUROPE

Works of Art from the Collection of Nazi Collaborator Hildebrand Gurlitt to Be Exhibited in Israeli Museum

Artworks amassed by Hildebrand Gurlitt, noted Nazi collaborator, will go on view for the first time at the Israel Museum later this month. The collection includes works by Pierre-Auguste Renoir, Édouard Manet, Otto Dix and Max Ernst, among others. The show will include works declared “degenerate” by the Nazis and acquired by Gurlitt during the war, as well as works that have no red flags that might indicate ties to the Nazis. The exhibition, called “Fateful Choices: Art from the Gurlitt Trove,” reveals the historical circumstances behind the fate of art during the Third Reich and is intended to generate discussion about art and ethics.

Extreme Weather Leads to the Reemergence of a “Spanish Stonehenge”

This summer, an extreme drought in the Extremadura area of Spain has revealed the “Dolmen de Guadalperal,” a series of megalithic stones that were previously submerged. The Dolmen are 7,000 years old and are located in the Valdecañas Reservoir. They were last seen in 1963. A local group is working to move the Dolmen before they submerge again.

Police on the Hunt for Maurizio Cattelan’s 18-Carat Gold Toilet

Maurizio Cattelan’s America (2016), a fully functioning 18-carat gold toilet, was stolen from an exhibition at Blenheim Palace in Oxfordshire, UK. Blenheim Palace is the 18th Century home and ancestral seat of the Duke of Marlborough. The burglars caused significant damage and flooding while removing the toilet.

Gagosian Gallery Adds Estate of Simon Hantaï to Its Roster

Gagosian Gallery added the estate of postwar abstractionist Simon Hantaï. Gagosian will host its first Hantaï show in October at its gallery in France. Hantaï, who is well known for his surrealist and abstract expressionist works, died in 2008. He is beloved in France and represented the country at the Venice Biennale in 1982.

Arrests Made in Connection with a String of Forgeries of High-Profile Old Master Paintings

An arrest was made and an additional warrant issued in connection with a high-profile string of suspected forgeries of Old Master paintings uncovered in 2016. The scandal has involved such institutions as the Louvre, London’s National Gallery and the Metropolitan Museum. The forgery ring may have been involved in as much as $255 million in sales of fake Old Masters.

Banksy Gallerist Calls It Quits

Steve Lazarides, who started out as the driver, photographer and later dealer for street artist Banksy, is leaving gallery life. Lazarides said that he entered the art world to “promote a subculture that was being overlooked, and that’s gone now.” His first project post-gallery life is to sort through the 12,000 photographs he took over 11 years with Banksy and publish a book titled Banksy Captured.

ASIA

Art Recovery International Calls for the Return of a Painting They Allege Was Stolen from a UK Residence in 1984

Art Recovery International seeks intervention from the International Council of Museums (ICOM) in the return of a painting, The Portrait of Miss Mathew, later Lady Elizabeth Mathew, sitting with her dog before a landscape, which was allegedly stolen from the home of Sir Henry and Lady Price in East Sussex in 1984. The painting is currently located at Tokyo’s Fuji Art Museum, an ICOM member. The museum is contesting the claim.

The Pushkin State Museum of Fine Arts Will Soon Take Over Russia’s National Centre for Contemporary Arts

Russia’s National Centre for Contemporary Arts (NCCA), which consists of nine branches, has begun merging with the Pushkin State Museum of Fine Arts in Moscow as part of Pushkin’s ambition to open a “Pushkin Modern.” Vladimir Medinsky, Russia’s minister of culture, announced the merger in July, saying that NCCA staff had requested the merger after a series of ideological and financial scandals.

How a $20 Million Consignment Was Decided by a Game of Rock, Paper, Scissors

In the spring of 2005, a Japanese electronics giant decided to auction off works from its art collection worth about $20 million. The collection included works by Paul Cézanne, Camille Picasso, Vincent Van Gogh, Paul Gauguin and others. Unable to choose whether to consign with Sotheby’s or Christie’s, the company president decided that representatives from each company would meet at the Tokyo office and compete in a game of rock, paper, scissors. Christie’s chose scissors and Sotheby’s chose paper, and we all know scissors cut paper.


© 2019 Wilson Elser

International Sanctions and the Energy Sector – Part 2: Russia

In the second part of this series we explore the EU and the US sanctions that have been imposed against the Russian energy sector.

RUSSIA

Background
The sanctions regimes against Russia were imposed in response to actual or alleged actions by the Russian government.  These included the annexation of Crimea and the destabilisation of Ukraine in 2014, plus the alleged malicious cyber activities aimed at interfering with or undermining the 2016 US presidential election.

They initially targeted a number of individuals and companies alleged to be involved in these actions or those close to the Russian government.  However, they have since been expanded to include sanctions prohibiting activity in certain sectors of Russia’s economy (in particular its energy industry) and have also targeted a number of the so-called ‘Oligarchs’ and the companies in their control.

More recently, sanctions have been imposed in the wake of the Novichok nerve agent attack in Salisbury, UK.

This article concentrates on the sanctions directly targeting the Russian energy sector.

The EU Sectoral Sanctions
The EU sanctions targeting the Russian energy sector are primarily contained in Council Regulation (EU) No 833/2014 (as amended) (the “EU Regulation”).  They seek to inhibit oil exploration and production projects in Russia:

  1. in waters deeper than 150 meters;
  2. in the offshore area north of the Arctic Circle; or
  3. which exploit shale formations by way of hydraulic fracturing.

(the “Targeted Projects”)

The sanctions operate in two key ways.  First, by preventing the sale, supply, transfer or export of the items listed in Annex II of the EU Regulation (which includes a number of items that can be used in the exploration or production of oil, for example, drill pipe and casing) by EU persons or from the EU for use in the Targeted Projects.1  Second, by prohibiting the direct or indirect provision of associated services necessary for the Targeted Projects, including: drilling, well testing, logging and completion services; and supply of specialised floating vessels.2

The EU Regulation also prohibits:

  1. certain dealings, directly or indirectly, with transferable securities and money-market instruments with a maturity exceeding 30 days and issued after 12 September 2014 by, or
  2. the making of loans or credit with a maturity over 30 days to,

certain Russian companies involved in the sale or transportation of crude oil or petroleum products, any non-EU subsidiaries owned 50% or more by them and any person acting on their behalf or at their direction.3  The companies currently listed in the EU Regulation are Rosneft, Transneft and Gazprom Neft.

Finally, the EU Regulation states that prior authorisation is required in respect of the provision of certain assistance or financing related to the items listed in Annex II of the EU Regulation to individuals or entities in Russia or if the items are to be used in Russia.4

A separate EU regulation prohibits the sale, supply, transfer or export of certain goods and technology suited for use in the energy sector and for the exploration of oil, gas and mineral resources to Crimea or Sevastopol and any associated assistance or financing.5

The EU sanctions apply to anyone within the EU, any EU national or company incorporated in the EU (wherever they may be physically located), and to any business done in whole or in part in the EU.

The US Sectoral Sanctions
The US sanctions targeting the Russian energy sector are primarily contained in Executive Order 13662 (as amended) (the “Order”) and in the Countering America’s Adversaries Through Sanctions Act (“CAATSA”).

The Order applies to “United States persons”.6  However, it could also apply to non-US persons in respect of any transaction that causes a US person to violate the Order or causes a violation of the Order to occur in the US.

In similar fashion to the EU Regulation, Directive 4 of the Order seeks to inhibit oil exploration and production from the Targeted Projects.  It does this by preventing goods, services (other than financial services), or technology in support of exploration or production from being provided to certain restricted entities and their 50% or more subsidiaries.

However, following the introduction of CAATSA in August 2017, the US sectoral sanctions went a step further than their EU counterparts.  In particular, CAATSA extended Directive 4 to include oil projects outside Russia in which the restricted Russian entities have a 33% or greater ownership interest or own the majority of the voting rights.  The US sectoral sanctions can therefore impact projects located far from Russian borders.

The Order also attacks the ability of key companies in the Russian energy sector to access the international debt markets.  Directive 2 of the Order prohibits new debt with a maturity of more than 60 days being issued to certain entities and their 50% or greater subsidiaries.

CAATSA contains various additional provisions impacting the Russian Energy Sector.  In particular, it provides for the:

  1. mandatory imposition of sanctions on non-US persons who knowingly7 make a significant investment8 in a project intended to extract crude oil from deepwater, Arctic offshore or shale projects in Russia (section 225); and
  2. discretionary imposition of sanctions on a person (not limited to US persons) who knowingly:
    1. makes an investment of $1 million or more (or an aggregate value of $5 million or more over a 12‑month period), which directly and significantly contributes to the enhancement of the ability of Russia to construct energy export pipelines; or
    2. provides goods, services, technology, information or support to Russia, which could directly and significantly facilitate the maintenance or expansion of the construction, modernisation or repair of energy export pipelines. (section 232)

That section 232 refers to “energy export pipelines” is significant.  Unlike the previous sanctions targeting the oil sector, section 232 could be applied to pipelines carrying Russian gas, large amounts of which are imported by the EU.

These additional provisions purport to have extraterritorial effect, which means they are of concern to non-US persons who are otherwise outside the US jurisdiction.  Any non-US persons breaching these provisions may become subject to secondary sanctions that would severely restrict their ability to do business with the US and to access the US financial system, and therefore the international financial system.

The Reaction of Energy Companies
The sanctions imposed on the Russian energy sector have received mixed reactions among energy companies.  The differences between the EU and US sanctions, most especially the manner in which they are enforced, have led to the perception that US companies are more affected than their European counterparts.

Mostly, however, energy companies have been able to progress their projects unimpeded by the sanctions.  This likely reflects the types of projects being progressed in Russia since the sanctions came into force.

The EU and US sectoral sanctions target oil exploration and production from deepwater, Arctic offshore or shale projects in Russia.  Such projects are complicated and require the adoption of advanced techniques and technologies.  Accordingly, they are typically more expensive than, for example, conventional shallow water or onshore drilling operations.  Projects of this nature therefore tend to be uneconomic in periods of lower oil prices, such as those experienced since 2014.  For these reasons, it is possible that such projects might not have been pursued since 2014 even in the absence of sanctions.

In fact, Russian oil production has increased from 10.86 million barrels per day in 2014 to 11.23 million barrels per day in 2017, making it the world’s third largest producer in 2017 behind the US and Saudi Arabia.9  This is a clear indication that the sanctions have not had a significant impact on the Russian energy sector’s ability to produce crude.

Looking Forward
It is questionable whether the sanctions imposed on Russia’s energy sector have been effective.  They have not, it seems, prevented Russia from increasing its production of oil.  Neither have they prevented all deepwater, Arctic or shale projects from being progressed.  However, with higher oil prices than when the sanctions first took effect, the economics of such projects should become more palatable and Russia may begin to feel the impact of the sanctions to a greater extent.

Furthermore, the extraterritorial aspects of CAATSA are likely to begin affecting the appetite of non-US persons to make significant investments in Russian energy export pipelines or in Russian deepwater, Arctic offshore or shale projects.  There is also the risk of further sanctions.  The US Energy Secretary, Rick Perry, recently indicated that sanctions on the Nord Stream 2 pipeline are possible and that further energy‑related sanctions are planned.10   In addition, further sanctions on Russia in relation to the Novichok nerve agent attack in Salisbury, UK are expected, although it is not yet clear what form they will take and whether they will target Russia’s energy sector.11

In the first part of this three part series we considered the impact of President Trump’s decision to re-impose sanctions on Iran’s energy sector with effect from 5 November 2018.

________________________________________________________________

1 Article 3 of the EU Regulation.

2 Article 3a of the EU Regulation.

3 Articles 5(2) and 5(3) of the EU Regulation.

4 Article 4.3(a) of the EU Regulation.

5 Article 2(b) of Regulation EU No 692/2014.

6 United States persons is defined as “any United States citizen, permanent resident alien, entity organized under the laws of the United States or any jurisdiction within the United States (including foreign branches), or any person in the United States” (Section 6(c) of Executive Order 13662).

7 “Knowingly” for these purposes means a person who had actual knowledge, or who should have known, of the conduct, circumstance or result.

8 Guidance from the US Department of State is that whether or not an investment is “significant” will be determined on a case by case basis taking into account inter alia the nature and magnitude of the investment and its relation and significance to the Russian Energy Sector.

9 here.

10 here.

11 here.

© 2018 Bracewell LLP
This post was written by Robert Meade and Joshua C. Zive of Bracewell LLP.

United States Imposes Additional Sanctions Against Russian Entities and Individuals

On April 6, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced expanded sanctions against Russian entities and individuals, targeting a number of Russian oligarchs in the energy, banking, and other sectors and companies they own or control, as well as 17 senior Russian government officials. The Treasury Department also issued a detailed press release outlining the rationale for each of these designations. Given the prominence of the targeted oligarchs in Russian business and the extent of their business holdings, as well as the size and importance of the targeted companies in the Russian economy, the action could have a significant impact on companies doing business in Russia.

The OFAC action blocks the property and interests in property of the targeted entities and individuals when it comes into the United States or the possession or control of a U.S. person, and also prohibits virtually all dealings or transactions by U.S. persons with the targeted parties, who are now on OFAC’s List of Specially Designated Nationals and Blocked Persons (“SDN List”). The sanctions also apply to entities that are owned 50 percent or more by sanctioned persons, including the newly sanctioned parties. Non-U.S. persons also could be impacted by the new designations, through potential exposure to secondary sanctions for undertaking significant transactions with these parties.

The action follows the enactment last year of the Countering America’s Adversaries Through Sanctions Act of 2017 (“CAATSA”), as discussed in our client alert, which imposed certain sanctions on Russia that apply to U.S. and non-U.S. companies, and the release earlier this year of an Administration report to Congress that identified Russian oligarchs, as called for in CAATSA. A number of the individuals sanctioned in today’s action were identified in that report.

At the same time it announced the new designations, OFAC also issued two general licenses. One authorizes U.S. persons doing business with certain of the newly sanctioned entities to wind down their activities between now and June 5, 2018. The other general license authorizes U.S. persons to divest or transfer debt, equity, or other holdings in three of the blocked entities to non-U.S. persons (other than sanctioned parties) between now and May 7, 2018. OFAC also issued related guidance on these actions in the form of responses to new Frequently Asked Questions (“FAQs”).

Companies and Individuals Targeted by the Sanctions

The new sanctions were imposed under existing Executive Orders, but follow from the enactment last year of CAATSA, which among other things required (in CAATSA Section 241) that the Administration report to Congress on significant “senior political figures and oligarchs in the Russian Federation.” This report, filed with Congress on January 29, 2018, did not entail the imposition of sanctions against the individuals identified in the report. At the time, however, Treasury Secretary Steven Mnuchin warned that some of the individuals could be later targeted for sanctions, saying that “there will be sanctions that come out of this report.”

Today’s designations target several individuals included in the CAATSA Section 241 report, and others who are closely tied to Russian President Vladimir Putin. In total, 26 individuals and 15 entities were designated today (including several non-Russian parties designated under sanctions authorities related to narcotics trafficking and several Russian parties designated for activities involving Syria).

Among the designated Russian oligarchs are close associates of President Putin who are operating in the energy sector, such as Vladimir Bogdanov, Director General and Vice Chairman of the Board of Directors of Surgutneftegaz; Victor Vekselberg, the founder and Chairman of the Board of Directors of the Renova Group; Oleg Deripaska, the founder of Russia’s largest industrial group Basic Element, which includes EN+ and Rusal; Igor Rotenberg, the son of previously sanctioned Arkady Rotenberg and owner of the gas drilling company, Gazprom Burenie; and Kirill Shamalov, who married President Putin’s daughter in 2013 and is a minority shareholder of SIBUR.

Among the sanctioned Russian government officials are top managers of state companies and financial institutions, such as Alexey Miller, the Chairman of the Management Committee and Deputy Chairman of the Board of Directors of Gazprom; Andrey Akimov, the Chairman of the Management Board of Gazprombank; and Andrey Kostin, the President, Chairman of the Management Board, and Member of the Supervisory Council of VTB Bank. Additionally, the sanctioned Russian Senator, Suleiman Kerimov, is connected to Russia’s largest gold producer, Polyus, and Duma member Andrei Skoch has ties to USM Holdings.

Notably, Russia’s major state-owned weapons trading company, Rosoboronexport, also was designated for asset-blocking for having materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, the Government of Syria. Previously, Rosoboronexport had been targeted only by U.S. sectoral sanctions that restricted U.S. person dealings in new debt of Rosoboronexport of greater than 30 days’ maturity.

As noted above, the addition of these entities and individuals to OFAC’s SDN List has several important ramifications.

First, U.S. persons are required to block the property and interests in property—as broadly defined—of these parties when it comes into the United States or the possession or control of U.S. persons. A “U.S. person” for these purposes is a U.S. entity and its non-U.S. offices and branches; individual U.S. citizens and lawful permanent residents (“green-card” holders), no matter where located or by whom employed; and non-U.S. persons when present in or operating from the United States. Funds of SDNs that are blocked must be placed into segregated, “frozen” accounts and reported to OFAC within 10 business days.

Second, U.S. persons are broadly prohibited from transacting or dealing with SDNs, unless authorized by OFAC (such as through the two new general licenses described below or specific licenses issued by OFAC).

As noted above, the above-described restrictions extend not just to listed persons, but also to entities in which those persons own a 50 percent or greater interest, individually or collectively with other SDNs. The application of this long-standing OFAC rule is particularly significant here, where the named individuals have wide-ranging business holdings, since the sanctions on the designated oligarchs also apply to any companies in which they, individually or with other sanctioned parties, own a 50 percent or greater interest.

The designations also can impact non-U.S. persons dealing with the designated parties, as more fully described below.

New General Licenses

To minimize immediate disruptions to U.S. persons from these designations, OFAC issued General License 12, which temporarily authorizes all transactions and activities that are ordinarily incident and necessary to the maintenance or “wind down” of operations, contracts, or other agreements, including the importation of goods, services, or technology into the United States involving one or more blocked entities identified in the general license.

For those entities listed on General License 12, U.S. persons may, until June 5, 2018, permissibly wind down operations, contracts, or agreements in effect prior to April 6, 2018. This General License also would apply to any entity owned 50 percent or more by entities listed in the General License. In FAQs issued with the new sanctions designations, OFAC explains that the blocked entities listed in General License 12 may, for the duration of the General License, make salary and pension payments, and provide other benefits, to U.S. persons. In addition, U.S. persons may continue to provide services to the listed entities until the License expires. General License 12 also permits U.S. persons to import goods into the United States from blocked entities listed on General License 12.

Significantly, although wind-down activities would include accepting payments from the enumerated entities, General License 12 clarifies that U.S. persons may not make payments to such entities; instead, any payments to, or for the direct or indirect benefit of, a blocked person—whether listed in General License 12 or not—must be deposited in a blocked, interest-bearing account located in the United States. Therefore, although the new FAQs explain that U.S. persons may import goods into the United States from blocked entities listed on General License 12 until its expiration, any outstanding payments for such goods must be deposited into a blocked account.

Importantly, the list of blocked persons with whom U.S. persons may conduct wind-down activities is not coextensive with the newly designated individuals and entities. Instead, General License 12 covers only 12 of the 15 newly designated entities. It omits three newly designated entities—Gallistica Diamante, Rosoboronexport, and Russian Financial Corporation, each of which was designated under authorities other than those related to Russia—and all newly designated individuals. Therefore, General License 12 does not permit wind-down activities with these three entities, with any of the newly designated individuals, or with any entity owned 50 percent or more by the designated persons and not separately listed on General License 12.

OFAC also issued General License 13, which authorizes transactions and activities that are ordinarily incident and necessary to divest or transfer debt, equity, or other holdings in three blocked entities to a non-U.S. person (other than a sanctioned party), or to facilitate the transfer of debt, equity, or other holdings in those same three entities by a non-U.S. person to another non-U.S. person (other than a sanctioned party). General License 13 applies only to three of the newly designated entities:  EN+ Group PLC, GAZ Group, and United Company RUSAL PLC. General License 13 expires on May 7, 2018.

The activities permitted by General License 13 include facilitating, clearing, and settling transactions to divest to a non-U.S. person debt, equity, or other holdings in the blocked persons, including on behalf of U.S. persons. The License does not authorize unblocking any property other than as described above, or for U.S. persons to sell debt, equity, or other holdings to, or to invest in the debt, equity, or other holdings in, any blocked person, including those listed on General License 13. (It also prohibits facilitating any such transactions.)

With respect to both General License 12 and General License 13, U.S. persons participating in transactions authorized by the licenses must file detailed reports with OFAC within 10 days of the applicable General License’s expiration. Those reports must include the names and addresses of the parties involved, the type and scope of activities conducted, and the dates on which the activities occurred. Reports under General License 12 are due on June 15, 2018, and reports under General License 13 are due on May 17, 2018.

Secondary Sanctions under CAATSA Sections 226 and 228

In addition to the direct implications for U.S. persons associated with the new SDN designations, there are certain secondary sanctions risks for non-U.S. parties that have dealings with these parties.

Section 228 of CAATSA, in amending earlier legislation, requires that asset-blocking sanctions be imposed against non-U.S. persons that knowingly “facilitate a significant transaction…, including deceptive or structured transactions, for or on behalf of…any person subject to sanctions imposed by the United States with respect to the Russian Federation.” This would include any of the newly added SDNs or parties owned 50 percent or more, individually or collectively, by SDNs. And Section 226 of CAATSA, again amending earlier legislation, requires the imposition of mandatory secondary sanctions on foreign financial institutions if the Treasury Department determines that they have knowingly facilitated “significant financial transactions” on behalf of any Russian person added to OFAC’s SDN List pursuant to existing Ukraine-related authorities. In particular, foreign financial institutions can lose the ability to maintain or open U.S. correspondent accounts or payable-through accounts as a consequence of certain dealings with the individuals or entities designated today.

OFAC’s FAQ guidance clarifies the scope of these secondary sanctions authorities. Among other things, FAQ 545 provides that “facilitating” a transaction for or on behalf of a sanctioned person means “providing assistance for a transaction from which the person in question derives a particular benefit of any kind,” and sets out factors OFAC will consider in evaluating whether a transaction is “significant.” It also provides that a transaction is not “significant” if a U.S. person would not require a specific license from OFAC to conduct the transaction.

FAQ 542 provides guidance on the term “significant financial transaction” in the context of secondary sanctions against foreign financial institutions. It confirms, among other things, that “OFAC will generally interpret the term ‘financial transaction’ broadly to encompass any transfer of value involving a financial institution.” This would include, but is not limited to, the receipt or origination of wire transfers; the acceptance or clearance of commercial paper; the receipt or origination of ACH or ATM transactions; the holding of nostro, vostro, or loro accounts; the provision of trade finance or letter of credit services; the provision of guarantees or similar instruments; the provision of investment products or instruments or participation in investment; and any other transactions for or on behalf of, directly or indirectly, a person serving as a correspondent, respondent, or beneficiary. FAQ 542 also provides that a transaction is not “significant” if a U.S. person would not require a specific license from OFAC to conduct the transaction.

In this regard, new FAQ 547 confirms that activity authorized by new General Licenses 12 and 13, if occurring within the time period authorized in these general licenses, would not be considered “significant” for purposes of a secondary sanctions determination. The new FAQ guidance also emphasizes that the “intent” of the new designations is to “impose costs on Russia for its malign behavior.” It indicates that the U.S. government “remains committed to coordination with our allies and partners in order to mitigate adverse and unintended consequences of these designations.”

© 2018 Covington & Burling LLP

Peter Flanagan, Corrine Goldstein, Peter Lichtenbaum, Kimberly Strosnider, David Addis, Stephen Rademaker, Elena Postnikova, and Blake Hulnick of Covington & Burling LLP

Why does it Matter if the NRA Used Russian Money to help Donald Trump’s Election?

The old saying goes that “when you have a hammer, everything looks like a nail.” And as a campaign finance lawyer, I have to remind myself that not every story is a money in politics story. But the more I look at the 2016 election and what transpired, campaign finance is at the heart of the scandal.

To wit, this January, McClatchy reported that the FBI is allegedly investigating whether a Russian banker named Aleksander Torshin (who’s also wanted on criminal charges in Spain for unrelated matters) may have funneled money into the National Rifle Association (NRA) for the benefit of the candidacy of Donald Trump in 2016. At this point, all this is just a press report. We don’t have confirmation of this investigation.

In March, Politico reported that the Federal Election Commission (FEC) is investigating whether there really was any Russian money running through the NRA in the 2016 presidential election. This comes on the heels of Oregon Democratic Senator Ron Wyden asking similar questions to the NRA.

Illegal Political Sources

But why would this be so significant if the story of rubles flowing through the NRA is correct? For one, such spending by a foreigner in an American election is totally illegal under American law. Indeed foreign electoral spending has been barred since 1966 amendments to the Foreign Agents Registration Act (FARA). And with a Special Counsel actively indicting people for their roles in the 2016 election, this could become part of that criminal probe.

We Were Warned

Second, if the NRA-Russia-Trump nexus is borne out by the facts, then it will vindicate warnings from Supreme Court Justices and campaign finance reformers who said inviting secretive corporate money into our politics would provide cover for illegal foreign spending in American elections.

This caution was part of Justice John Paul Stevens’ dissent in Citizens United. He was leery of the possibility that inviting corporations into U.S. elections could invite foreign influence. As he wrote, “[u]nlike voters in U.S. elections, corporations may be foreign controlled.” He also noted the absurdity of giving equal protection to foreign speakers in this context: it would be like “accord[ing] the propaganda broadcasts to our troops by ‘Tokyo Rose’ during World War II the same protection as speech by Allied commanders.”

This warning that dark money could hide foreign money was particularly pronounced from transparency advocates among campaign finance reformers. In 2016, the FEC tried to promulgate new rules to clarify reporting requirements. But the FEC deadlocked and no new rules were finalized.

Without Clear Transparency Rules Dark Money Flourished

In the absence of new clear rules from the FEC, or Congress for that matter, dark money has increased. As I described in the law review article Dark Money As a Political Sovereignty Problem, since 2010, over $800 million in “dark money” has been spent in federal elections. Because of the dark money problem, often we don’t know what we don’t know about corporate money in politics—including whether it is from an illegal foreign source.

There is a data chart showing $183.8 million in dark money in 2016; $177.7 million in dark money in 2014; $308.6 million in dark money in 2012 and $135.6 million in dark money in 2010.

The growth of dark money is often blamed on the Supreme Court’s 2010 decision, Citizens United v. FEC. Paradoxically, Citizens United upheld the constitutionality of disclosure of the underlying sources of money in politics by a vote of 8 to 1. But regulators did not take up the Supreme Court’s open invitation to improve disclosure laws after Citizens United, thereby allowing dark money to metastasize like a cancer on our democracy.

How Dark Money Gets Dark

Here’s how dark political money works. Say you have a company that wants to exercise its Citizens United rights, but it doesn’t want to tell the public. That company gives the money to a politically active 501(c)(4) social welfare organization or 501(c)(6) trade association. Then that nonprofit buys political ads in a federal election. The FEC doesn’t require the nonprofit to reveal where it got the money. Even if the company is publicly traded, there is no SEC rule that requires the company to tell investors that they are spending money in politics. For even more secrecy, money can also be routed through a shell corporation like an LLC to make tracing the money even more difficult.

The Allegation

The reporting by McClatchy (and others) alleges that NRA’s Institute for Legislative Action (ILA), a 501(c)(4) arm of the NRA, that does not disclose its donors, received money from the Russian banker Torshin. We don’t know if that happened.

We do know how the NRA spent its money. In 2016, the NRA expended $54,398,558 in outside political spending. The NRA spent $31 million of that money to support Mr. Trump’s candidacy. According to Open Secrets.org, showing $183.8 million in dark money in 2016; $177.7 million in dark money in 2014; $308.6 million in dark money in 2012 and $135.6 million in dark money in 2010.

Is it outlandish to think that the NRA would wittingly or unwittingly violate American campaign finance law? At this point we don’t know if they have done anything wrong. However, the NRA has a long history of fighting campaign finance regulations. In 2010, when Congress was on the verge of passing the DISCLOSE Act, which would have brought transparency to money in politics post-Citizens United, lobbyists for the NRA got a legislative carve-out so that new disclosure would not apply to them.

The NRA was also center stage in litigation against the last big federal campaign law, the Bipartisan Campaign Reform Act (better known as BCRA or McCain-Feingold). In 2002, the NRA and one of its PACs, the National Rifle Association Political Victory Fund, were plaintiffs challenging the constitutionality of BCRA. This case was consolidated into the case that became McConnell v. FEC, a case that ended up upholding the constitutionality of BCRA, including its campaign finance disclosure requirements. Moreover, in 2001 the NRA was held liable for campaign finance violations from the 1978 and 1982 elections.

Conclusion

Like so many aspects of the multiple investigations into what really happened in the 2016 election, the public has no idea what will ultimately be revealed. Reading the news has become like a live action spy novel. It is possible further investigation will only exonerate the NRA and the Russian banker. But one strain to keep an eye on is whether any foreign money helped elect a U.S. president. Did I mention that’s completely illegal?

 

© Copyright 2018 Brennan Center for Justice at New York University School of Law

Kushner’s Bad Week: Losing Clearance, Suspicious Business Activities, and the Looming Russia Investigation

This week at the Trump White House was a cornucopia of news developments including a gun control meeting that quickly went off the rails, news of Trump confidant and stalwart Hope Hicks’s resignation, and Jared Kushner, First Son-in-Law, being stripped of his Security clearance for failure to complete paperwork in a timely manner, quickly followed by disturbing reports of Kushner’s business interests benefiting from his position in the White House and Kushner influence prompting possible backlash from the White House for parties who refused to support the Kushner Companies.

The Democratic National Committee says:

This week very clearly shows why Jared Kushner should lose his job at the White House. Kushner has never been qualified for his role . . . Kushner has repeatedly made critical omissions on his background check forms and has had to make dozens of revisions to his financial disclosure . . . multiple recent stories have further shown that the corruption Kushner brings to the White House is matched only by Trump himself …

Backing the DNC’s assertions, Kushner has amended and changed his financial filings on security documents 39 times, omitting significant financial disclosures.

Kushner’s Undisclosed Meetings with Foreign Nationals on Behalf of Kushner Cos.

 The Washington Post reported this week, that in December 2016, Kushner had meetings with the chairman of China’s Anbang insurance company, a Russian banker and a former prime minister of Qatar in the Kushner company’s efforts to get funding for the Kushner company’s $1.2 billion debt. The Washington Post revealed:

“Officials in at least four countries have privately discussed ways they can manipulate Jared Kushner, the president’s son-in-law and senior adviser, by taking advantage of his complex business arrangements, financial difficulties and lack of foreign policy experience, according to current and former U.S. officials familiar with intelligence reports on the matter.”

National Security Advisor H.R. McMaster later learned that Kushner’s contacts with foreign officials were not coordinated through the National Security Council, nor did he officially report them.

NBC reported yesterday that special counsel Mueller is investigating if Kushner’s meetings with foreign officials during the presidential transition, impacted White House policy, specifically noting that the White House last year backed an economic blockade of Qatar in the weeks after Qatari officials declined to provide loans to the Kushner Companies.

SEC’s Decision to End an Investigation of Kushner Related to Apollo Loan

The AP is reporting on the SEC’s 2017 decision to end a Kushner Co. loan investigation. The SEC investigation was prompted after Apollo Global Management gave the Kushner Cos. a $180 million Real Estate loan.  Apollo’s loan to the Kushner Cos. followed several meetings at the White House with Jared Kushner and Apollo Global Management’s founder, reported by the New York Times this week.

Currently, there is no evidence that Kushner’s White House role or anyone else in the Trump administration played a role in the SEC’s decision to drop the Apollo inquiry.  ‘I suppose the best case for Kushner is that this looks absolutely terrible,’ said Rob Weissman, president of Public Citizen.

 ‘Without presuming that there is any kind of quid pro quo … there are a lot of ways that the fact of Apollo’s engagement with Kushner and the Kushner businesses in a public and private context might cast a shadow over what the SEC is doing and influence consciously or unconsciously how the agency acted.’

In its 2018 annual report, Apollo disclosed that the SEC had halted its inquiry into the firm’s financial reporting and how Apollo reported the results of its private equity funds.

New Revelations about Citibank Loan to Kushner Co. after White House Visit

Shortly after Citigroup’s CEO Michael Corbat visited Kushner’s White House office, Citigroup made a $325 million loan to the Kushner Companies, the New York Times reported this week.    “This is exactly why senior government officials…don’t maintain any active outside business interests,” per Don Fox, former Acting Director and General Counsel of the Office of Government Ethics during the Obama administration. “The appearance of conflicts of interests is simply too great.”

In spite of White House ethics rules, Kushner continues to own “as much as $761 million” of the Kushner Companies according to a New York Times estimate and the Times also notes that while Kushner is the point man for Middle East policy “his family company continues to do deals with Israeli investors.”

Separate Ongoing Federal and State Investigations of Kushner

Separately from the Mueller probe, Kushner is being investigated by federal prosecutors in Brooklyn for the Eastern District of New York.  Investigators have requested records related to a $285 million loan Deutsche Bank gave Jared Kushner’s family real estate company in October 2016, one month before election day. Kushner was the Kushner Companies’ CEO until January 2017 and still owns part of the Kushner Cos. after selling off part of his stake. The Kushner Companies have a long-term relationship with Deutsche Bank according to financial disclosure forms.

The New York State Department of Financial Services asked Deutsche Bank, Signature Bank and New York Community Bank for information about their relationships with Jared Kushner and his finances, The Wall Street Journal and ABC News reported this week. Responses to the New York State inquiry are due March 5.

Abbe Lowell, Kushner’s attorney, says Kushner has behaved “appropriately” in meetings with foreign officials and that he “has taken no part of any business, loans or projects with or for” Kushner Companies since joining the White House. In a statement provided to NPR, Lowell says, “Mr. Kushner has done more than what is expected of him in this [Security clearance] process.”

 

Copyright ©2018 National Law Forum, LLC
This post was written by Jennifer Schaller and Eilene Spear of the National Law Forum, LLC.

Sessions, Oprah, Obama but not the Russians in Trump’s On-Going Twitter War

On February 20, 2018, DNC deputy communications director Adrienne Watson responded to a recent series of tweets by President Trump.  Last week’s Russian election meddling indictments renewed the debate about whether Obama did enough to counter Russian interference when he was in office.

After continued criticism about how he is handling Russia’s meddling in the 2016 Election, President Trump took to Twitter. Watson details Trump’s tweets from his attacks on Oprah, down to the Pennsylvania redistricting map. Trump’s tweets from last week, and even today, included no mention of preventing future Russian attacks on US elections; he did not condemn the Kremlin’s attack on the 2016 Presidential election, and he adamantly denies that the Mueller investigation will uncover or has uncovered any unsavory connections between him and the Russians.

Trump Tweet Fox News Says Russia Has not dirt on Trump

Why Doesn’t Sessions Go After Obama for the Russian Meddling?

On February 21st Trump lashed out at Attorney General Jeff Sessions,  asking why he isn’t investigating the Obama-administration for being weak in the face of Russian aggression.

Trump Tweet why didnt Sessions go after Obama

Pressuring Sessions to investigate Obama’s knowledge of Russian involvement is somewhat awkward because Sessions’s involvement with Russian government officials was investigated by the Department of Justice in March 2017. Sessions stated during his confirmation hearing in January 2017 that he “did not have communications with the Russians.” It was later determined by the Justice Department that he met with the Russian ambassador, Sergey I. Kislyak, twice in the preceding 12 months.

Sessions clarified the apparent disharmony between his sworn confirmation testimony and the two meetings with the Russian ambassador by stating that he “never met with any Russian officials to discuss issues of the campaign.”

The President seemed to forget that Sessions recused himself from the Russian investigation in June 2017.  “I recused myself not because of any asserted wrongdoing on my part during the campaign,” Sessions stated. “But because a Department of Justice regulation, 28 CFR 45.2, required it.”

What did the Obama Administration Know and When?

From the Mueller indictment, we now know that in 2015 the Russians purchased advertisements on social-media sites designed to influence public opinion, but it remains unclear whether the F.B.I. or any other intelligence agencies were aware of the purchases and other election interferences in real time.

By the summer of 2016, U.S. intelligence agencies had collected a “critical mass” of data about Russian efforts to intervene in the election. This prompted John Brennan, the then director of the C.I.A., to brief Obama and other top advisers in August about the threat. But President Obama and his advisors didn’t learn of the extent of the Russian interference, including the use of fake personas online, or that the Russians were exploiting Facebook and other social-media sites, until after the 2016 elections, former administration officials said. “We knew some things, but didn’t have all the pieces,” a senior official said, referring to Obama’s final weeks in office.

Who is Tougher on Russia?  It Depends on Who You Ask.

From the beginning, President Trump has vehemently denied that his campaign and administration had any knowledge of Russian meddling in the election.  As detailed in his tweets, he also continues to state that the current administration has been “tougher on Russia than Obama.”

Trump Tweet Im tougher on Russia than Obama

Although the President claims the Obama administration didn’t take proper actions against Russia, Obama did make strides towards imposing sanctions against Russia, with major retaliatory measures coming after the 2016 Election, when the Obama Administration expelled 35 Russian diplomats accused of interfering with the Presidential Election, sanctioning three companies and also closing two Russian diplomatic offices in the United States.

Trump has yet to impose sanctions against the Russians, after the overwhelming passage of the Countering America’s Adversaries Through Sanctions Act by Congress last year. The sanctions were to take effect on January 29th. The law gives the administration the power to target powerful Russian elites and companies and countries that do business with blacklisted Russian military and intelligence entities. The administration also failed to meet a deadline to identify Russian entities and individuals which would be added to a sanctions list. Instead, the Administration published a list of 96 known prominent Russian Oligarchs, as noted on Twitter by Tom Parfitt, Moscow Correspondent at The London Times.

Parfitt Tweet Russians added to list all from Forbes

Treasury Secretary Steven Mnuchin said February 14 that the Trump administration is “actively working” on imposing sanctions on Russia over its interference in the 2016 US election.  And on February 20th, White House Press Secretary Sarah Sanders stated that Donald Trump “has done a number of things to put pressure on Russia and be tough on Russia.” We’ll have to see what’s coming and maybe we’ll find out exactly what Trump has done to put pressure on Russia, monitor Twitter.

 

Copyright ©2018 National Law Forum, LLC
This post was written by Alessandra de Faria and Jennifer Schaller of the National Law Forum.

Mueller Indictment: Russians Manipulated Social Media, Advertising and Political Rallies to Impact 2016 Election

Robert Mueller’s office released a 37-page indictment of 13 Russian individuals and three Russian organizations for interference in the 2016 Presidential election. According to Mueller’s office, a Russian organization based in St. Petersburg known as the Internet Research Agency used fake American social media profiles, sometimes posing as political activists, to wage “information warfare,” interfering with and manipulating the US election process.

According to today’s indictment, these activities began as early as 2014, with certain defendants traveling to the United States and obtaining VPN infrastructure, to obscure the origins of their activities so various accounts would appear to be based within the United States.  Alleged activities included purchasing online advertisements–and stealing identities to do so.  Moving offline the defendants and their co-conspirators solicited individuals to disparage or promote candidates, including hiring a woman to wear a costume portraying Hillary Clinton in a prison uniform at various political events, all while hiding their Russian identities.

These activities were done without proper regulatory disclosure and without registering as foreign entities.  Deputy Attorney General, Rod Rosenstein, who announced the indictment stated: “The defendants allegedly conducted what they called information warfare against the United States with the stated goal of spreading distrust towards the candidates and the political system in general.”

DNC Chair Tom Perez released a statement, saying, “This indictment gives us a chilling look at just how sophisticated, well-funded and wide-ranging this attack on our democracy really was. It should send chills up the spine of every American.”   Perez points to the indictment as proof that the 2016 election was marred by Russian interference; including hacking into the DNC by Russian operatives as well as hacking into voter registration systems across the country, along with the now ubiquitous understanding of the Russian presence on social media and their attempts to foster disagreement and manufacture intense contention among already disagreeing Americans online.

Additionally, Perez points to Trump’s failure to act on the information presented by Mueller, referencing Trump’s attempts to diminish and discredit the Mueller investigation and his failure to direct intelligence officials to take action to prevent future attacks.   Perez:

“President Trump continues to deny these facts. And Republicans in Congress continue to spread falsehoods to tarnish the very investigation that is beginning to hold Russia accountable for its actions in 2016. If the president won’t uphold the oath he took to protect our nation’s security, he has no place in the Oval Office. And if Republican leaders in Congress can’t put the interests of our democracy before politics, they have no place in Congress.”

On the other side of the aisle, Kayleigh McEnany, an RNC spokesperson read the indictment to indicate that Russian interference was two-sided, with President-elect Trump also in the Russian cross-hairs.  She points specifically to rallies funded by Russian Roubles on November 12th and 19th of 2016, in the days following the election.   In an appearance on Fox News, she indicated that it was the Democrats who had deceived the country by emphasizing the Russian election interference.  She said, “Democrats deceived this country…and they were caught today.”

In a tweet today, President Trump stated that there was a lack of allegations in today’s indictment of any impact on the 2016 presidential election and highlighted his campaign’s lack of involvement.

Trump Tweet  Russian Election Indictment

However, a holistic reading of the indictment supports claims that Russian interference did appear to impact the 2016 election. The indictment offers a timeline of the defendants’ conspiracy that had a clear purpose: “impairing, obstructing and defeating the lawful governmental functions of the United States by dishonest means in order to enable the Defendants to interfere with U.S. political and electoral processes, including the 2016 U.S. Presidential election.”

You can read the indictment here.


This post was written by Eilene Spear of The National Law Review/The National Law Forum LLC.

Suspension of Visa Operations in Russia

The U.S. Embassy and Consulates in Russia announced that “[a]s a result of the Russian government’s personnel cap imposed on the U.S. Mission, all nonimmigrant visa (NIV) operations across Russia will be suspended beginning August 23, 2017.”

This is the most recent volley in the diplomatic back-and-forth that started with the reports of possible Russian involvement in U.S. elections. Following U.S.-imposed sanctions, Russia ordered the withdrawal of 755 U.S. diplomatic personnel from Russia.

Generally, the announcement means:

  • The U.S. Mission has begun cancelling current nonimmigrant visa appointments countrywide.
  • As of September 1, nonimmigrant visa interviews will be conducted only at the U.S. Embassy in Moscow.
  • NIV applicants whose appointments are cancelled can reschedule for a later date in Moscow.
  • Some immigrant visa interviews also will be affected.
  • The Embassy in Moscow and the Consulate in St. Petersburg will no longer accept new visa applications from residents of Belarus, who are encouraged to schedule NIV appointments in Warsaw, Kyiv (Kiev), or Vilnius.
  • The current plan is to offer a block of visa appointments for students in early September.
  • The Embassy in Moscow will continue to process NIV applications without an interview for those who qualify.

The U.S. Embassy in Moscow and the three consulates in St. Petersburg, Yekaterinburg, and Vladivostok will continue to provide emergency and routine services to American citizens, although hours may change.

This post was written by Michael H. Neifach  of Jackson Lewis P.C. © 2017


Russia v. USA: Geo Political Cyber Warfare And Your Business

The cyber war battlefield has expanded, and your business is now a fighter and a target.

A new U.S. Government report explains many reasons for identifying and penalizing Russian hackers, the Russian intelligence services, and the Russian leadership in response to hacks on U.S. government, political and business targets. The report contains detailed information that organizations can use to determine if the Russians have accessed their systems, plus a detailed list of prudent steps and best practices that all organizations should consider as part of their cyber security efforts.

The overarching message of the report is that the DNC hack was not an isolated incident but part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information.

The report is best understood as a call to arms for U.S. private sector and government entities to strengthen their vigilance and defenses against Russian Intelligence Services and join DHS and FBI in their effort to counter them. Many organizations believe that because they hold no state secrets, defense-related intellectual property, or sensitive information on government employees, they have no stake in geopolitical cyber security. DHS and the FBI are saying that this is not true. The national interest in cyber security is materially weakened whenever organizations with credibility and standing allow their domains to be breached and used as conduits for cyber-attacks on others – as happened in the DNC breach. Furthermore, data collected from breaches of non-traditional targets is often used to create the highly targeted and highly credible email packages for use in spear phishing campaigns against more traditional targets. Geopolitical cyber security is being “democratized” with wide-ranging potential public policy implications.

On December 29, 2016, the United States Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) jointly identified the Russian civilian and military intelligence services (RIS) as responsible for the 2015-2016 hack of the Democratic National Committee and its leadership. (In a nod to investigatory confidentiality, the joint DHS/FBI report refers to the targets only as a “U.S. political party,” and “multiple senior party members.”) The U.S. government has given the RIS effort the rather unartfully chosen name of “GRIZZLY STEPPE.”1

The joint DHS/FBI report provides the most detailed public discussion to date by U.S. law enforcement and cyber security agencies of the means and methods used in a foreign government-sponsored cyber-attack against U.S. interests. In October 2016, DHS and the Director of National Intelligence had reported that they were “confident” that RIS was behind the DNC attack. But this is the first time that a DHS/FBI joint report had formally assigned culpability for a specific cyber-attack to a specific nation. It is also the first time that specific operational groups within a foreign cyber directorate have been singled out and their identifying practices, approaches and tools have been publicly discussed.

The report links these operations by RIS to damaging or disruptive cyber-attacks committed in recent years on foreign interests.2 The report does not mention these attacks by name but apparently is referencing recent cyber-attacks on the Ukrainian electrical grid, banking system and other infrastructure,3 and on Estonian governmental and quasi-governmental entities. All of these cyber-attacks have been widely attributed to the Russian government, which denies that attribution.

As part of its call to arms, the DHS/FBI report provides “technical details regarding the tools and infrastructure” being used by the RIS “to compromise and exploit networks and endpoints associated with a range of U.S. Government, political and private sector entities.”

The report shows how groups working within RIS have been able to plant command and control infrastructure within the servers and domains of U.S. organizations and educational institutions – infrastructure they used to send phishing emails to potential victims and to serve as a pipeline to receive and retransmit stolen data once a breach was established. The report infers that the Russians were able to camouflage their actions by routing this malicious internet traffic through otherwise known and legitimate – perhaps even well-respected – private and educational organizations.

In the report, DHS and the FBI provide “technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to the indicators provided and information on how to report such incidents to the U.S. Government.” The technical indicators include the specific software fingerprints (Yara signatures) for the malware planted by RIS, and the specific IP addresses, URLs and file hashes that the RIS operatives have used in their attacks on U.S. computer systems.

DHS and the FBI call on the private sector and others to put this information to immediate use to identify and remediate ongoing RIS breaches and to limit future vulnerabilities. It is likely that other private and governmental entities are subject to active breaches by the RIS, and may be serving as infrastructure for ongoing RIS attacks on others. To this end, the report recommends that network administrators “review the IP addresses, file hashes, and Yara signatures provided and add the IP addresses to their watchlists” to determine whether malicious activity is taking place in their systems today.

The DHS/FBI report cautions that some of the traffic crossing network perimeters or firewalls and reflecting the suspicious IP addresses and other identifying information may prove to be legitimate. Conversely, some traffic that appears legitimate may involve RIS or others scanning public-facing servers (e.g., HTTP, HTTPS, FTP) to identify websites that are vulnerable to cross-site scripting (XSS) or Structured Query Language (SQL) injection attacks. This scanning can be the precursor to exploitation of the vulnerabilities found.
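
The watchlist review the report recommends, together with its caution that a hit is not proof of compromise, can be sketched as a triage pass over perimeter logs. This is an added example, not code from the report or from the firm; the log format, the internal address range and the watchlist entries (documentation-range addresses) are constructed assumptions.

```python
import ipaddress

# Constructed stand-ins (documentation ranges); the real indicators are the
# IP addresses published with the DHS/FBI report.
WATCHLIST = {ipaddress.ip_address(a) for a in ("192.0.2.10", "198.51.100.7")}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space
PUBLIC_PORTS = {21, 80, 443}                    # FTP, HTTP, HTTPS

# Constructed firewall log, format: timestamp src dst dst_port action
SAMPLE_LOG = """\
2016-12-30T09:00:01Z 192.0.2.10 10.0.0.5 443 ALLOW
2016-12-30T09:00:02Z 192.0.2.10 10.0.0.5 80 ALLOW
2016-12-30T09:05:10Z 10.0.3.44 198.51.100.7 443 ALLOW
2016-12-30T09:06:00Z 10.0.3.44 203.0.113.9 443 ALLOW
2016-12-30T09:07:30Z 198.51.100.7 10.0.0.9 3389 DENY
truncated line
"""

def triage(log_text):
    """Bucket watchlist hits by direction so an analyst reviews them in order."""
    buckets = {"outbound_to_watchlist": [], "inbound_public_service": [],
               "inbound_other": [], "unparsed": []}
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, src, dst, port, action = parts
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            buckets["unparsed"].append(line)   # never drop bad lines silently
            continue
        hit = (ts, src, dst, port, action)
        if src_ip in INTERNAL and dst_ip in WATCHLIST:
            # An internal host reaching a listed address: possible C2 or exfiltration.
            buckets["outbound_to_watchlist"].append(hit)
        elif src_ip in WATCHLIST and dst_ip in INTERNAL:
            # Probes of public-facing services may be scanning or ordinary traffic.
            key = "inbound_public_service" if port in PUBLIC_PORTS else "inbound_other"
            buckets[key].append(hit)
    return buckets

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(name, len(hits))
```

Every bucket is a queue for human review rather than an automatic block, which matches the report's warning that listed addresses can carry legitimate traffic.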

The FBI and DHS cannot impose direct legal consequences on private sector and governmental entities who fail to act on this information. But scenarios can be envisioned where the failure to do so could be considered a failure to provide the minimum levels of data protection that may be required by the multiple statutory, regulatory and common law constructs under which businesses operate today. Womble Carlyle advises its clients to evaluate the DHS/FBI report carefully, and to document the actions and decisions taken in response to it for future reference.

As to the specific DNC attack, the report concludes that two separate groups within RIS breached the DNC computer system. These teams used different techniques and malware exploits and the report does not show direct coordination between the breaches. The report designates the two RIS hacking groups as APT (Advanced Persistent Threat) 28 and APT 29.

(An advanced persistent threat actor or APT is a hacker or team of hackers whose sophisticated methods, choice of targets, and the determination to breach those specific targets set them apart from even the most accomplished global cybercriminals. APTs are generally assumed to be associated with nation states and other political actors.)

The report indicates that the initial breach of the DNC computer resulted from a 2015 spear phishing campaign in which APT29 sent “out emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims.” But even before this, APT29 had breached a number of “legitimate [internet] domains, to include domains associated with U.S. organizations and educational institutions.” Through these earlier breaches, APT29 had set up operational infrastructure (i.e., false user and email accounts) within the computer domains of these legitimate organizations. These accounts allowed APT29 to send spear phishing emails to its victims from legitimate organizations, possibly organizations known to and respected by the potential victims, albeit from unauthorized and fraudulent email accounts hosted there.

Links in the spear phishing emails directed the victims to web pages created by APT29 and hosted, once again, on the domains of these otherwise legitimate organizations. The pages included malware droppers which downloaded malicious software onto the targets’ computer systems when the victims clicked on the links.

At least one targeted individual, apparently a “U.S. Government victim,” activated the malicious link from a computer on the DNC’s system. The downloaded malware granted APT29 remote access to that individual’s computer, which the group then used to obtain control over the computer’s operating systems (PowerShell commands). The group established “persistence” in the form of difficult-to-detect “back doors” allowing its members to come and go on the system at will. They “escalated privileges,” harvesting credentials that allowed them wider and wider access to the data on the DNC’s system. They created their own user accounts on the DNC domains to receive, encrypt and exfiltrate (steal) data. They conducted surveillance and began exporting data using encrypted connections.

Operational infrastructure unwittingly hosted on legitimate sites formed the pipeline for breaching the DNC and transmitting the stolen data to Russia. This made the malicious nature of the transfers harder to detect.

A second breach occurred in the spring of 2016 when a separate RIS group, APT28, hacked the DNC using a different spear phishing technique. DHS and the FBI report that APT28’s established modus operandi is to “leverag[e] domains that closely mimic those of targeted organizations.” This can mean, for example, substituting www.yourcompany.co or www.youcompany.com for www.yourcompany.com. Spear phishing emails can be sent that spoof an email from the targets’ IT department or other leadership. The email instructs the targets to confirm or update their passwords using a link provided. The link is to a fraudulent web page on an unwitting host’s system. If the targets click on the link and enter passwords as instructed, their credentials are immediately transmitted to the hacker who uses them to gain access to the computer and begin uploading malware and conducting exploits.
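
A mail or proxy filter can flag the kinds of look-alike domains described above before a user ever sees the link. The sketch below is an added example, not code from the report; it goes slightly beyond the two cases in the text by also flagging the protected name embedded in another domain's subdomain. The hostnames are constructed, and taking the last two labels as the registrable domain is a simplifying assumption.

```python
def edit_distance(a, b):
    """Levenshtein distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Return (name, tld) from the last two labels, or None.
    Assumption: single-label TLDs; production code needs the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]

def classify(host, protected="yourcompany.com", max_dist=2):
    """Label a hostname seen in mail or proxy logs relative to the protected domain."""
    own, seen = registrable(protected), registrable(host)
    if seen is None:
        return "unparsed"
    if seen == own:
        return "legitimate"
    if seen[0] == own[0]:
        return "tld-swap"                      # e.g. yourcompany.co
    if edit_distance(seen[0], own[0]) <= max_dist:
        return "near-miss-name"                # e.g. youcompany.com
    if own[0] in host.lower():
        return "brand-in-subdomain"            # e.g. yourcompany.com.example.net
    return "unrelated"

# Constructed hostnames, as might be pulled from link targets in inbound mail.
SAMPLE_HOSTS = ["www.yourcompany.com", "www.yourcompany.co", "www.youcompany.com",
                "yourcompany.com.example.net", "example.org", "localhost"]

def scan(hosts):
    """Classify each hostname; anything not legitimate or unrelated needs review."""
    return {h: classify(h) for h in hosts}

if __name__ == "__main__":
    for host, label in scan(SAMPLE_HOSTS).items():
        print(f"{host:32} {label}")
```

For short organization names, lower `max_dist` to 1, since a distance of 2 will match many unrelated legitimate domains.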

APT28’s approach appears to have gained access to the email accounts of “multiple senior party members” at the DNC. The report indicates that the 19,000 emails and other documents posted on WikiLeaks on the eve of the Democratic National Convention were harvested by APT28.

Other reports indicate that it was APT28’s attempts to breach the DNC’s computers in the spring of 2016 that led the DNC to retain cybersecurity consultants to look for a potential breach. Apparently, by the time remedial action could be taken the damage had been done. It also seems that the investigation into the APT28 cyber-attack led to the discovery of the older, on-going APT29 breach, which may explain the fact that the team responsible for the older breach was assigned the higher reference number.

The DHS/FBI report does not say which “U.S. organizations and educational institutions” were the unwitting hosts to the RIS’s activities. But it is very reasonable to assume that sometime in the summer of 2016, a legitimate and undoubtedly respected U.S. organization or educational institution received a call from the FBI telling them that their lax cyber security policies materially contributed to what the U.S. government is now reporting to be a deliberate attempt by Russia to subvert the U.S. political process. Other organizations may be in a similar situation today, with RIS actively using their infrastructure to carry out cyber-attacks on other U.S. interests.

Would an organization become civilly liable if, absent good reasons, it were to ignore the tools and recommendations cited in this report and then became (or continued to be used as) the conduit for future data breaches that injure others? The law on this point is in its infancy. The answer will only come when courts resolve claims by specific plaintiffs against specific defendants in future lawsuits. But the process for creating future precedents on these matters will likely be slow, embarrassing and expensive for the defendants involved. And the resulting reputational black-eye may represent the greatest cost of all.

Copyright © 2016 Womble Carlyle Sandridge & Rice, PLLC. All Rights Reserved.


1 Would a second such cyber-attack become the “GRIZZLY TWO-STEPPE” or simply “DANCING BEAR?”

2 http://www.wsj.com/articles/behind-russias-cyber-strategy-1483140188

3 http://www.wsj.com/articles/cyber-experts-cite-link-between-dnc-hacks-an…