Sanctions by the Numbers: Spotlight on Cyber Sanctions

As illicit actors and hostile foreign governments continue to exploit global cyberspace and new financial technologies, President Joe Biden has elevated the status of cyber threats within U.S. national security considerations to an “urgent initiative,” suggesting an increased use of government measures to curtail this illicit activity. This edition of Sanctions by the Numbers will provide an overview of U.S. cyber-related sanctions authorities from the Obama administration to recent developments under the Biden administration, followed by trends in the deployment of cyber sanctions and snapshots of malicious North Korean and Russian cyber networks that cyber-related sanctions exposed. The objective is to highlight key developments in U.S. cyber sanctions policy, as well as the successes and limitations sanctions offer the U.S. government in identifying and targeting malicious cyber activity that threatens U.S. national security.

The Evolution of U.S. Cyber Sanctions

The U.S. government first incorporated sanctions policy into its cybersecurity strategy in 2012 when Barack Obama’s administration designated Iran’s Ministry of Intelligence under terrorism-related authorities for illicit hacking activities in coordination with Hezbollah. Since then, the Treasury Department has issued a total of 311 cyber-related sanctions with the largest number against Russia (141), Iran (112), and North Korea (18). The watershed moment for cyber sanctions came in November 2014 when the Lazarus Group, a North Korean–sponsored cybercrime organization, hacked Sony Pictures Entertainment. Following this cyberattack, the Obama administration created the first cyber-specific sanctions program in 2015. Pursuant to Executive Order 13694, this authority allows the U.S. government to designate individuals and entities solely on their participation in, and/or facilitation of, malicious cyber activities without needing connections to additional illicit activity covered under other sanctions programs, such as terrorism. However, the Treasury Department didn’t impose sanctions under the original cyber-specific framework until it was amended in 2016, demonstrating that the logistical difficulty of attributing cyberattacks to specific individuals or entities abroad remained a challenge for the U.S. government.

A possible explanation is that state-sponsored cybercriminals often conduct cyberattacks against the United States while located in either hostile foreign jurisdictions with low to non-existent U.S. law enforcement capabilities, such as Russia or China, or regions with poor sanctions compliance and legal framework, such as Southeast Asia. This significantly limits the United States’ ability to attribute and/or punish illicit actors engaging in cybercrime overseas. For example, the Treasury Department wasn’t able to sanction the Lazarus Group for its 2014 cyberattack against Sony Pictures until 2019.

In the aftermath of Russian interference in the 2016 U.S. presidential election, Obama issued Executive Order 13757, which amended the cyber-specific sanctions program now known as CYBER2 to include cyber-enabled election interference as a sanctionable activity. This amendment resulted in the sanctioning of nine Russian individuals and entities involved in the 2016 hack of the Democratic National Committee. Even so, cyber-enabled election interference remains a significant threat to the democratic fabric of the United States. Cyber threats continued to evolve during the Trump administration, which led the U.S. government to expand cyber-related sanctions through the Countering America’s Adversaries Through Sanctions Act (CAATSA) and Executive Order 13848. The former targets Russian-sponsored cybercriminals and the latter expanded sanctions on election interference. In response to the growing cyber threat, the Biden administration has called for a national review of cybersecurity protocols and sanctions programs.

Cyber-related Designations, 2011–2021

Although both the Obama and Trump administrations faced rising cyber threats from abroad, their use of cyber-related sanctions varied significantly. Despite creating the first cyber-specific sanctions program, the Obama administration imposed relatively few cyber-related designations, averaging 10 per year between 2012 and 2017. In contrast, the Trump administration averaged 57 cyber-related sanctions per year from 2017 to 2020. This increase may be partly due to a concurrent increase in the frequency and scale of cyberattacks, as some of the major state-sponsored cyberattacks conducted during this timeframe include: the 2017 Equifax hack (China); the 2017 WannaCry 2.0 ransomware attack (North Korea); the 2017 NotPetya ransomware attack; and the 2020 SolarWinds breach (Russia). While the rate of sanctions designations per year has increased from 15 in 2012 to the highest level yet of 90 in 2020, illicit cyber actors continue to exploit weaknesses in the U.S. government’s ability to anticipate and prevent further cyberattacks. As previously mentioned, the logistical difficulty of attributing cyberattacks to specific actors often delays the rate at which the U.S. government can respond via sanctions, ultimately weakening the deterrence factor of cyber sanctions.

Most recently, the U.S. government discovered two major Chinese- and Russian-led cyberattacks that targeted federal agencies with the goal of obtaining sensitive government information: the Microsoft hack in March 2021 and the year-long SolarWinds breach in 2020. According to Microsoft, the Chinese hacking group Hafnium targeted program vulnerabilities in Microsoft Exchange Server, an email and calendar application, through leased virtual private networks (VPNs) in the United States. VPNs allow internet users to create a private network connection that obfuscates their original internet protocol (IP) address. They can be used to access region-restricted websites and entertainment materials, as well as shield one’s physical location when conducting cyberattacks against a target in a foreign country. Although government officials are still investigating the repercussions of this cybersecurity breach, the modified email software is believed to have infected tens of thousands of U.S. businesses, government agencies, and schools. The Russian-led cyberattack against U.S. software company SolarWinds involved a modified software update that granted Russian cybercriminals access to approximately 18,000 private and government computers across several federal agencies, including the Departments of the Treasury, State, and Defense.

These two major cyberattacks demonstrate both Beijing's and Moscow’s growing cyber aggression toward Washington, highlighting an urgent need for greater U.S. cybersecurity measures. In response, the Biden administration attributed the SolarWinds hack to the Russian Foreign Intelligence Service (SVR) in a new set of sanctions targeting Russia’s malign foreign activities, addressing both general malicious cyber activities and cyber-enabled election interference. This new executive order extends restrictions on U.S. banks’ dealings with Russian sovereign debt. It also permits the U.S. government to issue status-based sanctions on any Russian company operating in the technology sector, as opposed to conduct-based sanctions, which demonstrates U.S. efforts to stymie further fusion between the private sector and Moscow.

Trends in the Deployment of Cyber-related Sanctions

Although the CYBER2 sanctions program increased the global breadth of U.S. sanctions by authorizing designations solely for participation in, and/or facilitation of, illicit cyber activities, there is a continued use of other sanctions programs to impose cyber-related sanctions. For example, the Treasury has imposed only 19 percent of cyber-related designations targeting Iran under CYBER2. The rest relied primarily on country-specific sanctions programs dating back to the Obama administration, targeting individuals linked to the previously designated Iranian Ministry of Intelligence and Islamic Revolutionary Guard Corps. Similarly, all 18 sanctions on North Korean individuals and entities are pursuant to country-specific programs (DPRK2 and DPRK3), which target actors directly linked to the North Korean government. A possible explanation is that under the auspices of country-specific programs, the Treasury only needs to link individuals and entities to sanctioned government organizations, rather than to a specific cyber-attack—a much easier task given the challenges of attributing specific illicit cyber activities to specific actors. This method of leveraging country-specific sanctions programs to target specific illicit activity is a common practice also seen in human rights– and corruption-related designations. In April 2021, the Biden administration issued 35 new cyber-related sanctions on Russia, with almost all designations pursuant to CYBER2 and country-specific or election interference sanctions programs. Although most of the newly sanctioned entities are linked to previously sanctioned entities under CYBER2, such as the Internet Research Agency, the new country-specific executive order on Russia increases the administration’s ability to sanction companies in the Russian technology sector.

Total Cyber-related Designations under CYBER2 versus Non-CYBER2 2011–2021

Cyber-related designations are highly concentrated in a handful of countries, with the greatest in Russia (45 percent), Iran (36 percent), and North Korea (6 percent). The Treasury imposed nearly all remaining cyber-related sanctions on individuals and entities located in various other jurisdictions due to their connections to sanctioned Russian, Iranian, and/or North Korean actors. For example, all five designations on Chinese individuals and entities for cybercrimes were because of their involvement with activities conducted by sanctioned Russian or North Korean actors. This includes two Chinese nationals who were designated under the auspices of CYBER2 and DPRK3 for laundering over $100 million worth of stolen cryptocurrency on behalf of North Korea in March 2020. An exception to this pattern is Nigeria where the Treasury sanctioned six Nigerian individuals in 2020 who were involved in email scams and romance fraud against American individuals and businesses—though these were not state-sponsored.

Global Distribution of Cyber-related Sanctions, 2011–2021

Despite its low number of cyber-related sanctions relative to Russia, Iran, and North Korea, China remains a major cyber threat to the United States. While the Justice Department has indicted over 25 Chinese nationals, including officers in China’s People’s Liberation Army, for various cyber-enabled activities, such as the 2017 Equifax data breach, the Treasury has yet to sanction any Chinese national or entity for illicit cyber activities conducted on behalf of the Chinese government. This stems in part from a repeated high-level agreement between the United States and China to distinguish between cyber espionage conducted for commercial reasons, as opposed to that done for traditional national security reasons. The United States endeavors to prevent escalating tensions with China while keeping the possibility of imposing further costs on the table.

Spotlight on Malicious Cyber Networks: Russia and North Korea

While sanctions may have a limited material effect on individuals and entities, they play an important role in “naming and shaming” actors and the countries that sponsor them by providing information on the connections between governments and illicit actors. The following visualizations of Office of Foreign Assets Control (OFAC) designations and U.S. Department of Justice indictments provide a snapshot of the complex networks of Russian and North Korean government-sponsored organizations, businesses, and cybercriminals responsible for major cyberattacks around the world.

Russia’s Federal Security Service Technology Procurement Networks According to OFAC Designations

A cluster of cyber-related sanctions on Russia centers on the activities of the Russian Federal Security Service (FSB), the internal security agency of Russia. The Treasury first sanctioned the FSB in December 2016 for interfering in the 2016 U.S. election, and since then, both OFAC and the Department of Justice have designated or indicted more than 50 individuals and entities linked to the FSB. A major area of focus for Treasury sanctions has been the connections between the FSB and businesses providing technological support and surveillance technologies. In 2018 and 2020, the Treasury sanctioned two Russian companies under CYBER2, Divetechnoservices and Okeanos, for providing the FSB with underwater equipment and diving technology, which were allegedly used in efforts to monitor telecommunications data through undersea communications cables. Ultimately, these designations led to additional sanctions on many other Russian companies and individuals who facilitated sanctions evasion on behalf of the Russian government. Recognizing that advanced technologies and equipment can in fact contribute to improved and well-coordinated cyberattacks, the Biden administration included the Russian technology sector in its new executive order in response to Russian malign cyber activities. Under this new authority, the Treasury designated three technology companies connected to the Russian FSB in April 2021, as depicted in the flowchart above.

Russia’s Federal Security Service Connections to Cybercriminals According to OFAC Designations and Department of Justice Indictments

The FSB has also been involved both directly and indirectly in cyberattacks against major U.S. targets, indicating collaboration between Russian government officials and cybercriminals. In March 2017, the U.S. Department of Justice indicted two FSB officers for their involvement in the 2014 Yahoo hack, in which the officers paid Alexsey Belan, a previously indicted Latvian hacker, for illicit access to at least 500 million Yahoo accounts, some belonging to Russian journalists and U.S. government officials, in order to monitor their email content. Belan was sanctioned in December 2016, along with Evgeniy Bogachev, a notorious cybercriminal responsible for several major malicious software programs. Bogachev is a member of the Jabber Zeus Crew, a cybercrime organization that counted Maksim Yakubets among its members. Yakubets, indicted for his activities with the Jabber Zeus Crew, would go on to lead Evil Corp, the organization responsible for the Dridex malware, which stole banking credentials in order to drain bank accounts and was responsible for tens of millions of dollars in losses. In a Treasury press release accompanying his designation in 2019, Yakubets was accused of working directly for the FSB since 2017.

North Korea’s Lazarus Group Cybercrime Web According to OFAC Designations

Perhaps the most well-known North Korean–sponsored cybercrime organization is the Lazarus Group. This subunit of the Reconnaissance General Bureau, North Korea’s main intelligence agency, is responsible for myriad cyberattacks targeting foreign financial institutions, agencies, and online networks including, but not limited to: the Sony Pictures Entertainment hack (2014), the Bangladesh Bank cyber heist (2016), the WannaCry 2.0 ransomware attack (2017), and numerous spear-phishing and cryptojacking campaigns. However, Pyongyang doesn’t operate alone as it currently commands an estimated 6,000 cybercriminals across the globe, many reportedly operating overseas in China, Russia, India, Belarus, and Malaysia. The U.S. Department of Justice indicted North Korean hacker Park Jin Hyok twice for his involvement in the Sony Pictures hack, Bangladesh Bank cyber heist, and WannaCry ransomware attack through his association with the Lazarus Group. Park previously worked for over a decade at a North Korean government front company in China called the Chosun Expo Joint Venture which is known for its connections to the Reconnaissance General Bureau. North Korea has outsourced a certain degree of its cybercrime to China, including by recruiting two Chinese nationals, indicated in the flowchart above, for professional money laundering services. Although more research is needed to properly ascertain North Korea’s ability to fully monetize stolen crypto funds, its continued success in hacking large sums of cryptocurrencies will likely result in increased attacks against financial institutions and exchanges hosting and/or facilitating digital currency transactions.

Under increased economic sanctions during both the Obama and Trump years, North Korea began to rely heavily on cyber-enabled financial crime to steal and procure funds for its nuclear weapons development program. For example, the Department of Justice unsealed a new indictment in February 2021 that added two defendants, Jon Chang and Kim Il, along with Park in North Korea’s efforts to procure illicit funds through the Lazarus Group from 2014 to 2020. This indictment also detailed the wide range of malicious state-sponsored cyber-enabled financial crime ranging from cyberattacks, heists, and intrusions to spear-phishing campaigns, destructive malware attacks, exfiltration of data, and global money laundering schemes. Sanctions are commonly thought of as a useful tool to target state-sponsored cybercriminals, but the logistical difficulty of attributing cyberattacks to specific individuals or entities abroad remains a challenge for the U.S. government. For instance, the Treasury wasn’t able to sanction Park for his involvement in the Sony Pictures hack and other major cyberattacks until September 2018 due to the opaque nature of state-sponsored covert cyber operations conducted in jurisdictions with little to non-existent U.S. presence and/or law enforcement capabilities.

As seen in the recent hacking attacks against Microsoft and COVID-19 vaccine research and testing facilities, hostile nations continue to successfully conduct disruptive cyberattacks against U.S. government agencies, federal employees, average citizens, financial and commercial institutions, and medical facilities. In response, the Biden administration has indicated that it is planning to impose steeper costs on governments responsible for cyberattacks through clandestine actions, affirming that economic sanctions will continue to play an important role in curbing illicit cyber activity. Regardless of their material impact on malicious actors, economic sanctions will continue to serve a useful “naming and shaming” function for the U.S. government to publicize hostile actors and promote greater information sharing among allies through public indictments and statements. Similar to human rights and corruption-related sanctions, the Biden administration will likely continue the ongoing trend of utilizing country-specific sanctions programs to target specific illicit activity otherwise difficult to designate.

Methodology

Designations included in this edition were drawn from the following sanctions programs: CYBER2, TCO, CAATSA-RUSSIA, RUSSIA-EO14024, DPRK2, DPRK3, IRAN-TRA, HRIT-IR, HRIT-SY, IRAN-HR, and ELECTION-EO13848. For non-CYBER2 programs, only cyber-related designations listed in Treasury press releases were included.

Learn More

The CNAS Sanctions by the Numbers series offers comprehensive analysis and graphical visualization of major patterns, changes, and developments in U.S. sanctions policy and economic statecraft. Members of the CNAS Energy, Economics, and Security Program collect and analyze data from publicly available government sources, such as the Treasury Department’s Office of Foreign Assets Control.