U.S. Imposes Stiff Sanctions on Russia, Blaming It for Major Hacking Operation

The Biden administration on Thursday announced tough new sanctions on Russia and formally blamed the country’s premier intelligence agency for the sophisticated hacking operation that breached American government agencies and the nation’s largest companies.

In the broadest effort yet to give more teeth to financial sanctions — which in the past have failed to deter Russian activity — the actions are aimed at choking off lending to the Russian government.

In an executive order, President Biden announced a series of additional steps — sanctions on 32 entities and individuals for disinformation efforts and for carrying out the Russian government’s interference in the 2020 presidential election. Ten Russian diplomats, most of them identified as intelligence operatives, were expelled from the Russian Embassy in Washington. The country also joined with European partners to sanction eight people and entities associated with Russia’s occupation in Crimea.

In Moscow, the Foreign Ministry’s spokeswoman, Maria Zakharova, said a response would be “inevitable” but did not immediately disclose what it would entail. The U.S. ambassador was summoned to a meeting with Russian officials, Ms. Zakharova said.

“Such aggressive behavior will of course receive a decisive response,” Ms. Zakharova said. “In Washington, they should know there will be a cost for the degradation of bilateral relations. Responsibility for what is happening lies wholly with the United States.”

Widely anticipated, the sanctions come amid a large Russian military buildup on the borders of Ukraine and in Crimea, the peninsula that Moscow annexed in 2014.

They comprise what United States officials described as “seen and unseen” steps in response to the hacking, known as SolarWinds, and to Russia’s longstanding effort to interfere in U.S. elections on behalf of Donald J. Trump. The key to the sanctions’ effectiveness, officials concede, will be whether European and Asian allies go along with that ban, and whether the United States decides to seek to extend the sanctions by threatening to cut off financial institutions around the world that deal in those Russian bonds, much as it has enforced “secondary sanctions” against those who do business with Iran.

In a conversation with President Vladimir V. Putin on Tuesday, Mr. Biden warned that the United States was going to act to protect its interests, but also raised the prospect of a summit meeting between the two leaders. It is unclear whether Russia will now feel the need to retaliate for the sanctions and expulsions. American officials are already alarmed by a troop buildup along the border of Ukraine and Russian naval activity in the Black Sea.

And inside American intelligence agencies there have been warnings that the SolarWinds attack — which enabled the SVR to place “back doors” in the computer networks — could give Russia a pathway for malicious cyberactivity against government agencies and corporations.

Jake Sullivan, Mr. Biden’s national security adviser, has often said that sanctions alone will not be sufficient, and said there would be “seen and unseen” actions against Russia. Mr. Biden, before his inauguration, suggested the United States would respond in kind to the hack, which seemed to suggest some kind of clandestine cyber-response. But it may take weeks or months for any evidence that activity to come to light, if it ever does.

The order also designates six Russian companies for providing support to the cyber-activities of the Russian intelligence service.

Widely anticipated, the sanctions come amid a large Russian military buildup on the borders of Ukraine and in Crimea, the peninsula that Moscow annexed in 2014.

In the SolarWinds breach, Russian government hackers infected network-management software used by thousands of government entities and private firms in what officials believe was, at least in its opening stages, an intelligence-gathering mission.

The SVR, also known as the Russian Foreign Intelligence Service, is primarily known for espionage operations. The statement said American intelligence agencies have “high confidence in its assessment of attribution” of responsibility to Russia.

In an advisory, the United States described for private companies’ specific details about the software vulnerabilities that the Russian intelligence agencies used to hack into the systems of companies and governments. Most of those have been widely known since FireEye, a private security firm, first found evidence of the hack in December. Until FireEye’s discovery, the actions had been entirely missed by the U.S. government, largely because the attack was launched from inside the United States — where, as the Russians know well, American intelligence agencies are prohibited from operating.