US tech companies sucked into Russian sanctions row

Updated An expansion of sanctions on companies connected with Russian government cyberattacks has pulled in two US tech companies.

Smart devices security specialist Embedi, based in Berkeley, and enterprise resource planning (ERP) cyber security firm ERPScan, based in Palo Alto – both in California – were added to the official sanctions list on Monday due to being owned by Russian company Digital Security.

The US Treasury department has formally accused Digital Security of "providing material and technological support to the FSB" – the Russian intelligence service. It says in a short note announcing the sanctions expansion that "as of 2015, Digital Security worked on a project that would increase Russia’s offensive cyber capabilities for the Russian Intelligence Services, to include the FSB."

It's not clear whether the US government believes Embedi and ERPScan were also involved in that project, and the official notice doesn’t accuse them of having done so, noting only that they are subsidiaries of Digital Security.

But the decision to put them on the sanctions list puts both companies in the impossible situation that they cannot trade with anyone based in their own country.

We spoke to Embedi's head of marketing Alex Kruglov who was stunned by his company's inclusion. "We have never worked with any government – the Russian or US, or any government," he said. "We are totally a white hat company."

Embedi has found a lot of vulnerabilities in products from Microsoft, Intel and Cisco among others – but has disclosed them in the same way any other security research company does. Unfortunately, it is owned by a Russian company that has worked with the FSB to actively exploit similar holes, according to the Treasury department.

Uncertain

"We're not sure about our future activity, or the future of our US office," said Kruglov. "Maybe this is a misunderstanding that could be solved, who knows?"

We also contacted ERPScan – whose disclosure of vulnerabilities in SAP and Oracle software we have repeatedly covered. It refused to comment.

The sanctions have been brought to bear on individuals and organizations that the US government has determined are responsible for persistent cyberattacks on the US.

"The United States is engaged in an ongoing effort to counter malicious actors working at the behest of the Russian Federation and its military and intelligence units to increase Russia’s offensive cyber capabilities," said an official release from the US Treasury, citing secretary Steven Mnuchin.

"The entities designated today have directly contributed to improving Russia’s cyber and underwater capabilities through their work with the FSB and therefore jeopardize the safety and security of the United States and our allies."

As for the impact of that decision, the Treasury Department surmises: "As a result of today’s action, all property and interests in property of the designated persons subject to US jurisdiction are blocked, and US persons are generally prohibited from engaging in transactions with them."

Which is particularly bad news for employees based in the United States itself. ®

Updated to add

Polyakov Alexander, founder and CTO of ERPScan has been in contact to say he's baffled by the ban and it appears someone in the Treasury Department has goofed.

"I woke up and was embraced by such news," he said. "The only accusation against ERPScan is that we are subsidiary of other company. ERPScan is a private company registered in 2014 in the Netherlands and are not a subsidiary of any company listed in this document."

"Seems that the only issue is that some of my peers and I were born in Russia. I’m sorry, we can’t change it. But we can change the world by making it better and more secure. We will continue helping protect critical SAP and Oracle software from cyberattacks as we did, and it doesn’t matter what has happened."