OFAC Updates

Earlier today, OFAC added the following persons:

ALVARES, Carlos, Moscow, Russia; DOB 18 May 1971; POB Spain; Gender Male; National ID No. AV176942 (Spain) (individual) [CYBER2] (Linked To: EVIL CORP). 

 

BASHLIKOV, Aleksei, Moscow, Russia; DOB 18 Mar 1988; POB Russia; Gender Male; Passport 4509592875 (Russia) (individual) [CYBER2] (Linked To: EVIL CORP). 

 

BURKHONOVA, Gulsara, Moscow, Russia; DOB 06 Apr 1977; POB Russia; alt. POB Tajikistan; Gender Female; Passport 9707561379 (Russia) (individual) [CYBER2] (Linked To: EVIL CORP). 

 

GUBERMAN, David, Moscow, Russia; DOB 01 Mar 1971; POB Ukraine; Gender Male; National ID No. 7201105 (Israel) (individual) [CYBER2] (Linked To: EVIL CORP). 

 

GUSEV, Denis Igorevich (Cyrillic: ГУСЕВ, ДЕНИС ИГОРЕВИЧ) (a.k.a. GOTMAN, David; a.k.a. POMOJAC, Marin), Moscow, Russia; DOB 10 Jun 1986; alt. DOB 08 Jul 1977; alt. DOB 07 Oct 1987; POB Moscow, Russia; alt. POB Ceadir-Lunga, Moldova; citizen Russia; Gender Male; Passport 717386212 (Russia); alt. Passport A1167292 (Moldova); alt. Passport 1213007 (Israel) (individual) [CYBER2] (Linked To: EVIL CORP). 

 

MANIDIS, Georgios, Moscow, Russia; DOB 23 Aug 1971; Gender Male; National ID No. AV2752462 (Greece) (individual) [CYBER2] (Linked To: EVIL CORP). 

 

PLOTNITSKIY, Andrey (a.k.a. KOVALSKIY, Andrey Vechislavovich; a.k.a. STREL, Andrey), Moscow, Russia; DOB 25 Jul 1989; Gender Male (individual) [CYBER2] (Linked To: EVIL CORP). 

 

SAFAROV, Azamat, Moscow, Russia; DOB 26 Mar 1990; POB Uzbekistan; Gender Male; National ID No. CE2236830 (Uzbekistan) (individual) [CYBER2] (Linked To: EVIL CORP). 

 

SHEVCHUK, Tatiana, Moscow, Russia; DOB 08 Jan 1970; Gender Female; National ID No. BB299742 (Ukraine) (individual) [CYBER2] (Linked To: EVIL CORP). 

 

SLOBODSKOY, Dmitriy Alekseyevich, Russia; DOB 28 Jul 1988; Gender Male; Passport 721007353 (Russia) (individual) [CYBER2] (Linked To: EVIL CORP). 

 

SLOBODSKOY, Kirill Alekseyevich, Moscow, Russia; DOB 26 Feb 1987; POB Moscow, Russia; nationality Russia; Gender Male; Passport 721025114 (Russia); National ID No. 4508818947 (Russia) (individual) [CYBER2] (Linked To: EVIL CORP). 

 

SMIRNOV, Dmitriy Konstantinovich, Moscow, Russia; DOB 10 Nov 1987; citizen Russia; Gender Male (individual) [CYBER2] (Linked To: EVIL CORP). 

 

TUCHKOV, Ivan Dmitriyevich, Russia; DOB 27 Nov 1986; POB Moscow, Russia; Gender Male; Passport 45092006504 (Russia); alt. Passport 753931329 (Russia); VisaNumberID 525867504 (France) (individual) [CYBER2] (Linked To: EVIL CORP). 

 

TURASHEV, Igor Olegovich (a.k.a. “ENKI”; a.k.a. “NINTUTU”), Russia; DOB 15 Jun 1981; Gender Male (individual) [CYBER2] (Linked To: EVIL CORP). 

 

YAKUBETS, Artem Viktorovich, Moscow, Russia; DOB 17 Jan 1986; POB Polonnoye, Khmelnitskaya Oblast, Ukraine; citizen Russia; Gender Male (individual) [CYBER2] (Linked To: EVIL CORP). 

 

YAKUBETS, Maksim Viktorovich (a.k.a. “AQUA”), Moscow, Russia; DOB 20 May 1987; POB Polonnoye, Khmelnitskaya Oblast, Ukraine; citizen Russia; Gender Male; Passport 4509135586 (Russia) (individual) [CYBER2] (Linked To: EVIL CORP; Linked To: FEDERAL SECURITY SERVICE). 

 

ZAMULKO, Ruslan, Moscow, Russia; DOB 25 Jun 1970; POB Ukraine; Gender Male; National ID No. HB698865 (Ukraine) (individual) [CYBER2] (Linked To: EVIL CORP).

and entities:

BIZNES-STOLITSA, OOO (Cyrillic: ООО БИЗНЕС-СТОЛИЦА) (a.k.a. OBSHCHESTVO S OGRANICHENNOI OTVETSTVENNOSTYU BIZNES-STOLITSA), d. 14 korp. 1 pom. Khll/kom. 1, ul., Sokolovo-Meshcherskaya Moscow, Moscow 125466, Russia; D-U-N-S Number 50-722-4994; Tax ID No. 7733904024 (Russia); Government Gazette Number 40335667 (Russia); Registration Number 5147746417682 (Russia) [CYBER2] (Linked To: GUSEV, Denis Igorevich). 

 

EVIL CORP (a.k.a. DRIDEX GANG), Moscow, Russia; Moldova [CYBER2]. 

 

OPTIMA, OOO (Cyrillic: ООО ОПТИМА) (a.k.a. OBSHCHESTVO S OGRANICHENNOI OTVETSTVENNOSTYU OPTIMA), d. 2 korp. 2 pom. 1, ul., Kominterna Moscow, Moscow 129344, Russia; D-U-N-S Number 50-579-8144; Tax ID No. 7716740680 (Russia); Government Gazette Number 17325717 (Russia); Registration Number 1137746232260 (Russia) [CYBER2] (Linked To: GUSEV, Denis Igorevich).

 

TREID-INVEST, OOO (Cyrillic: ООО ТРЕЙД-ИНВЕСТ) (a.k.a. OBSHCHESTVO S OGRANICHENNOI OTVETSTVENNOSTYU TREID-INVEST), 11/2, ul., Sadovaya-Chernogryazskaya Moscow, Moscow 105064, Russia; D-U-N-S Number 50-722-5114; Tax ID No. 7701416320 (Russia); Government Gazette Number 40214946 (Russia); Registration Number 5147746418782 (Russia) [CYBER2] (Linked To: GUSEV, Denis Igorevich). 

 

TSAO, OOO (Cyrillic: ООО ЦАО) (a.k.a. OBSHCHESTVO S OGRANICHENNOI OTVETSTVENNOSTYU TSENTR AVTOOBSLUZHIVANIYA), 9, per., Omski Kurgan, Kurganskaya Oblast 640000, Russia; D-U-N-S Number 68-215-4722; Tax ID No. 4501122896 (Russia); Government Gazette Number 78739479 (Russia); Registration Number 1064501172394 (Russia) [CYBER2] (Linked To: GUSEV, Denis Igorevich). 

 

VERTIKAL, OOO (Cyrillic: ООО ВЕРТИКАЛЬ) (a.k.a. OBSHCHESTVO S OGRANICHENNOI OTVETSTVENNOSTYU VERTIKAL), d. 102/1, ul. Beregovaya Kogalym, Khanty-Mansiski, Avtonomny Okrug – Yugra Okr. 628482, Russia; D-U-N-S Number 50-630-4726; Tax ID No. 8608056026 (Russia); Government Gazette Number 26149774 (Russia); Registration Number 1138608000189 (Russia) [CYBER2] (Linked To: GUSEV, Denis Igorevich). 

 

YUNIKOM, OOO (Cyrillic: ООО ЮНИКОМ) (a.k.a. OBSHCHESTVO S OGRANICHENNOI OTVETSTVENNOSTYU YUNIKOM), d. 18, ul. Tsentralnaya Kogalym, Khanty-Mansiski, Avtonomny Okrug – Yugra Okr. 628483, Russia; D-U-N-S Number 68-321-9795; Tax ID No. 8608052180 (Russia); Government Gazette Number 97396163 (Russia); Registration Number 1068608008204 (Russia) [CYBER2] (Linked To: GUSEV, Denis Igorevich).

to the SDN List under its cyber-related sanctions program.

Additionally, it removed the following listings under the counter terrorism sanctions program:

AMHAZ, Issam Mohamad (a.k.a. AMHAZ, ‘Isam; a.k.a. AMHAZ, Issam Mohamed), Ghadir, 5th Floor, Safarat, Bir Hassan, Jenah, Lebanon; Issam Mohamad Amhaz Property, Ambassades (Safarate), Bir Hassan Area, Ghobeiri, Baabda, Lebanon; DOB 04 Mar 1967; POB Baalbek, Lebanon; nationality Lebanon; Additional Sanctions Information – Subject to Secondary Sanctions Pursuant to the Hizballah Financial Sanctions Regulations; Passport RL0000199 (Lebanon); Identification Number 61 Nabha; Chairman, Stars Group Holding; General Manager, Teleserveplus (individual) [SDGT].

AMHAZ, Issam Mohamed (a.k.a. AMHAZ, ‘Isam; a.k.a. AMHAZ, Issam Mohamad), Ghadir, 5th Floor, Safarat, Bir Hassan, Jenah, Lebanon; Issam Mohamad Amhaz Property, Ambassades (Safarate), Bir Hassan Area, Ghobeiri, Baabda, Lebanon; DOB 04 Mar 1967; POB Baalbek, Lebanon; nationality Lebanon; Additional Sanctions Information – Subject to Secondary Sanctions Pursuant to the Hizballah Financial Sanctions Regulations; Passport RL0000199 (Lebanon); Identification Number 61 Nabha; Chairman, Stars Group Holding; General Manager, Teleserveplus (individual) [SDGT].

AMHAZ, ‘Isam (a.k.a. AMHAZ, Issam Mohamad; a.k.a. AMHAZ, Issam Mohamed), Ghadir, 5th Floor, Safarat, Bir Hassan, Jenah, Lebanon; Issam Mohamad Amhaz Property, Ambassades (Safarate), Bir Hassan Area, Ghobeiri, Baabda, Lebanon; DOB 04 Mar 1967; POB Baalbek, Lebanon; nationality Lebanon; Additional Sanctions Information – Subject to Secondary Sanctions Pursuant to the Hizballah Financial Sanctions Regulations; Passport RL0000199 (Lebanon); Identification Number 61 Nabha; Chairman, Stars Group Holding; General Manager, Teleserveplus (individual) [SDGT].

And the Treasury Department issued the following press release:


Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware

Washington – Today the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) took action against Evil Corp, the Russia-based cybercriminal organization responsible for the development and distribution of the Dridex malware.  Evil Corp has used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than $100 million in theft.  This malicious software has caused millions of dollars of damage to U.S. and international financial institutions and their customers.  Concurrent with OFAC’s action, the Department of Justice charged two of Evil Corp’s members with criminal violations, and the Department of State announced a reward for information up to $5 million leading to the capture or conviction of Evil Corp’s leader.  These U.S. actions were carried out in close coordination with the United Kingdom’s National Crime Agency (NCA).  Additionally, based on information obtained by the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) released previously unreported indicators of compromise associated with the Dridex malware and its use against the financial services sector.   

“Treasury is sanctioning Evil Corp as part of a sweeping action against one of the world’s most prolific cybercriminal organizations.  This coordinated action is intended to disrupt the massive phishing campaigns orchestrated by this Russian-based hacker group,” said Steven T. Mnuchin, Secretary of the Treasury.  “OFAC’s action is part of a multiyear effort with key NATO allies, including the United Kingdom.  Our goal is to shut down Evil Corp, deter the distribution of Dridex, target the “money mule” network used to transfer stolen funds, and ultimately to protect our citizens from the group’s criminal activities.”

Worldwide, cybercrime results in losses that total in the billions of dollars, while in the United States, financial institutions and other businesses remain prime targets for cybercriminals.  Today’s action clarifies that, in addition to his involvement in financially motivated cybercrime, the group’s leader, Maksim Yakubets, also provides direct assistance to the Russian government’s malicious cyber efforts, highlighting the Russian government’s enlistment of cybercriminals for its own malicious purposes.  Maksim Yakubets is not the first cybercriminal to be tied to the Russian government.  In 2017, the Department of Justice indicted two Russian Federal Security Service (FSB) officers and their criminal conspirators for compromising millions of Yahoo email accounts.  The United States Government will not tolerate this type of activity by another government or its proxies and will continue to hold all responsible parties accountable.

Today’s designations and indictments were issued in furtherance of previous international actions targeting Evil Corp in an effort to further disrupt and degrade the group’s ability to operate.  In October 2015, the Department of Justice indicted Andrey Ghinkul for spreading the Dridex malware.  At that same time, the Federal Bureau of Investigation and the NCA disrupted the global infrastructure utilized at the time by Evil Corp.  Over the past several years, the NCA and the United Kingdom’s Metropolitan Police Service have arrested multiple individuals who enabled the activities of Evil Corp, including laundering stolen proceeds acquired through the Dridex malware.

As a result of today’s designations, all property and interests in property of these persons subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.  Additionally, any entities 50 percent or more owned by one or more designated persons are also blocked.  Foreign persons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions with these designated persons.

DESIGNATION TARGETS

Today’s action targets 17 individuals and seven entities to include Evil Corp, its core cyber operators, multiple businesses associated with a group member, and financial facilitators utilized by the group.  OFAC designated these persons pursuant to Executive Order (E.O.) 13694, as amended, which targets malicious cyber-enabled actors around the world, and as codified by the Countering America’s Adversaries Through Sanctions Act.

[Image: Dridex infection chain]

Evil Corp is the Russia-based cybercriminal organization responsible for the development and distribution of the Dridex malware.  The Dridex malware is a multifunctional malware package that is designed to automate the theft of confidential information, to include online banking credentials from infected computers.  Dridex is traditionally spread through massive phishing email campaigns that seek to entice victims to click on malicious links or attachments embedded within the emails.  Once a system is infected, Evil Corp uses compromised credentials to fraudulently transfer funds from victims’ bank accounts to those of accounts controlled by the group.  As of 2016, Evil Corp had harvested banking credentials from customers at approximately 300 banks and financial institutions in over 40 countries, making the group one of the main financial threats faced by businesses.  In particular, Evil Corp heavily targets financial services sector organizations located in the United States and the United Kingdom.  Through their use of the Dridex malware, Evil Corp has illicitly earned at least $100 million, though it is likely that the total of their illicit proceeds is significantly higher.  As a result of this activity, Evil Corp is being designated pursuant to E.O. 13694, as amended, for engaging in cyber-enabled activities that have the effect of causing a significant misappropriation of funds or economic resources for private financial gain. 

Evil Corp operates as a business run by a group of individuals based in Moscow, Russia, who have years of experience and well-developed, trusted relationships with each other.  Maksim Yakubets (Yakubets) serves as Evil Corp’s leader and is responsible for managing and supervising the group’s malicious cyber activities.  For example, as of 2017, Yakubets supervised Evil Corp actors who were attempting to target U.S. companies.  As of 2015, Yakubets maintained control of the Dridex malware and was in direct communication with Andrey Ghinkul prior to the unsealing of his indictment.  As a result, Yakubets is being designated pursuant to E.O. 13694, as amended, for having acted for or on behalf of and for providing material assistance to Evil Corp.  Prior to serving in this leadership role for Evil Corp, Yakubets was also directly associated with Evgeniy Bogachev, a previously designated Russian cybercriminal responsible for the distribution of the Zeus, Jabber Zeus, and GameOver Zeus malware schemes.  In particular, Yakubets was responsible for recruiting and managing a network of individuals responsible for facilitating the movement of money illicitly gained through the efforts spearheaded by Evgeniy Bogachev.  Yakubets is the subject of an indictment and criminal complaint unsealed today by the Department of Justice, while the Department of State announced a $5 million reward for information leading to the capture of Yakubets. 

In addition to his leadership role within Evil Corp, Yakubets has also provided direct assistance to the Russian government.  As of 2017, Yakubets was working for the Russian FSB, one of Russia’s leading intelligence organizations that was previously sanctioned pursuant to E.O. 13694, as amended, on December 28, 2016.   As of April 2018, Yakubets was in the process of obtaining a license to work with Russian classified information from the FSB.  As a result, Yakubets is also being designated pursuant to E.O. 13694, as amended, for providing material assistance to the FSB.  Additionally, as of 2017, Yakubets was tasked to work on projects for the Russian state, to include acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf.

Another key Evil Corp figure targeted today is Igor Turashev (Turashev).  As of 2017, Turashev was involved in helping Evil Corp exploit victims’ networks.  As of 2015, Turashev served as an administrator for Yakubets and had control over the Dridex malware.  As a result, Turashev is being designated pursuant to E.O. 13694, as amended, for having acted for or on behalf of and for providing material assistance to Evil Corp.  Turashev is also the subject of an indictment unsealed today by the Department of Justice.

Denis Gusev (Gusev), a senior member of Evil Corp, is also being designated today for his active role in furthering Evil Corp’s activities.  As of 2017, Gusev was involved in helping Evil Corp move to a new office location and as of 2018, Gusev served as a financial facilitator for Evil Corp and its members.  As a result, Gusev is being designated pursuant to E.O. 13694, as amended, for having acted for or on behalf of and for providing material assistance to Evil Corp.

Gusev also serves as the General Director for six Russia-based businesses. These entities include Biznes-Stolitsa, OOO, Optima, OOO, Treid-Invest, OOO, TSAO, OOO, Vertikal, OOO, and Yunikom, OOO.  As a result, these entities are being designated pursuant to E.O. 13694, as amended, for being owned or controlled by Gusev.

In addition to Yakubets, Turashev, and Gusev, Evil Corp relies upon a cadre of core individuals to carry out critical logistical, technical, and financial functions such as managing the Dridex malware, supervising the operators seeking to target new victims, and laundering the proceeds derived from the group’s activities.  These additional core members of the group include Dmitriy Smirnov, Artem Yakubets, Ivan Tuchkov, Andrey Plotnitskiy, Dmitriy Slobodskoy, and Kirill Slobodskoy.  As a result, these six individuals are being designated pursuant to E.O. 13694, as amended, for having acted for or on behalf of and for providing material assistance to Evil Corp.

To transfer the proceeds gained through their use of the Dridex malware, Evil Corp relies upon a network of money mules who are involved in transferring stolen funds obtained from victims’ bank accounts to accounts controlled by members of Evil Corp.  Previously, the NCA arrested multiple individuals in the United Kingdom suspected of laundering the criminal profits of cybercrime schemes, including those perpetrated by Evil Corp, through hundreds of accounts at various banks in the United Kingdom.  Today, OFAC is designating eight Moscow-based individuals who have served as financial facilitators for Evil Corp.  These individuals include Aleksei Bashlikov, Ruslan Zamulko, David Guberman, Carlos Alvares, Georgios Manidis, Tatiana Shevchuk, Azamat Safarov, and Gulsara Burkhonova.  As a result, these eight individuals are being designated pursuant to E.O. 13694, as amended, for providing financial and material assistance to Evil Corp.

And FinCEN and the Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) issued an alert about the Dridex malware.

Links:

OFAC Notice

Treasury Press Release

FinCEN/OCCIP Dridex Malware Alert

On Tuesday, OFAC added:

ICARO Crude Oil Tanker Panama flag; Vessel Registration Identification IMO 9038842 (vessel) [VENEZUELA-EO13884] (Linked To: PETROLEOS DE VENEZUELA, S.A.). 

 

LUISA CACERES DE ARISMENDI Products Tanker Venezuela flag; Vessel Registration Identification IMO 9117478 (vessel) [VENEZUELA-EO13884] (Linked To: PETROLEOS DE VENEZUELA, S.A.). 

 

MANUELA SAENZ Products Tanker Venezuela flag; Vessel Registration Identification IMO 9117492 (vessel) [VENEZUELA-EO13884] (Linked To: PETROLEOS DE VENEZUELA, S.A.). 

 

PARAMACONI Crude Oil Tanker Venezuela flag; Vessel Registration Identification IMO 9543512 (vessel) [VENEZUELA-EO13884] (Linked To: PETROLEOS DE VENEZUELA, S.A.). 

 

TEREPAIMA Crude Oil Tanker Venezuela flag; Vessel Registration Identification IMO 9552496 (vessel) [VENEZUELA-EO13884] (Linked To: PETROLEOS DE VENEZUELA, S.A.). 

 

YARE Crude Oil Tanker Venezuela flag; Vessel Registration Identification IMO 9543500 (vessel) [VENEZUELA-EO13884] (Linked To: PETROLEOS DE VENEZUELA, S.A.).

and modified:

NEDAS Crude Oil Tanker Greece flag; Vessel Registration Identification IMO 9289166 (vessel) [VENEZUELA-EO13850] (Linked To: JENNIFER NAVIGATION LIMITED). -to- ESPERANZA (f.k.a. NEDAS) Crude Oil Tanker Cuba flag; Former Vessel Flag Greece; Vessel Registration Identification IMO 9289166 (vessel) [VENEZUELA-EO13850] (Linked To: CAROIL TRANSPORT MARINE LTD).

vessels on the SDN List under the Venezuela sanctions program.

And the State Department issued the following press release:

On December 3, the United States identified six PDVSA-owned vessels, pursuant to E.O. 13884 or 13850, being used by the former Maduro regime to ship oil to Cuba.  In addition, the Esperanza was identified as the new name for the vessel previously named the Nedas, which was blocked on April 12, 2019.  These actions block the efforts by the Cuban and former Maduro regimes to evade sanctions that are intended to prevent the theft of Venezuela’s natural resources for corrupt purposes.

While the Venezuelan people continue to take to the streets to demand basic services and a return to freedom and prosperity, Maduro chooses to ship a vital natural resource to Cuba in exchange for Cuban security and intelligence services that preserve his influence in Venezuela.  Cuba continues to prop up Nicolas Maduro, subverting the Venezuelan people’s right to self-determination and undermining Venezuelan institutions.

The United States will continue to promote accountability for Cuba’s actions in Venezuela.  The United States is steadfast in its support for the people of Venezuela, interim President Juan Guaido, and the democratically elected National Assembly.

Links:

OFAC Notice

State Department Press Release

Last Wednesday, OFAC updated Frequently Asked Question (FAQ) #303:

303. Which insurance, reinsurance, or underwriting activities are potentially subject to sanctions under IFCA’s section 1246(a)(1)? 

A number of insurance activities are subject to sanctions under IFCA, including knowingly providing insurance, reinsurance, or underwriting services to or for Iranian persons on the SDN List, to or for any person designated in connection with Iran’s support for international terrorism or WMD proliferation, or for activities with respect to Iran for which sanctions have been imposed (e.g., knowingly engaging in a significant transaction for the purchase, acquisition, sale, transport, or marketing of petroleum or petroleum products from Iran). However, the provision of insurance, reinsurance, or underwriting services to non-Iranian persons on the SDN List is generally not sanctionable under section 1246(a)(1) of IFCA if the provision of insurance, reinsurance or underwriting services is not to or for an Iranian person on the SDN List, to or for any person designated in connection with Iran’s support for international terrorism or WMD proliferation, or for any activity with respect to Iran for which sanctions have been imposed. [11-27-2019]

and FAQ 804:

804. Do sanctions on COSCO Shipping Tanker (Dalian) Co. and COSCO Shipping Tanker (Dalian) Seaman & Ship Management Co. apply to their corporate parent and affiliates?

COSCO Shipping Tanker (Dalian) Co. and COSCO Shipping Tanker (Dalian) Seaman & Ship Management Co. were determined by the Secretary of State on September 25, 2019, to meet the criteria for the imposition of sanctions under Executive Order (E.O.) 13846, and the Secretary of State imposed certain sanctions, including blocking, on these entities. The blocking sanctions apply only to these listed entities and any entities in which they own, individually or in the aggregate, a 50 percent or greater interest. Sanctions do not apply to these entities’ ultimate parent, COSCO Shipping Corporation Ltd. (COSCO). Similarly, sanctions do not apply to COSCO’s other subsidiaries or affiliates (e.g., COSCO Shipping Holdings), provided that such entities are not owned 50 percent or more in the aggregate by one or more blocked persons. U.S. persons, therefore, are not prohibited from dealing with COSCO, its non-blocked subsidiaries, or non-blocked affiliates to the extent the proposed dealings do not involve any blocked person, or any other activities prohibited pursuant to any OFAC sanctions authorities.

In addition, on October 24, 2019, OFAC issued General License K that authorizes through its expiration date all transactions and activities prohibited pursuant to section 5 of E.O. 13846 that are ordinarily incident and necessary to the maintenance or wind down of transactions involving COSCO Shipping Tanker (Dalian) Co., subject to certain conditions specified in the license and described in FAQ 806. 

With respect to transactions involving non-U.S. persons outside of U.S. jurisdiction, please see FAQ 805. [11-27-2019]

and added three new ones:

805. Are non-U.S. persons exposed to sanctions for providing goods or services to, or engaging in other transactions with, a non-Iranian person sanctioned under section 3 of E.O. 13846?

No, non-U.S. persons are generally not exposed to sanctions for providing goods or services to, or engaging in other transactions with, a non-Iranian person sanctioned under section 3 of E.O. 13846. 

However, please note that non-U.S. persons should ensure that the provision of goods or services to, or other transactions with such non-Iranian persons do not involve: (1) prohibited transactions by U.S. persons (including U.S. financial institutions) or U.S.-owned or -controlled foreign entities, unless the transaction is exempt from regulation, or authorized by OFAC; (2) the knowing provision of significant support to an Iranian person on OFAC’s List of Specially Designated Nationals and Blocked Persons (SDN List); or (3) the knowing facilitation of a significant transaction for a person on the SDN List that has been designated in connection with Iran’s support for international terrorism or proliferation of weapons of mass destruction, including designated Iranian financial institutions or the Islamic Revolutionary Guard Corps (IRGC), or other activity for which sanctions have been imposed with respect to Iran (e.g., knowingly engaging in a significant transaction for the purchase of petroleum from Iran). 

For information about persons sanctioned by State Department pursuant to Section 3 of E.O. 13846, please see the relevant State press statement or Federal Register Notice. [11-27-2019] 


806. What types of activities are considered “maintenance” as the term is used in General License K?

As a general matter, the authorization for “maintenance” in General License K includes all transactions ordinarily incident to the continuity of operations by U.S. persons involving COSCO Shipping Tanker (Dalian) Co., Ltd. or any entity owned, directly or indirectly, 50 percent or more by COSCO Shipping Tanker (Dalian) Co., Ltd., other than COSCO Shipping Tanker (Dalian) Seaman & Ship Management Co. or any entity owned, directly or indirectly, 50 percent or more by COSCO Shipping Tanker (Dalian) Seaman & Ship Management Co. (hereinafter, “General License K Covered Entities”). Additionally, for the purposes of General License K, the authorization for “maintenance” generally includes all transactions and activities ordinarily incident to performing under a contract or agreement in effect prior to September 25, 2019, provided that the level of performance is consistent with the terms of the general license and consistent with past practices that existed between the party and the General License K Covered Entities prior to September 25, 2019. Notwithstanding the absence of a contract or agreement in effect prior to September 25, 2019, the authorization for “maintenance” also generally includes all transactions and activities ordinarily incident to obtaining goods or services from, or providing goods or services to, General License K Covered Entities in a manner consistent with the terms of the general license and consistent with past practices that existed between the party, or any intermediary party, and the General License K Covered Entities prior to September 25, 2019. OFAC will consider the transaction history between the party, or any intermediary party, and the General License K Covered Entities prior to September 25, 2019 in assessing whether activity is consistent with past practices. 
The authorization for “maintenance” also generally includes authorization to enter into contingent contracts for transactions and activities consistent with the above, extending beyond the current expiration of General License K where any performance after the expiration of the general license is contingent on such performance either not being prohibited or being authorized by OFAC. 

For example, transactions and activities authorized by General License K could include issuing or accepting purchase orders (including for sales of fuel to General License K Entities) and making or receiving shipments (including undertaking new charters or voyages) that were initiated after September 25, 2019 involving General License K Entities, if such activity is ordinarily incident and necessary to contracts in effect prior to September 25, 2019 (provided the purchase and shipment amounts are consistent with past practices, as demonstrated by transaction history). Similarly, transactions and activities that are not within the framework of a preexisting agreement may be considered “maintenance” if such activity is consistent with the transaction history between the person and General License K Entities prior to September 25, 2019. Conversely, General License K would not authorize purchase orders and shipments involving the General License K Entities where there was no preexisting relationship between a person and a blocked entity or where the contemplated activity exceeds past practices that existed between the party and the General License K Entities prior to September 25, 2019 as demonstrated by transaction history. Stockpiling inventory, for example, would not be authorized unless transaction history indicates that the scope and extent of maintaining inventory is consistent with past practice. [11-27-2019] 


807. Can U.S. financial institutions process transactions involving COSCO Shipping Tanker (Dalian) Co., Ltd. under Iran General License K if the U.S. financial institution is the only U.S. person involved in the transaction?

Yes, provided the transaction is ordinarily incident and necessary to the maintenance or wind down of transactions involving, directly or indirectly, COSCO Shipping Tanker (Dalian) Co., Ltd., or any entity owned, directly or indirectly, 50 percent or more by COSCO Shipping Tanker (Dalian) Co., Ltd., including any transaction or dealing in property or interests in property of the foregoing, subject to the conditions and expiration dates noted in Iran General License K. However, please note that Iran General License K does not authorize any transactions involving COSCO Shipping Tanker (Dalian) Seaman & Ship Management Co. or any entity owned, directly or indirectly, 50 percent or more by COSCO Shipping Tanker (Dalian) Seaman & Ship Management Co. 

Please note that absent knowledge or a reason to know that the transaction is not authorized by Iran General License K, OFAC would not expect the intermediary U.S. financial institution to conduct additional due diligence beyond the information collected in the ordinary course of processing such transactions, and accordingly, in the event of a potential violation, OFAC would consider the totality of the facts and circumstances in determining the appropriate administrative enforcement response, if any. 

Please see FAQ 116 for additional guidance on due diligence for U.S. financial institutions serving as intermediaries within a transaction. [11-27-2019] 

Links:

OFAC Notice

FAQ 303

FAQ 804

New FAQs

Apple paid $466,912 for non-egregious, self-reported violations of the Kingpin Act, as opposed to the base penalty amount of $576,434 and the maximum civil monetary penalty of $74,331,860. Turns out they had a developer company in the App Store who was an SDN, and whose account administrator was, too – and Apple’s screening software and procedures were found wanting:

On July 18, 2008, Apple entered into an app development agreement with SIS, a software company located at 19 Spruha, Trzin 1236, Slovenia. On February 24, 2015, OFAC designated SIS and Savo Stjepanovic (“Stjepanovic”), a director and majority owner of SIS, pursuant to the Foreign Narcotics Kingpin Designation Act, 21 U.S.C. §§ 1901-1908, and added them to the SDN List. OFAC’s public announcement of the designation included SIS’s address, registration number, and tax identification number, and further noted that SIS was linked to Stjepanovic. The SDN List provided the following identifying information for SIS:

SIS D.O.O., 19 Spruha, Trzin 1236, Slovenia; Registration ID 5919070 (Slovenia); Tax ID No. SI91729181 (Slovenia) [SDNTK].

OFAC also published a diagram titled “KARNER Steroid Trafficking Network,” which included a photograph of Stjepanovic, SIS, and a SIS logo.

On the same day that OFAC designated SIS and Stjepanovic, Apple, in accordance with its standard compliance procedures, screened the newly designated SDNTKs against its app developer account holder names using its sanctions screening tool. During this screening, Apple failed to identify that SIS, an App Store developer, was added to the SDN List and was therefore blocked. Apple later attributed this failure to its sanctions screening tool’s failure to match the upper case name “SIS DOO” in Apple’s system with the lower case name “SIS d.o.o.” as written on the SDN List. The term “d.o.o.” is a standard corporate suffix in Slovenia identifying a limited liability company. In addition, even though the address for SIS collected by Apple matched the address for SIS identified and published by OFAC, Apple failed to identify SIS as an SDNTK for over two years after the designation.

On the day of designation, Apple was in possession of Stjepanovic’s full name in its records since he was listed as an “account administrator” in its App Store developer account, though he was not listed as a “developer.” At the time, Apple’s compliance process screened individuals identified as “developers,” but did not screen all of the individual users identified in an App Store account against the SDN List. Apple therefore failed to identify Stjepanovic as an SDNTK.

On the day of designation, any property in which SIS or Stjepanovic had an interest became blocked, and any transactions or dealings in such property by Apple, a U.S. person, were prohibited. Nonetheless, Apple continued to host software applications and associated content (“apps”) owned by SIS on the App Store, allowed downloads and sales of the blocked SIS apps, received payments from App Store users downloading the blocked SIS apps, permitted SIS to transfer and sell its apps to two other developers, and remitted funds on a monthly basis to SIS for the sales of the blocked SIS apps.

On or about April 17, 2015 — approximately two months after the designations — Apple facilitated the transfer of a portion of SIS’s apps to a second software company (the “Second Company”). The Second Company was incorporated several days after OFAC’s designation of SIS. Separately, on or about September 14, 2015, SIS entered into an agreement with a third software company (the “Third Company”) and transferred the ownership of SIS’s remaining apps to the Third Company. The owner of the Third Company took over the administration of SIS’s App Store account and replaced SIS’s App Store banking information with his own banking information. These actions were all conducted without personnel oversight or additional screening by Apple.

After enhancing its sanctions screening tool and related processes, Apple identified SIS as a potential SDNTK in February 2017. Apple’s finance team immediately suspended further payments associated with the SIS account, which was being administered by the Third Company, and whose owner was receiving payments from Apple. However, Apple continued to make payments to the Second Company for the blocked SIS apps that had been transferred to the Second Company in April 2015, after OFAC’s designation of SIS as a SDNTK.

Apple made 47 payments associated with the blocked apps, including payments directly to SIS, during the period of time that SIS was listed on the SDN List. In total, over 54 months, Apple collected $1,152,868 from customers who downloaded SIS apps.

Here are the aggravating factors, according to OFAC:

(1) Based on the number of Apparent Violations, the length of time over which the Apparent Violations occurred, and the multiple points of failure within the company’s sanctions compliance program, policies, and procedures, the conduct demonstrated reckless disregard for U.S. sanctions requirements;

(2) Apple’s payments to SIS and for the blocked apps conferred significant economic benefit to SIS and its owner, as Apple’s App Store appears to have been the main business for SIS around the time it was designated; and

(3) Apple is a large and sophisticated organization operating globally with experience and expertise in international transactions.

OFAC found the following to be an aggravating factor with respect to three Apparent Violations that occurred after Apple identified SIS as an SDNTK in February 2017:

(4) Apple failed to take corrective actions in a timely manner after identifying SIS as an SDNTK, and continued to make payments for the download of blocked apps for multiple months.

And the mitigating factors:

(1) The volume and total amount of payments underlying the Apparent Violations was not significant compared to the total volume of transactions undertaken by Apple on an annual basis;

(2) Apple has not received a penalty notice or Finding of Violation from OFAC in the five years preceding the date of the transaction giving rise to the Apparent Violations; and

(3) Apple responded to numerous requests for information in a prompt manner.

And Apple’s remediation:

• Increased the role of the Global Export and Sanctions Compliance Senior Manager in the escalation and review process;

• Reconfigured the primary sanctions screening tool to fully capture spelling and capitalization variations and to account for country-specific business suffixes, and implemented an annual review of the tool’s logic and configuration;

• Expanded sanctions screening to include not only app developers, but also their designated payment beneficiaries and associated banks;

• Updated the instructions for employees to review potential SDN List matches flagged by the primary sanctions screening tool; and

• Implemented mandatory training for all employees on export and sanctions regulations.

And the lesson to be learned:

This enforcement action highlights the benefit of comprehensive SDN List screening that utilizes all of the information on the SDN List. Companies should consider OFAC screening and compliance measures that exploit names, addresses, and other identifying information on the SDN List. Compliance measures should also anticipate potential vulnerabilities in a company’s compliance program that could allow sanctions evasion and circumvention, and should include preventative measures that alert and react to sanctions evasion warning signs, such as business and employment connections between individuals and entities.

Link:

OFAC Enforcement Information
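The two screening gaps described above (the upper-case "SIS DOO" never matching "SIS d.o.o.", and an account administrator who was never screened) can be sketched as follows. This is an added example, not Apple's or OFAC's code; the suffix list, the record layout and the names `match_key` and `screen` are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed sample of legal-form suffixes; a real list is per-country and much longer.
SUFFIXES = {"doo", "dd", "llc", "ltd", "inc", "gmbh", "sa", "ag"}

def match_key(text, strip_suffix=True):
    """Reduce a name or address to an order-insensitive token set, ignoring
    case, accents, punctuation and (for names) a trailing legal-form suffix."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    text = re.sub(r"[.'’]", "", text)              # "d.o.o." -> "doo"
    tokens = re.sub(r"[^a-z0-9]+", " ", text).split()
    tail = []
    while tokens and len(tokens[-1]) == 1:         # "d o o" -> "doo"
        tail.insert(0, tokens.pop())
    if tail:
        tokens.append("".join(tail))
    if strip_suffix and len(tokens) > 1 and tokens[-1] in SUFFIXES:
        tokens.pop()
    return frozenset(tokens)

def screen(account, sdn):
    """Screen every party on an account, whatever its role, against SDN entries.
    Returns (role, party name, SDN name, matched fields) tuples."""
    hits = []
    for role, party in account["parties"]:
        for entry in sdn:
            matched = []
            if match_key(party["name"]) == match_key(entry["name"]):
                matched.append("name")
            a, b = party.get("address"), entry.get("address")
            if a and b and match_key(a, False) == match_key(b, False):
                matched.append("address")
            if matched:
                hits.append((role, party["name"], entry["name"], matched))
    return hits

# SDN sample: the SIS name and address are as quoted on this page; the
# individual's entry is constructed from the name given in the text.
SDN = [
    {"name": "SIS d.o.o.", "address": "19 Spruha, Trzin 1236, Slovenia"},
    {"name": "STJEPANOVIC, Savo"},
]
# Constructed developer account record.
ACCOUNT = {"parties": [
    ("developer", {"name": "SIS DOO", "address": "19 SPRUHA, TRZIN 1236, SLOVENIA"}),
    ("account administrator", {"name": "Savo Stjepanovic"}),
]}
```

A name that reduces to one short token, such as "sis", will collide with unrelated parties, so the address or identifier match is what turns such a hit into one worth escalating.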

On Friday, OFAC added the following individual:

AZARI JAHROMI, Mohammad Javad, Iran; DOB 16 Sep 1981; POB Jahrom, Iran; Additional Sanctions Information – Subject to Secondary Sanctions; Gender Male (individual) [IRAN] [IRAN-TRA].

to their Iranian sanctions program – specifically, under the Iran Threat Reduction and Syria Human Rights Act of 2012.

Link:

OFAC Notice

Editors always make your titles too long so that everyone knows what it’s about.

Original title: Hold on a Second(ary)

Final title: Hold on a Second(ary): Rethinking OFAC’s Expanded Sanctions Powers

You can find it here… hope you like it.