ERPScan named in new US sanctions that claim that Russia is monitoring underwater communication cables

ERPScan, the Amsterdam-based security company that examines SAP and Oracle software for flaws, has been added to the list of companies sanctioned by authorities in the US.

ERPScan is one of five IT companies sanctioned by the US Department of the Treasury's Office of Foreign Assets Control (OFAC). It claims that ERPScan is owned by Digital Security, a major Russian security company that, it asserts, worked on projects for the FSB, Russia's Federal Security Service, in 2015.

However, ERPScan founder and chief technology officer, Alexander Polyakov, denies that ERPScan is owned by Digital Security. He claims that links between the two companies were severed in 2014. The only remaining link, he says, is an individual shareholder with stakes in both companies.

The sanctions explicitly bar any person or organisation from doing business with ERPScan and its parent company with immediate effect. The ban would also cover any person or company that does business in the US from also doing business with ERPScan.

As such, the sanctions could put ERPScan out of business as any US company or multinational will be forced to discontinue subscriptions.

Embedi, another notable IT security company, conducting exploit research and security solutions for hardware, was also named in the sanctions.

While the sanctions are primarily intended to target Digital Security, they have also been extended to ERPScan in the belief that the two companies are linked. The US Treasury statement claimed that Digital Security had provided "material and technological support to the FSB".

It added that in 2015, Digital Security had worked on a project that "would increase Russia's offensive cyber capabilities for the Russian Intelligence Services". It didn't go into any further detail about the project.

The sanctions covering five Russia-connected entities were announced overnight by the US Department of the Treasury's Office of Foreign Assets Control, under section 224 of the Countering America's Adversaries Through Sanctions Act (CAATSA).

Computing is awaiting comment from ERPScan founder and chief technology officer Alexander Polyakov, but told BleepingComputer that ERPScan was not a subsidiary of Digital Security, as asserted by the US Department of the Treasury.

"As of 2014, ERPScan is a private company registered in the Netherlands and are not a subsidiary of any company listed in [the] document," he said.

In addition to the shareholder-in-common, Polyakov also admitted to having worked at Digital Security after university as it was one of the few companies in Russia conducting penetration testing.

Nevertheless, the US Department of the Treasury claimed in its statement that the sanctioned companies were controlled by "and provided material and technological support to Russia's Federal Security Service (FSB), while two others have provided the FSB with material and technological support".

Treasury Secretary Steve Mnuchin described the move as part of "an ongoing effort to counter malicious actors working at the behest of the Russian Federation and its military and intelligence units to increase Russia's offensive cyber capabilities".

He added: "The entities designated today have directly contributed to improving Russia's cyber and underwater capabilities through their work with the FSB and therefore jeopardise the safety and security of the United States and our allies."

The statement went on to reference the NotPetya ransomware, which targeted Ukraine but affected organisations around the world, and "cyber intrusions" into the US energy grid as examples of Russian government-sourced cyber attacks.

More intriguingly, perhaps, the statement also claimed that the Russian government "has been active in tracking undersea communication cables" carrying global internet and telecommunications data. It didn't, though, suggested that those cables had been actively tapped.

"As a result of today's action, all property and interests in property of the designated persons subject to US jurisdiction are blocked, and US persons are generally prohibited from engaging in transactions with them," the statement concludes.