April 6, 2022

Director Christopher Wray Announces Actions to Disrupt and Prosecute Russian Criminal Activity

FBI Director Christopher Wray delivered the following remarks during a press conference at the Department of Justice in Washington, D.C., with partner agency officials announcing actions to prosecute criminal Russian activity. (Remarks as delivered.)

Thank you, Lisa. I’m pleased to be here today to help announce this series of actions countering threats originating from Russia.

I want to focus for a few minutes on the FBI’s role in one of the actions the Attorney General mentioned, and what it says about the FBI’s unique cyber capabilities and what we can accomplish together with the private sector.

Today, we’re announcing a sophisticated, court-authorized operation disrupting a botnet of thousands of devices controlled by the Russian government—before it could do any harm.

We removed malware from devices used by thousands of mostly small businesses for network security all over the world. And then we shut the door the Russians had used to get into them.

Yesterday’s Darknet takedown struck a blow against Russian criminals and the ecosystem of cryptocurrency tumblers, money launders, malware purveyors, and other supporting them. The botnet disruption we’re announcing today strikes a blow against Russian intelligence, the Russian government.

The bot network we disrupted was built by the GRU—the Russian government’s military intelligence agency. And in particular it was the unit within GRU known to security researchers as Sandworm Team.

This GRU team, Sandworm, had implanted a specific type of malware known as Cyclops Blink on thousands of WatchGuard Technologies’ Firebox devices—these are security appliances, mainly firewalls, that are typically deployed in home office environments and in small to mid-size businesses.

Sandworm strung them together to use their computing power in a way that would obfuscate who was really running the network and let them then launch malware or to orchestrate distributed denial of service attacks like the GRU has already used to attack Ukraine. I should note here, that the GRU’s Sandworm team has a long history of outrageous, destructive attacks: The disruption of the Ukrainian electric grid in 2015, attacks against the Winter Olympics and the Paralympics in 2018, a series of disruptive attacks against the nation of Georgia in 2019, and, in 2017, the NotPetya attack that devastated Ukraine but also ended up hitting systems here in the U.S., throughout Europe, and elsewhere, causing more than 10 billion dollars in damages­—one of the most damaging cyberattacks in the history of cyberattacks.

With the court-authorized operations we’re announcing today, we’ve disrupted this botnet before it could be used. We were largely able to do that because we had close cooperation with WatchGuard.

We’ve worked closely with WatchGuard to analyze the malware and develop detection tools and remediation techniques over the past several weeks. And our operation removed Russia’s ability to control these Firebox devices on the botnet network, and then copied and removed malware from the infected devices. Now I should caution that as we move forward, any Firebox devices that acted as bots may still remain vulnerable in the future until mitigated by their owners, so those owners should still go ahead and adopt WatchGuard’s recommended detection and remediation steps as soon as possible.

We’re continuing to conduct a thorough and methodical investigation, but as we’ve shown, we are not going to wait for our investigations to end to act. We are going to act as soon as we can, with whatever partners are best situated to help, to protect the public.

This announcement today shows the value of the FBI’s technical expertise and unique authorities—both as a law enforcement agency and an intelligence service. And that unique combination, both of which were essential to the success of this operation. 

It also shows what we can accomplish with our partners to help companies—like the thousands of mostly small business affected by this botnet—hit by threats like these posed by the Russian government.

Our partnership with the private sector was key here. WatchGuard enthusiastically cooperated with the FBI to figure out the source of the infection and to counter it. That kind of cooperation makes successes like the one we’re announcing today possible, and it will continue to be important going forward.

The Russian government has shown it has no qualms about conducting this kind of criminal activity, and they continue to pose an imminent threat. And this global botnet disruption, in conjunction with the other actions discussed today, reflect an aggressive effort by the FBI and our partners to go on offense against Russian cyber threats, wherever they appear.

I’d also like to commend our partners at the DEA, IRS, and our foreign partners on the Hydra Darknet takedown and all of the men and women of the FBI involved with both of those operations, as well as the indictments and property seizures involving Russian oligarchs this week.

I should emphasize that we will continue to rely on companies to work with us the way WatchGuard has so that we can protect our nation’s cybersecurity together. For businesses, I would encourage you to have a cybersecurity plan and to include contacting your local FBI field office as an important part of that plan. And if you suspect a cyber intrusion, please contact your local FBI field office immediately—the more quickly we get involved, the more we can do to protect you. We are laser focused on disrupting the threat, on preventing harm from dangerous adversaries. Sometimes that means making arrests, and other times—like both yesterday and today—that means taking adversaries’ capabilities off the field.

No agency or business can do this alone. It takes everyone's cooperation. And the FBI will be there to work with you on cyber threats from Russia or anywhere else.

Finally, I would like to thank and congratulate our FBI teams in a wide number of field offices here in the U.S. and our legal attaches overseas for their work that has paid off this week—with seizing sanctioned assets here and in Spain, with the indictments we’re announcing today, and with the disruption of both criminal and hostile intelligence activities that we’re here to discuss this morning.

Thank you.