Developing Unique Partnerships to Defeat the Cyber Threat
Remarks as delivered.
Good afternoon. It’s an honor to be with you, and great to join so many of our partners in one space. I wish we could be together in person, but the pandemic has of course forced us to find new ways of getting together.
But I’m grateful to at least be able to spend time with you in this virtual setting. This is the FBI’s fifth year co-hosting the conference on cybersecurity with Boston College. This conference has grown into a unique partnership of cyber experts, innovators, and policy makers across all levels of the private sector, academia, and law enforcement. And we at the FBI are extremely privileged to be a part of it.
Brief Threat Overview
As everyone in this room knows all too well, the cyber threat has evolved dramatically in recent years. Today, the threat comes at us from all angles. We see criminal actors turning to an underground economy in search of the most skilled hackers and sophisticated criminal cyber tools. They then leverage data theft, ransomware, and other illicit methods to inflict immense harm on their victims.
Cyber criminals are also taking a page out of the nation-state hacker playbook. In this regard, they’re sometimes breaching the systems of managed service providers. Through just one intrusion they can then access the networks of hundreds of potential victims.
Over the past year we’ve also seen criminal hackers take advantage of the ongoing pandemic. They target victims awaiting stimulus checks or others searching for PPE. Nation-states target the innovators and labs conducting research and developing vaccines. But as cyber threats evolve so do the ways we tackle them.
Today, I want to talk to you in part about the FBI’s new cyber strategy. And I’d also like to talk about the need to continue working together—private sector together with government—to most effectively combat the cyber threat.
Fighting cyber crime at the FBI is not a new responsibility. Believe it or not, the Cyber Division is nearly 20 years old—it was created in 2002. Over the years, we’ve called out nation-state actors for their destabilizing and damaging cyber activity. For example, last summer’s indictment of two hackers working on behalf of the Chinese Ministry of State Security. They are accused of stealing intellectual property from companies both here and abroad. They also targeted dissidents who spoke out against the Chinese Communist party. Separately, last fall we announced charges against Russian intelligence officers behind the most destructive cyber campaign ever perpetrated by a single group, including the NotPetya and Black Energy attacks. And last month we unsealed charges against three North Korean computer programmers. They were part of a criminal conspiracy conducting cyberattacks and are accused of stealing and extorting more than $1.3 billion in money and cryptocurrency from financial institutions and companies.
But we know full well this is only a small part of the ever-evolving cyber threat landscape. Cyber criminals perpetrating ransomware schemes have taken things to a whole new level. They're not only wreaking havoc on company operations and causing significant financial losses; ransomware schemes are also now shutting down virtual learning in schools, crippling vital hospital systems, disrupting government services, and threatening critical infrastructure. Going forward, it’s important to stay focused on imposing risks and consequences on all bad actors in cyberspace, whoever and wherever they are, to make it harder and more painful for hackers and criminals to victimize others and to prove to both criminals and nation-states that they can no longer compromise U.S. networks, steal U.S. financial and intellectual property, and put our nation’s critical infrastructure at risk without facing severe consequences.
This strategy represents a shift in mindset—focused on impact. We’re going to accomplish this by leveraging unique authorities, world-class capabilities, and enduring partnerships—for the benefit of the larger cyber community.
One example of this is FBI Boston’s investigation into a variant of the Mirai botnet. This variant’s role in a cyberattack massively disrupted the internet back in 2016 and made websites such as Sony, Twitter, Amazon, and Netflix inaccessible for a time. As a result of the investigation, a juvenile pleaded guilty to his role in the attack in December and was recently sentenced.
But arrests and indictments aren’t the only methods we can employ. Significant consequences can be imposed in other areas as well. Our investigations often help the Treasury Department eliminate criminals from the global financial system and assist law enforcement partners abroad in seizing malicious infrastructure or in finding and arresting cyber criminals hiding in their countries. Our investigations also provide the information and technical indicators private sector network defenders rely on to protect their companies.
In the end, it doesn’t matter whose action kicks cyber criminals off their networks and platforms, or which agency took down the criminals’ infrastructure. What matters is that we’re all working together to ensure safety, security, and confidence, for all, in this digitally connected world.
Our Unique Capabilities
Given the gravity of the cyber threats we face, the government must employ an entire ecosystem against them. And at the FBI, we’re playing a central role in that ecosystem by offering a range of capabilities. The FBI is both a law enforcement and intelligence agency—with a set of authorities, capabilities, and relationships to match. We don’t just investigate discrete incidents. It’s also important to understand who and where our cyber adversaries are, how they operate, and what needs to be done to weaken them.
We’re collecting intelligence from a wide variety of sources and sharing that information with our domestic and international partners. Here at home, we have cyber squads, including interagency partners, in each of our 56 field offices. Abroad, we have cyber agents in embassies around the globe—working with both foreign law enforcement and intelligence services. We also have a rapid-response force called the Cyber Action Team that can readily deploy to major incidents anywhere, anytime. And within the Bureau, we’ve got decades of experience to lend to the fight against cyber crime. Our Counterintelligence Division investigates a wide range of foreign intelligence threats on U.S. soil. Our Counterterrorism Division anticipates how terrorists might develop cyber skills or use cyber-enabled methods to cause harm. And our Criminal Investigative Division works to stop online fraud schemes and disrupt cyber syndicates. And anything we can do—together—to neutralize and stop the cyber adversary or disrupt their activities is a victory.
That’s a little bit about the capabilities offered by the FBI. But we’re also working with partners, including all of you, to foster greater collaboration and trust. We’ve created unique venues where members of the cyber community can work alongside each other and build long-term relationships. Within government, that hub is the National Cyber Investigative Joint Task Force, or NCIJTF. The NCIJTF includes more than 30 co-located agencies from the intelligence and law enforcement communities. The NCIJTF coordinates multi-agency campaigns to combat the most significant cyber threats and adversaries. We’ve pushed a significant amount of our own cyber operational and analytical capabilities into the NCIJTF to strengthen its role as a core element of this nation’s cyber strategy. And last year we invited senior executives from other agencies to lead new threat-focused mission centers there.
But the fact is, we know that the government can’t do it alone, by far. This fight requires a whole-of-society approach—government and the private sector, working together against threats to national and economic security. That’s why we’re co-located with partners in industry, academia, and the financial sector as part of the National Cyber-Forensics and Training Alliance in both Pittsburgh and New York City. It’s why we created another hub to work with and facilitate cybersecurity collaboration among the defense industry, the National Defense Cyber Alliance, where experts from the FBI and cleared defense contractors sit together, sharing intelligence in real time. And it’s why agents in every single FBI field office now spend a huge amount of time going out to companies and universities in their areas of responsibility, establishing relationships before there’s a problem, and providing threat intelligence to help prepare defenses. That includes information we’ve obtained from sensitive sources.
And we are working more closely than ever with our federal partners like the Cybersecurity and Infrastructure Security Agency (CISA) to produce joint advisories, so you’re hearing a single message from across the government.
Cyber Strategy in Practice
With a new strategy in place, I’d like to illustrate what it looks like in practice, and how we’re attacking some of the most dangerous threats on the cyber front. Against the cyber criminal threat, in late January, we, along with international partners, announced coordinated disruptions of the vast Emotet criminal botnet. As many of you know, Emotet has for years enabled criminals to push additional malware onto victim networks in critical sectors like healthcare, e-commerce, technology, and government.
Emotet is one of the longest running and most pervasive malware delivery services out there. And it’s especially dangerous when Emotet is used in conjunction with the Trickbot Trojan to deliver Ryuk ransomware. Used together, these tools can wreak financial and operational devastation on victims. With Europol, national partner services across Europe, and a number of providers, we used the detailed technical information obtained through our investigation to interrupt the botnet administrators’ control of their own servers. Applying lessons learned from disruptions of earlier botnets, we broke the server control chain at multiple levels—making it harder and slower for the botnet administrators to regain control.
It’s the kind of disruption that demands cooperation. Emotet, like other major ransomware threats, spans the globe. And this disruption is one with immediate, significant benefits for our whole community.
In a separate case, also investigated by our Boston Division, two computer hackers, one based in Iran, were indicted in September on charges they damaged scores of websites across the U.S. Following the January 2020 death of Islamic Revolutionary Guard Corps commander Qasem Soleimani, one of the subjects allegedly transmitted computer code to more than 50 websites hosted in the U.S. and replaced their content with pictures of the late Soleimani with anti-American text. The two men remain fugitives, hunted by U.S. authorities.
Of course, not all of our criminal cyber cases have a global reach. Later this month, a New Hampshire man faces sentencing after pleading guilty to hacking into the Auburn Police Department and Town of Auburn computer systems. The subject deleted files, defaced employee accounts, and deployed malware that sent threatening pop-up messages to employees. This series of cyberattacks was retribution for the man’s arrest on drug charges by an Auburn police officer. The man even hacked into and defaced the website of the substance abuse center that treated him for heroin addiction.
And in November 2019, two Massachusetts men were indicted on computer and wire fraud charges and identity theft for allegedly hacking into the accounts of cryptocurrency company executives. Using an illegal practice known as SIM swapping, the two men convinced a cell phone carrier to reassign a victim’s cell phone number to a cell phone they controlled. The men targeted 10 victims and allegedly stole or attempted to steal over $500,000 in cryptocurrency. Their cases are still pending.
Another cyber threat that continues to grow is the blended or hybrid threat—state-sponsored economic espionage facilitated by cyber intrusions. We’re deploying our own, as well as our partners’ tools, against it, sequenced and synchronized, for maximum impact. In September we unsealed charges against five Chinese nationals from the hacking group called APT 41. They were targeting victim companies around the world from their safe haven in China. With our partners here and abroad, we arrested two of their co-conspirators in Malaysia, and seized or took down hundreds of the hacker accounts, servers, and domains. We also distributed a FLASH message to our private sector and foreign partners with technical information to help detect and mitigate APT 41’s malicious activities.
Around the same time, in Boston, our office uncovered a years-long malware campaign orchestrated by the Iranian government. This malware monitored dissidents, along with travel and telecommunications companies. As a result of the investigation, we were able to work with the Treasury Department, resulting in the imposition of sanctions on 45 individuals and a front company backed by the Iranian Intelligence Ministry. We also made the malicious code public, which not only dealt the Iranian government a significant blow but also helped mitigate the ongoing victimization of thousands of individuals and organizations around the world.
These are just a few examples of the work being done to impose risk and consequences on adversaries. On the Russia front, last year we worked with partners at NSA to uncover and expose highly sophisticated malware developed by Russian military intelligence. Legal process was used to get information that helped better understand that malware, complementing the great work our fellow intelligence community colleagues had done. That information allowed for the release of an unclassified report warning the public and resulting in a painful disruption to a well-known adversary. These actions resulted in a real cost to the Russian government, because they’d spent a lot of time and money developing the malware that was exposed and neutralized.
Elsewhere on the same front, we’ve been working nonstop on the SolarWinds investigation through a task force, known as the Unified Coordination Group, including CISA and ODNI, with support from NSA. As the lead agency for threat response, the FBI’s investigation is concentrating on identifying and notifying additional victims, collecting evidence, analyzing the evidence to determine attribution, and sharing results with our government and private sector partners to inform operational actions, build the intelligence picture, and bolster network defense.
Responding to Your Needs
The way we do business today—and the changes made in our strategic approach—are in large part because of our work with you. We’ve been listening to your concerns, suggestions, and guidance and have taken them to heart. We’ve shifted our thinking and the way we operate to move more quickly in order to significantly impact our adversaries. And we’re working more collaboratively with partners at every level. We’re sharing more information with the private sector yet working discreetly behind the scenes. We’re co-locating cyber agents at desks right next to international counterparts to make it even easier to work together.
We’ve been doing a lot of listening and working hard to meet the needs of the community. While sometimes we might not be able to tell you precisely how we knew your company, your organization, your university was targeted, we can usually tell you what you need to know to prepare for, or stop, a cyber attack. And having a pre-existing relationship invariably helps to do that faster. Talking with us before a problem strikes helps you understand how we operate, how we protect victim information, and how we work hard not to disrupt your operations. That kind of information is a lot easier to digest during a time of calm, rather than during a crisis. It helps you better understand how we can help.
The recent SolarWinds campaign shows how important it is that government and the private sector share information both ways. The FBI has domestic intelligence collection authorities that give us unique visibility into how foreign adversaries are using U.S. IT infrastructure to target victims. But it’s the private owners of U.S. networks and infrastructure who are often in the best position to illuminate a key and important part of the threat picture. We may come to a victim knowing one IP address used to attack them, but not another. If, through our interaction, we learn about more, then we may be able to do more to help, and to stop the next attack, too. We’re committed to continuing to listen, take feedback, and to give feedback on what you share with us.
* * *
Those are just a few thoughts on the current threat landscape and how we can work to tackle and defeat cyber threats together. I hope that next year, when we return to Boston, we will be even further ahead in our evolution. Because working together is the only way we’re going to stay ahead of these complex threats. We need to bring together the right people, tools, and authorities at the right time. And we can’t do that without your trust and our mutual cooperation and partnership. We've got to build these relationships now in order to make sure we know about and understand the threats coming at us.
Please reach out, engage, get to know and talk to us about what you’re seeing and let us know how we can help. Thank you for taking the time to be here today. Stay well and be safe.