Christopher A. Wray
Director
Federal Bureau of Investigation
Washington, D.C.
September 18, 2024

Director Wray's Remarks at the 2024 Aspen Cyber Summit

Remarks as prepared

Good morning. It’s great to be here with you today.

I realize we’re at the Aspen Cyber Summit this morning, and I promise I have some very important cyber-related issues I want to discuss with all of you. But, before I get to those, I want to just take a moment to talk about what happened over the weekend in West Palm Beach.

For the second time in just over two months, we’ve witnessed what appears to be an attempt to attack our democracy and our democratic process. I’m relieved that former President [Donald] Trump is safe and I want the American people to know the men and women of the FBI are working tirelessly to get to the bottom of what happened.

Our work is very much ongoing, and we’re just a few days into the investigation, so we’re limited in what we can say at this point.

What I can say is that we have dedicated the full force of the FBI to this investigation, and that runs the gamut from criminal to national security resources, from tactical support to Evidence Response Teams, from forensic scientists to operational technology personnel.

Together, we’re working around the clock to investigate this.

And now I’d like to get into those cyber issues I promised to discuss this morning.

For three-quarters of a century, the Aspen Institute has helped leaders throughout industry, academia, and government identify not just the greatest challenges we face, but opportunities we have to join forces to overcome them.

And while the cyber threats I want to discuss here weren’t even the stuff of science fiction 75 years ago, ultimately, today’s threats still boil down to an age-old conflict: the conflict between good and evil, between the rule of law and the criminals and foreign adversaries who seek to harm our people, our organizations, and our businesses.

And, unfortunately, then and now, there’s no shortage of bad guys out there looking for ways to hurt us.

So, where does that leave us?  

It’s almost inevitable that your organization will be the victim of a cyberattack. And, when that happens, working with the FBI can help you navigate what otherwise might be an incredibly costly ordeal.

And to be clear—in many cases that may even mean saving your organization money—just how much I’ll get into in a few minutes.

Working with us can also save you precious time, helping you reconstitute your operations faster, and may keep not just your organization—but the American people themselves—safe from future attacks.
 
Focusing on victims 

It’s no secret that the volume of cyber incidents has increased exponentially.

Cybercriminals and nation-state hackers, alike, have demonstrated they’re not only willing, but more and more able, to hit the services people really cannot live without: things like hospitals and schools, utility companies and transportation providers.

Between 2021 and 2024, 15 of our country’s 16 critical infrastructure sectors—sectors like telecommunications, energy, emergency services—fell victim to ransomware, and that’s just ransomware.

Because those services are so essential, criminals and hackers backed by nation-states know they can score big by: 

  1. Locking up your data until you pay an outrageous ransom;
  2. Conducting what we call double extortion: stealing your data and threatening to release it—or sell it to the highest bidder; and
  3. Conducting triple extortion by preventing access to your website through denial-of-service attacks—or by harassing or threatening your organization’s employees and executives.

So, given the ubiquity and the severity of the cyber threat, more and more, it can sometimes seem like the odds are stacked against us.

Mindful of this evolving landscape, four years ago, I announced a new strategy to drive the FBI’s cyber work.

The cornerstone of that strategy is our unwavering support for victims—everyone from private citizens targeted by fraudsters to billion-dollar corporations suffering data breaches.

That means our mission revolves around you: using every piece of intelligence available to us to help keep your organizations—and others like them—safe from future attacks, and working with you when a cyberattack does occur to help you minimize your losses and get up and running again.

Now, depending on the circumstances, the work we do can vary from victim to victim.

And we believe in using every tool we’ve got to make life harder for our adversaries.

For example, when an attack happens, we can deploy one of our FBI Cyber Action Teams. These are elite specialty groups that can deploy around the world in a matter of hours to respond to cyberattacks onsite.

That’s what we did last year, for instance, when a telecommunications company found suspicious behavior on their network and asked for our help.

Our team was able to identify malicious activity associated with Volt Typhoon—a group of hackers sponsored by the Government of China. They’d been hiding inside the network, lying in wait. Fortunately, our Cyber Action Team gave the company the information they needed to mitigate the compromise across their system. And when we discovered Volt Typhoon was also using a botnet made up of hundreds of compromised, privately owned routers to conceal their activity—and the fact that it was being directed by China—we conducted a court-authorized operation that not only severed their connection to the botnet, but also prevented re-infection of those victim devices.

Volt Typhoon is just one facet of a broader campaign by the Chinese government to infiltrate U.S. infrastructure, co-opt devices in your organizations—and, frankly, a whole lot of homes—and use them to target us and our allies.

Today, for the first time, we’re able to publicly speak about a second joint, sequenced operation that we conducted last week as part of our ongoing efforts to take China’s botnets offline. This botnet was run by a different group of hackers, again working at the direction of the Chinese government.

Known as Flax Typhoon, they represent themselves as an information security company—the Integrity Technology Group. But their chairman has publicly admitted that for years his company has collected intelligence and performed reconnaissance for Chinese government security agencies.

Flax Typhoon was targeting critical infrastructure across the U.S. and overseas, everyone from corporations and media organizations to universities and government agencies.

And, like Volt Typhoon, they used internet-connected devices—this time hundreds of thousands of them—to create a botnet that helped them compromise systems and exfiltrate confidential data. But, unlike Volt Typhoon, they targeted more than just routers. Flax Typhoon hijacked Internet of Things devices like cameras, video recorders, and storage devices—things typically found across big and small organizations—and about half of those hijacked devices were located here in the U.S. 

Flax Typhoon’s actions caused real harm to its victims, who had to devote precious time to clean up the mess when they discovered the malware. One organization in California, for instance, suffered an all-hands-on-deck cybersecurity incident, and IT [information technology] staff needed to work long hours to remediate the threats and replace hardware—all of which took swaths of the organization offline and caused a significant financial loss.

But, working in collaboration with our partners, we executed court-authorized operations to take control of the botnet’s infrastructure. When the bad guys realized what was happening, they tried to migrate their bots to new servers and even conducted a DDOS [distributed denial-of-service] attack against us. Working with our partners, we were able to not only mitigate their attack, but also identify their new infrastructure in a matter of hours. At that point, as we began pivoting to their new servers, we think the bad guys realized that it was the FBI and our partners that they were up against. And, with that realization, they burned down their new infrastructure and abandoned their botnet.

Ultimately, as part of this operation, we were able to identify thousands of infected devices, and, then, with court authorization, issued commands to remove the malware from them, prying them from China’s grip.

Now, this was another successful disruption, but make no mistake: It’s just one round in a much longer fight.

The Chinese government is going to continue to target your organizations and our critical infrastructure—either by their own hand or concealed through their proxies. And we’ll continue to work with our partners to identify their malicious activity, disrupt their hacking campaigns, and bring them to light.

Of course, we’re also working hard to provide your organizations with information to proactively build resilience and defend yourselves before an attack even happens.

That was the case earlier this year, when we joined our partners to warn the private sector about a group of pro-Russian hacktivists, cybercriminals using a particular known vulnerability to compromise operational technology networks. They had set their sights across our critical infrastructure—from dams and wastewater systems to the energy, food, and agriculture sectors. And, after we sounded the alarm, we heard from our partners throughout industry. Because of the advisory we’d issued, they were able to prioritize fixing that specific vulnerability, keeping their companies—and the American public—safe.

When we learn of a potential attack—through our intelligence collection or our global partnerships—we’re focused on working with you to stop criminals and foreign adversaries before they can cripple your networks, like we did in 2022 to protect a major American political party’s networks. Through information collected using our FISA Section 702 authorities, we learned hostile nation-state actors were just days away from conducting a cyberattack. So, working together with the targeted organization, we denied that adversary’s access and prevented any damage.

And, as you saw from our announcement last month regarding Iran, foreign targeting of our political parties remains a serious concern.

Saving organizations money 

Now, hardening systems, fixing vulnerabilities, mitigating network compromise—that’s all essential.

But, what happens if—or, maybe, when—your organization finds itself the victim of a ransomware attack you cannot defend against, and you’re faced with the prospect of shelling out millions of dollars—or even hundreds of millions—to unlock your network and free your data? 

Well, the Bureau can help there, too.

And, in fact, the kind of help we provide sets us apart from every other agency on the planet.

Because victims are our highest priority, we’re constantly hard at work developing decryption capabilities to combat known ransomware variants. And when we’ve got them, we put them to very good use.

I’m extremely proud to report that in just the past two years, the FBI has handed out nearly 1,000 decryptors, and we’ve saved victims around the world something like $800 million dollars in ransom payments.

Let me repeat that: Partnering with the FBI saved ransomware victims around $800 million in the span of just two years, and that’s just the money saved in ransoms not paid. It does not include the almost incalculable savings by organizations not paralyzed by an attack, operations not suspended with systems and data taken offline.

And that $800 million saved? That could have been even more. 

What do I mean by that? 

Before we can use many decryptors, we need to know who the victims actually are—whose data each of these unique keys unlocks.

So, if your organization gets hit by ransomware and tries to go it alone? We might not be able to make that match—and we might not be able to save you that ransom payment.

Now, it’s been more than seven years since I was working in the private sector, but I think I still understand the importance of profit to a business, so let me say this as plainly as I can: If you’re a victim of ransomware, call the FBI right away, because together, we can try to save your money.

Saving organizations time 

But money’s not the only thing the Bureau can help you save.

When you’re the victim of a cyberattack, every second counts, and involving the FBI right from the outset can save your organization precious time when it matters most.

In fact, an IBM study last year proved exactly that.

The lifecycle of the average data breach is 33 days longer when the victim organization does not involve law enforcement in their response.

Can you afford an extra 33 days of downtime after a cyberattack? 

Consider, for example, the case of the Los Angeles Unified School District. It’s the nation’s second-largest school district, with 600,000 students and 100,000 employees. Two years ago, they were hit by a ransomware attack over Labor Day weekend and immediately called the FBI. We had our experts onsite within an hour, and, by the end of the weekend, we’d helped them halt the ransomware, turn their network back on, and restore priority systems—all without paying the hackers a cent and without losing a single day of operations.

Or what about the U.S. cancer treatment center that was the target of a ransomware attack last summer? Hackers had encrypted the center’s systems and data, leaving scores of patients without access to critical medical care. It’s hard to think of a case when the criminals were more callous—or when getting back online fast mattered more. Fortunately, the center engaged with the FBI fully, right from the start. And, in addition to investigators and technical experts, we also deployed crisis negotiators.

So, while we were busy working with our partners to provide indicators of compromise and share information about the hackers’ tactics and procedures, we were also helping the center negotiate the ransom payment, getting it from $450,000 down to $50,000. Using the decryption key the hackers then provided, the center was able to resume operations—just four days after the attack. In that instance, not only was it time-saving to work with the Bureau. According to the victim cancer center, it was also life-saving.

Saving organizations from becoming victims in the future  

But the value you’ll find in working with the FBI is more than just time and money.

The FBI has a suite of unique authorities and capabilities that are key to stopping and preventing attacks and essential to our work with victims before, during, and after they’re hit.

One particularly critical authority is Rule 41, which I know many of you are familiar with. It allows law enforcement to seize “instrumentalities of a crime.”

Think malware that’s been secretly installed on victim networks.

With Rule 41 search and seizure warrants, we can combat illicit cyber activity that spans multiple states, seizing the bad guys’ domains and servers, removing malware and webshells, or conducting operations to kick adversaries out of our systems. 

In the case of Volt Typhoon and Flax Typhoon, we could not have protected our nation’s critical infrastructure—your networks—without our Rule 41 authorities and the help of our partners in the private sector. In many of these cases, it’s the private sector that helps us identify the threat actors and understand those critical technical details. And, in some cases, we’re able to work with private sector companies and our government partners to develop mitigation measures, helping shut the doors the bad guys have propped open.

For us to continue to successfully execute our Rule 41 operations, information and intelligence sharing is critical because, bottom line: The FBI, our government partners, and the private sector each tend to have a piece of the puzzle, and everyone has to share their piece to complete the picture to help us impose the greatest possible cost on our adversaries. That’s how essential all of you are in our nation’s cybersecurity.

And we need you to keep playing a role in this space, because the threat is only going to get more severe as adversaries like China, Russia, and Iran turn to AI [artificial intelligence] to infiltrate our networks and steal our information. We’re going to need all the help we can get.

Conclusion 

The mission of the FBI always has—and always will—prioritize victims.

Working to keep people and organizations safe, providing the assistance they need in the aftermath of a crime: That’s what we do.  

And if the criminals and hostile nation-states behind today’s cyber threats had their way, everybody would be a victim—not just you and your networks, data, and livelihoods; but all Americans and the essential services they depend on.


So, if there’s only one thing you take away from my time here today, I hope it’s this: The FBI needs and wants to work with you. Let us save you money, save you time, and save you from future attacks so that you can keep your organization’s focus where it should be: on your operations, and—together—we can help keep our nation safe.

Thank you.
