Director's Remarks to the Boston Conference on Cyber Security 2022
Remarks prepared for delivery.
It’s good to be back here at BC, particularly since I couldn’t participate in the virtual conference last year. In fact, the last time I was able to participate was in March 2020, right before everything went into lockdown. It’s pretty incredible how quickly our lives—work, school, social events —shifted to being online.
I can’t say I was a fan of shifting from interacting with my staff around a conference table to seeing a fair number of folks show up only on screen, usually from elsewhere in the building.
It worked, sort of. But I’m glad we’ve been able to go back to meeting in person. For the FBI, a lot of our work is hard to accomplish online. We work with a lot of classified information that can’t go home, and we certainly can’t conduct crime scene investigations remotely.
But I recognize that we’re fairly unique, and a lot of businesses have been able to cut costs by keeping employees at home instead of leasing office spaces.
So, it’s clear that our world and our society are not just going back to where we were two-and-a-half years ago. And people are going to continue to take advantage of the connectivity that cyberspace provides.
But, at the same time, the shift of our personal and professional lives even more online has created new vulnerabilities. And malicious cyber actors are going to continue to take advantage of people and networks.
That includes cybercriminals holding data for ransom and nation states like China stealing defense and industrial secrets.
And lately, that’s included Russia trying to influence what happens in the ground war they started—by threatening attacks against the West in cyberspace.
I think, if we’re going to address cyber security properly, we’ve got to talk about how we’re responding to each of those threats.
We’ve got to hold the line on multiple fronts—all at once—to help people and businesses protect themselves, to support victims, and to inflict costs on criminals.
And we can’t let up on China or Iran or criminal syndicates while we’re focused on Russia. So that’s what we’re doing, taking on all these threats and shifting resources quickly to respond.
And I think it’s worth covering some of those threats with you today.
I do want to start with Russia because we’re laser focused on them right now.
I’m not breaking any new ground or compromising any intelligence sources by saying they’ve been absolutely reckless on the battlefield. They really don’t care who they hurt—civilians, noncombatants, women, children. And their recklessness with human lives carries over into how they act in cyberspace.
Of course, that’s not new. In 2017, the Russian military used the NotPetya malware to hit Ukrainian critical infrastructure. The attack was supposed to look like a criminal heist but was actually designed to destroy any systems it infected.
They targeted Ukraine but ended up also hitting systems throughout Europe, plus the U.S. and Australia, and even some systems within their own borders. They shut down a big chunk of global logistics.
That reckless attack ended up causing more than 10 billion dollars in damages—one of the most damaging cyberattacks in the history of cyberattacks—and spread world-wide before anyone knew to do anything.
Now, in Ukraine, we see them again launching destructive attacks, using tools like wiper malware. And we’re watching for their cyber activities to become more destructive as the war keeps going poorly for them.
At the FBI, we’re on what I’d call combat tempo.
We’ve got a 24/7 cyber command post running, and we've been pushing out intelligence products and technical indicators—not just to government partners, but also to private companies and others.
We’ve seen the Russian government taking specific preparatory steps towards potential destructive attacks, here and abroad. We’re racing out to potential targets to warn them about the looming threat, giving them technical indicators they can use to protect themselves. And we’re moving rapidly to disrupt Russian activity.
Just this April, the FBI disrupted a botnet that the Russian GRU intelligence service had created and could have used to obfuscate malicious and damaging cyber activity.
This is the same Russian agency behind NotPetya and that attacked the Ukrainian electric grid in 2015, attacked the Winter Olympics and Paralympics in 2018, and conducted attacks against Georgia in 2019.
The GRU’s Sandworm team had implanted Cyclops Blink malware on ASUS home routers and Firebox devices, which are firewall devices produced by WatchGuard Technologies and largely used by small to medium businesses.
By infecting and controlling thousands of these devices worldwide, the GRU could string them together to use their computing power in a way that would hide who was really running the network.
This past November, we alerted WatchGuard about the malware targeting their devices, and we collaborated with CISA and WatchGuard on mitigation.
We collected additional malware samples from U.S. victims, while WatchGuard developed mitigation tools.
We reverse-engineered the malware samples and developed a sophisticated technical operation to sever the GRU’s ability to communicate with the botnet’s command-and-control layer.
And in March, we executed the operation and successfully cut their ability to control the botnet.
We removed malware from the “Firebox” devices—used by small businesses for network security all over the world—and then shut the door the Russians had used to access them.
Clearly, that’s not the only threat coming out of Russia, and we’re certainly not resting on our laurels. But that was a pretty solid hit against Russian intelligence. And it shows that we can do quite a bit to counter threats and help companies hit by threats like that posed by the Russian government.
Reminders and Lessons
As I mentioned earlier, even while we’re at full tilt against Russian cyber threats, we’re also countering other nation-state and criminal cyber actors. So we’re particularly attuned to lessons from the Ukraine conflict that apply more broadly.
We’re not the only ones. We know that China is studying the Ukraine conflict intently. They’re trying to figure out how to improve their own capabilities to deter or hurt us in connection with an assault on Taiwan.
So, take for example the blended threat where we see Russia—like China, Iran, and sometimes other nation states—essentially hiring cyber criminals, in effect cyber mercenaries.
We see Russian cyber criminals explicitly supporting, and taking actions to assist, the Russian government, as well as some just taking advantage of the very permissive operating environment that exists in Russia.
In some instances, we also see Russian intelligence officers, moonlighting, making money on the side, through cybercrime or using cybercriminal tools to conduct state-sponsored attacks because they think it gives them some plausible deniability or will hide who's behind it.
So one key question for us today is, when do criminal actors become agents of their host nation?
Does money have to change hands, or is publicly pledging support to a foreign government enough?
We are realizing the value of our accumulated investigative work, with our partners, against all manner of Russian cyber threats. That work has established connections, motives, and tactics among Russian hackers before the current crisis.
It gives us a basis for potentially holding the Russian government accountable for the actions of a Russian ransomware gang. Because we’ve been able to show that their government sometimes supports, uses, and protects, cybercriminals.
A second thing we’re thinking about is the speed and scope of attribution. How do we balance the need for speed, to get to an operational level of attribution, supporting actions we or our partners need to take next, against specificity?
It won’t surprise you to learn that we can figure out which country is responsible for something, or even which specific intel service, faster than we can identify which individual was sitting at the keyboard.
For victims, we’re helping as we respond to malicious cyber activity in this kinetic, destructive context, we’ve found that speed trumps pretty much everything else. It’s more important for us to get to their doorstep in an hour than it is to tell them whether we’re looking at nation-state cyber activity or cyber criminals.
But it’s also important to keep marching toward more-specific attribution even while we hand off defensive information before we build the full picture of who’s responsible. Because for the broader government’s response calculations—for us to meaningfully degrade, disrupt, and deter a cyber adversary—we often need to be a lot more specific about who’s responsible.
A third lesson, or really a reminder, from this conflict with broad application: When it comes to the threat of destructive attack, the adversary’s access is the problem.
This is something we’ve talked about a lot, but that has acquired heightened resonance lately. Russia has, for years and years, been trying to infiltrate companies to steal information.
In the course of doing so, they’ve gained illicit access to probably thousands of U.S. companies, including critical infrastructure. Just look at the scope of their Solar Winds campaign.
They can use the same accesses they gained for collection and intelligence purposes to do something intentionally destructive. It’s often not much more than a question of desire.
That’s why, when it comes to Russia today, we’re focused on acting as early, as far “left of boom,” as we can against the threat.
That is, launching our operations when we see the Russians researching targets, scanning, trying to gain an initial foothold on the network, not when we see them later exhibit behavior that looks potentially destructive.
As broad as Russia’s potential cyber accesses across the country may be, they pale in comparison to China’s.
So the same reminder that this conflict has given the community about the urgency of battling adversaries at the point of access, or earlier, applies in spades when we think about how to defend against the Chinese Communist Party’s potential aggression toward Taiwan.
We need to study what’s going on with Russia and learn from it because we’re clearly not the only ones paying attention.
Now, China is clearly a very different threat than Russia. The Chinese government is methodical, hacking in support of long-term economic goals.
And China operates on a scale Russia doesn’t come close to. They’ve got a bigger hacking program than all other major nations combined. They’ve stolen more American personal and corporate data than all nations combined. And they’re showing no sign of tempering their ambition and aggression.
Even their hacks that may seem noisy and reckless actually fit into a long-term, strategic plan to undermine U.S. national and economic security.
China’s economy also gives it leverage and tools, sway over companies, that Russia lacks. For many U.S. and foreign companies doing business in China, or looking to, the cost effectively amounts to a blanket consent to state surveillance in the name of security—at best.
At worst, they’ve got to accept the risk that their sensitive information may be co-opted to serve Beijing’s geopolitical goals.
In 2020, we became aware that some U.S. companies operating in China were being targeted through Chinese government-mandated tax software. The businesses were required to use certain government-sanctioned software to comply with the value-added tax system and other Chinese laws.
A number of U.S. companies then discovered that malware was delivered into their networks through this software. So, by complying with Chinese laws for conducting lawful business in China, they ended up with backdoors into their systems that enabled access into what should be private networks.
That’s just one example of how the Chinese government is pursuing their goal to lie, cheat, and steal their way into global domination of technology sectors. It’s really a whole-of-government operation to steal research and proprietary secrets from U.S. companies and then undercut prices on the global market. So that companies that play by the rules can’t compete.
That effort is not limited to cyber. Heck, we’ve caught Chinese agents out in the heartland of the U.S. targeting our agricultural innovation, sneaking into fields to dig up proprietary, experimental, genetically modified seeds.
But China’s other means of stealing technology—things like human spies, corporate transactions—often run in concert with, and even in service of, its cyber program. Like when the MSS recently used a human agent on the inside to enable hackers in mainland China to penetrate GE Aviation’s joint venture partner and steal proprietary engine technology.
The Chinese government sees cyber as the pathway to cheat and steal on a massive scale. In March 2021, Microsoft and other U.S. tech and cybersecurity companies disclosed some previously unknown vulnerabilities targeting Microsoft Exchange Server software.
The hackers, operating out of China, had compromised more than 10,000 U.S. networks, moving quickly and irresponsibly to do so prior to the public disclosure of the vulnerabilities. Through our private sector partnerships, we identified the vulnerable machines.
And learned the hackers had implanted webshells—malicious code that created a backdoor and gave them continued remote access to the victims’ networks. So, we pushed out a joint advisory with CISA to give network defenders the technical information they needed to disrupt the threat and eliminate those backdoors.
But some system owners weren’t able to remove the webshells themselves, which meant their networks remained vulnerable. So, we executed a surgical, court-authorized operation, copying and removing the harmful code from hundreds of vulnerable computers.
Those backdoors the Chinese government hackers had propped open?
We slammed them shut, so the cyber actors could no longer use them to access victim networks. So, while that’s another win we can celebrate, it is also a stark reminder that the Chinese government remains a prolific and effective cyber espionage threat.
Iran and Boston Children’s Hospital
And China and Russia aren’t the only nation states exhibiting malicious behavior on the international stage. Iran and North Korea also continue to carry out sophisticated intrusions targeting U.S. victims.
In fact, in the summer of 2021, hackers sponsored by the Iranian government tried to conduct one of the most despicable cyberattacks I’ve seen—right here in Boston—when they decided to go after Boston Children’s Hospital.
Let me repeat that, Boston Children’s Hospital.
We got a report from one of our intelligence partners indicating Boston Children’s was about to be targeted. And, understanding the urgency of the situation, the cyber squad in our Boston Field Office raced to notify the hospital.
Our folks got the hospital’s team the information they needed to stop the danger right away. We were able to help them ID and then mitigate the threat.
And quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids who depend on it.
It’s a great example of why we deploy in the field the way we do, enabling that kind of immediate, before-catastrophe-strikes response.
Unfortunately, hospitals these days—and many other providers of critical infrastructure—have even more to worry about than Iranian government hackers.
If malicious cyber actors are going to purposefully cause destruction or are going to hold data and systems for ransom, they tend to hit us somewhere that’s going to hurt. That’s why we’ve increasingly seen cybercriminals using ransomware against U.S. critical infrastructure sectors.
In 2021, we saw ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors, including healthcare, but also many of the other things we depend on.
Ransomware gangs love to go after things we can’t do without.
We’ve seen them compromise networks for oil and gas pipelines, grade schools, 9-1-1 call centers. They also go after local governments.
The FBI cyber team here in Boston, for example, last May uncovered important indicators of compromise for the Avaddon ransomware strain.
Avaddon was one of the most prolific ransomware variants in the world at the time. Our folks quickly published what they found to warn the public.
And just two days after that, a local police department in the Southwest told FBI Boston that they’d seen some of those indicators of compromise we published—newly identified malicious IP addresses—connecting to the department’s network.
The police department was able to use our Boston Division’s information to stop Avaddon from infecting their network.
So, that’s our folks here helping out a city on the other side of the country and a lot of other potential victims nationwide, but also a reminder of the kind of damage ransomware groups are able and willing to inflict.
Lessons Learned from Disrupting Hackers
Hopefully, as you listen, you’ve been gleaning a bit about our focus. We aim to stop attacks, and degrade actors, as early as we can.
It’s worth taking a few minutes to think about what we’ve learned from the operations of the past couple of years, as more and more of society has moved online, and as cyberattacks and intrusions have accelerated.
For one, we’ve learned that in cyber, as with other parts of our work countering criminal organizations, we can impose costs on cybercriminals by focusing on three things: the people, their infrastructure, and their money. We make the most durable impact when we disrupt all three together and when we set aside who gets credit and just equip the best athlete with the information they need to take action.
First: To go after the people, we work with like-minded countries to identify who’s responsible for the most damaging ransomware schemes and take them out of the game. That may mean arresting and extraditing them to the U.S. to face justice. Or it may mean prosecution by a foreign partner.
Crucially, we cast a broad net, going after everyone from the ransomware administrators building the malware, to affiliates deploying it, to the hosting providers and money launderers making the criminal enterprise possible.
Second: Simultaneously, taking down cybercriminals’ technical infrastructure disrupts their operations.
For instance, last year, the FBI led an international operation that seized control of a botnet called Emotet, consisting of tens of thousands of infected computers, which had been used in a range of cybercrime schemes including ransomware.
And that Russian botnet we just disrupted in March is another great example of how we can take infrastructure offline before it causes damage.
Third: By going after their money, when we seize virtual wallets and return stolen funds, we hit them where it hurts, taking resources away from the bad guys, helping to prevent future criminal operations.
And we’ve had even bigger successes in disrupting operations by shutting down illicit currency exchanges.
Bottom line: We believe in using every tool we’ve got to impose risk and consequences and to remove bad guys from cyberspace.That includes leveraging every partnership we have.
FBI’s Role and the Virtuous Cycle
So how do we make all that happen. How do we make sure the best athlete has the proverbial ball at the right time and that we’re all making each other stronger?
There's a symmetry to the way we identify threats and the way we deal with them.
At the FBI, as both a law enforcement and intelligence service, we're pulling in information about hostile cyber activity from a wide range of sources, from on one end of the spectrum, providers, incident response firms, victims, and others in the private sector, and from our partnerships with CISA, Treasury, and other SRMAs.
From our FISA collection, human sources, our fellow USIC agencies' signals and human collection, and from intelligence and law enforcement partners around the world, many of whom have overseas FBI cyber agents working alongside them daily.
Then, we analyze what the adversaries are trying to do, and how. We take, for example, information shared by one victim we know they hit and work back to find others either already being hit or about to be.
We dissect their malware to see what it's capable of and compare what we see in the field to what we know about their strategic intent.
Then—the other side of that symmetry I mentioned—we quickly push the information we've developed to wherever it can do the most good, whether that means employing our tools or arming partners to use theirs, or both. Often that means racing information to victims or potential victims.
We've developed the ability to get a technically trained agent out to just about any company in America in an hour, and we use it a lot.
Almost every week, we’re rushing cyber agents out to help companies figure out what they’ve got on their systems, how to disrupt it, how to interrupt it, how to mitigate, and how to prevent this from becoming something much worse.
Other times, we work jointly with CISA, and often NSA, to disseminate the information even more broadly, if more companies and public entities can make use of it.
For example, in the last couple of months you've seen us publish indicators of compromise for Russian cyber operations targeting U.S. critical infrastructure, helping companies prepare defenses and enabling threat hunting.
And not long ago, you saw us and NSA push out details on malware the GRU was using to help companies defend against it.
But we're also pushing what we learn to government partners in order to enable joint, sequenced operations that disrupt the harm at its source, at the same time we’re helping companies mitigate on their own networks.
We push targeting information about hostile infrastructure abroad either to foreign law enforcement, to seize or shut down; or to government partners here with a mandate to conduct offensive operations overseas; or to Treasury or Commerce, for sanctions.
And so on.
But it’s important to keep in mind that we aren’t playing a one-move game. What we need to do is kick off a virtuous cycle that feeds on itself.
We use the information one company might give us to develop information about who the adversary is, what they're doing, where, why, and how, taking pains to protect that company’s identity just as we do our other sources.
Then, when we pass what we develop to partners here and abroad—our fellow U.S. and foreign intel services, foreign law enforcement, CISA and sector risk management agencies, providers like Microsoft.
Crucially, those partners can then in turn leverage what we've given to provide us with more information.
Enhancing our Global Investigations
Helping us discover more malicious infrastructure we can target ourselves, or alert private sector partners to more opportunities to arrest or otherwise disrupt the adversaries, which leads us to more useful information to pass back to that first company, to better remediate and protect itself, maybe find more technical info it can share back to us and to our partners, to take further steps. And so on.
It's why we're deployed all over this country and in nearly 80 countries around the world.
What these partnerships let us do is hit our adversaries at every point—from the victims' networks, back all the way to the hackers' own computers.
Of course, for this virtuous cycle of information to work, we rely on companies to work with us the way WatchGuard and Boston Children’s Hospital did.
So, for companies that conduct any work on the internet, I would encourage you to have an incident response plan and to include contacting your local FBI field office as part of that plan. It’s immensely helpful for any business to have an existing relationship with their local office before an attack occurs.
In fact, that’s one of the reasons we were able to help Boston Children’s Hospital so quickly.
The FBI Boston Field Office had worked with Children’s on a series of attacks in 2014—those stemming from a misguided online protest. We worked closely with Children’s all the way through our investigation, which led to a conviction and sentencing of the hacker in 2019.
So, Children’s and our Boston office already knew each other well before the attack from Iran, and that made a difference.
So, I’d encourage everyone to give us a call and talk with your local FBI cyber team.
But whether you take that proactive step or not, if you suspect a cyber intrusion, please report the compromise by contacting your local field office immediately—the more quickly we get involved, the more we can do to help.
Thank you all for being here and for inviting me to speak.
Our goal at the FBI is to make sure Americans and our partners and families overseas can use cyberspace safely and securely. To do that, we rely on help from everyone in this room—whether you’re a government partner, a service provider, or an online content writer. And I want you to know you can rely on us to help you.
Thank you for your trust and for your ideas on how to do this better.
I’m looking forward to helping the Bureau work with each of you.