Bryan Vorndran
Assistant Director, Cyber Division
Federal Bureau of Investigation
Boston, Massachusetts
June 5, 2024

FBI Cyber Assistant Director Bryan Vorndran's Remarks at the 2024 Boston Conference on Cyber Security

FBI Cyber Division Assistant Director Bryan Vorndran delivers a keynote address at the 2024 Boston Conference on Cyber Security on June 5, 2024.

FBI Cyber Division Assistant Director Bryan Vorndran delivers a keynote address at the 2024 Boston Conference on Cyber Security on June 5, 2024.


Remarks as prepared for delivery.

Good morning. My name is Bryan Vorndran, and I’m the assistant director of the FBI’s Cyber Division. 
 
Director Wray and Deputy Director Abbate extend their regrets for not being able to make today’s important event.  

I want to begin by briefly discussing how FBI executes its strategy to disrupt our cyber adversaries.

First, given FBI’s history, it should not be surprising that one of our core focuses is investigating and attributing cyber activity to disrupt cybercriminals and raise their cost to operate. Bottom line, we want to punish cybercriminals and take them off of the playing field.

Next, we must gather and operationalize domestic intelligence to bolster victim recovery and support operational activity, or, as we say, we must pressure the common threats we face. We pressure these common threats by initiating joint and sequenced operations and on network operations to fight back against cyber adversaries from a domestic position and as a foothold for USIC [U.S. Intelligence Community] partners to engage. It’s an all-tools/all-partners approach.  
 
When I say “all-partners,” I mean it. We look to partner with domestic and global partners in both the public and private sectors. This is how we have the most significant impact on our adversaries. 

And the final way we execute the FBI’s cyber strategy is perhaps the most important one: victim engagement. We must provide rapid, comprehensive threat response and victim support in the wake of significant cyber intrusions, so, what authorities allow us to do our work.

Briefly:

  • We have Title 18 authority to investigate computer intrusions.
  • We have specific authorities within Rule 41, which governs search and seizure, allowing [the] FBI to seize malware covertly installed on U.S. infrastructure by our adversaries.
  • We have specific counterintelligence authorities allowing [the] FBI to be integrally involved in any nation-state campaigns targeting U.S.-based organizations.
  • And, then, we have FISA [Foreign Intelligence Surveillance Act] authority, including Title 1, Title 3, and Section 702. FISA Title I and Title III govern FBI’s activities inside the United States, and FISA Section 702 governs [the] FBI’s collection outside the United States. These authorities logically create two halves, the cybercriminal and national security investigations.

Almost all of the criminals developing sophisticated malware to enable ransomware attacks are based in Russian-speaking countries and operate as organized crime syndicates, similar to traditional organized crime elements. They’re entrepreneurial and have successfully lowered barriers to entry through ransomware-as-a-service. There are four key services to this business model: infrastructure, communications, malware, and currency. 

Specific to the malware key service, highly skilled malware coders are developing more-and-more sophisticated malware. Their affiliate model allows less technically skilled criminals who are obscured from the enterprise leaders to deploy highly sophisticated malware for their personal gain, while paying a percentage of their proceeds to the highly skilled malware coders.

Any organization’s goal should be to prevent these attacks, and prevention efforts should be commensurate with acceptable downtime. If acceptable downtime is one day, increasing prevention effort should be a high priority. Without effective steps taken in advance of the breach, an organization can find themselves wholly reliant on the honesty and integrity of bad actors to give them their data back.  

Let’s talk about target identification. 

Ransomware actors evaluate three key things.

  • First, who is easily targetable?
  • Second, who is likely to pay based on brand damage?
  • Finally, who will pay the most?

Put in more industry standard terms: who doesn’t have good net defense, has a high willingness to pay, and will suffer the most economic impact from the encryption of key systems?

Ransomware attacks are almost always coupled with data theft—which we refer to as "double extortion"—or data theft and harassment of the victims and company officials, called "triple extortion."
 
Let me make one additional note: When companies are extorted and choose to pay to prevent the leak of data, you are paying to prevent the release of data right now—not in the future. Even if you get the data back from the criminals, you should assume it may one day be released, or you may one day be extorted again for the same data.  

And when we are pursuing cybercriminal finances, infrastructure, and actors, one area we are specifically focused on is disrupting key services. 

One of the big developments from specialization is that malicious coders can write malware and then just sell access to other criminals who want to use it to attack or infect victims’ computer systems. 

By going after this key service, we can have a massive impact on cybercrime. 

Just a week ago, our field offices in Charlotte, Indianapolis, Jacksonville, Los Angeles, and Cleveland worked with the Defense Criminal Investigative Service and U.S. Secret Service—along with international partners from Denmark, France, Germany, and the Netherlands—to conduct a technical operation against four groups who offer malware as a service, in the first such operation ever conducted. 
 
That operation, Endgame, defeated multiple malware variants, took down more than 100 servers, and dismantled the infrastructure for four key pieces of global malware, which had been responsible for hundreds of millions of dollars in damages and had even compromised the critical-care online system a hospital needed to keep patients alive. 

Additionally, the five nations who conducted the technical operation worked with law enforcement in Portugal, Ukraine, and the U.K. [United Kingdom]—as well as with Europol and Eurojust—to arrest and interview suspects, conduct searches, and seize or take down servers all over the world.  

We’re still gathering information from that operation, but it is already a huge success, just in removing the malware that those groups were selling to other criminals. 

And let’s not forget about the Warzone Remote Access Trojan which was investigated by the FBI Boston Field Office, with support from the United States Attorney’s Office here in Boston. The Warzone RAT—the industry acronym for Remote Access Trojan—provided cybercriminals the ability to browse victim file systems, take screenshots, record keystrokes, steal victim usernames and passwords, and watch victims through their web cameras, all without the victims’ knowledge or permission. 

In February, 2024, the FBI Boston Cyber Task Force conducted a joint sequenced operation with authorities in Nigeria and Malta that included five lines of effort: 

  • The seizure of four domains; 
  • The destruction on infrastructure which facilitated Warzone’s operations;
  • The tracing and seizure of cryptocurrency;
  • The covert purchase of the malware; and
  • The arrest, conviction, and sentencing of the primary subject in Nigeria.  

This year, FBI also conducted a complex operation against LockBit—a huge operation that functioned with a ransomware-as-a-service model.  

LockBit was set up by a Russian coder named Dimitri Khoroshev.  

He maintains the image of a shadowy hacker, using online aliases like "Putinkrab," "Nerowolfe," and "LockBitsupp." But, really, he is a criminal, more caught up in the bureaucracy of managing his company than in any covert activities. 
 
Essentially, he licenses LockBit ransomware, allowing hundreds of affiliate criminal groups to run shakedowns. 

In exchange for the use of his software, he gets a 20% cut of whatever ransoms they collect from innocent people and companies around the world. 

To help his affiliates succeed, he provides them assistance through hosting and storage, by estimating optimal ransom demands, and by laundering cryptocurrency.  

He even offers discounts for high-volume customers. 

These LockBit scams run the way local thugs used to demand “protection money” from storefront businesses. LockBit affiliates steal your data, lock it down, and demand a payment to return your access to it. Then, if you pay the ransom, they return your access to your data. But they also keep a copy, and sometimes they demand a second payment to stop them from releasing your personal or proprietary information online. 

Since September 2019, Khoroshev has leased-out his virus and enabled his affiliates to extort people all over the world. 

They have used LockBit ransomware to attack people and organizations in financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. 

By 2022, LockBit was the most-deployed ransomware variant in the world. 

It was used by hundreds of unconnected affiliates and has been responsible for over 1,800 attacks in the U.S. and more than 2,400 attacks globally, causing billions of dollars in damages to victims. 

Disrupting LockBit and its affiliates became a global effort, involving FBI work with agencies from 10 other countries, particularly the British National Crime Agency, over more than three years. 

In February, we announced the results of a major technical operation to disrupt and seize infrastructure, as well as to impose sanctions on LockBit and its affiliates.  

We determined that LockBit and its affiliates were still holding data they told LockBit victims they had deleted—after receiving ransom payments.  

Khoroshev then tried to get us to go easy on him by turning on his competitors, naming other ransomware-as-a-service operators. 

So, it really is like dealing with organized crime gangs, where the boss rolls over and asks for leniency. 

We will not go easy on him. 

Last month, the Justice Department unsealed charges against him and six co-conspirators for fraud, extortion, and other crimes. 

In total, that included 26 charges against Khoroshev. FBI will undoubtedly continue our pursuit of bringing him to justice here in the United States. 

Additionally, from our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online. 

We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov. 

I want to briefly touch on some reflections about the cybercriminal ecosystem.

Doing the basics well in a repeatable fashion is the most important thing you can do. 

Well-established cybersecurity practices—including MFA [multi-factor authentication] and password management, effective logging and log management, vulnerability and patch management, and maintaining air-gapped, encrypted, and current backups—have to be done in a repeatable fashion by your entire organization. 

Next, you need to plan well. And I’ll spend some time here.  

These plans should cover business continuity, crisis management, disaster recovery, and computer intrusion incident response. 

It is very important these plans are not developed and exercised in isolation. It’s also important for the plans to be exercised at the operational, executive, and board levels. 

The goal of your exercises should be to:

  1. Develop synergy amongst decision makers; and
  2. Refine your decision-making process. 

Based on our experience, there are three key areas of focus for your exercises.

First, communications. Internal and external communications protocols (and decision making) should be the number-one focus area for all of your exercises.  

The second goal is related to a ransomware attack and focuses on the “pay/no-pay” decision. If you suffer a ransomware attack, does your organization and its board have clear expectations about when you will and won’t pay the ransom based on organizational impact (e.g. downtime)?  

The third goal of your exercises is determining whether you will or won’t share with the U.S. government. This is likely to be the most-debated topic during your exercises. And, even if there is an agreement to share, the second point of evaluation will be: “What do we want to share?”

Again, the most well-prepared organizations have worked through multiple scenarios and have scripted their decisions based on a host of variables. Having an information-sharing plan included in your incident-response plan can help you prepare to engage the USG [U.S. government] when the time comes. It is important your inside and outside counsel contribute to that plan.  

And one final note about the relationships you’ll need prior to an intrusion: Assuming you will retain outside counsel, what is the threshold for engaging outside counsel? What guidance have you agreed to with counsel about information sharing? Have you discussed what reports counsel will direct third-party incident response to draft (internal-eyes-only, privilege, non-privilege)? 

Who will you retain as third-party incident response, and what is the threshold for calling them? Do they know what reports they will be asked to write for the victim?  

The same questions apply for your insurance provider and negotiators. 

Specific to insurance providers, the gold standard is this: Your retained counsel must know what’s in your insurance policy prior to an intrusion. This will ensure efficiency in decision-making during a time of crisis. And from an FBI perspective, we’re looking right now at how we more holistically engage the insurance industry to ensure we’re being a force multiplier benefiting victims. 

With initial access brokers, criminals have the flexibility to lease as much power as they need for their crimes and to hold onto them as long as they need them. 

Another business model for bots is to string them together into a massive and powerful botnet and then sell use of it. 

Just last week, the FBI—working with partners in Thailand, Singapore, and Germany—disrupted the world’s largest botnet and residential proxy service: 911 S5. This botnet had victimized more than 19 million IP addresses in nearly 200 countries, including at least 600,000 in the U.S. alone. It was used to commit cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.  
 
911 S5 allegedly enabled cybercriminals to bypass financial-fraud detection systems and steal billions of dollars from financial institutions, credit-card issuers, and federal lending programs. Most of the fraud enabled by the botnet came in the form of phony pandemic relief fund applications, taking advantage of government services at a time when the most vulnerable among us needed that assistance the most. That included more than half-a-million fraudulent unemployment applications and more then 47,000 fraudulent applications to the Economic Injury Disaster Loan program. 

Our international technical operation seized the botnet’s domains and $29 million dollars in cryptocurrency. Additionally, the U.S. Treasury imposed sanctions, and the botnet’s administrator, YunHe Wang, was arrested overseas.

When we talk about targeting by nation-states, our collective goal should focus on early detection, containment, and eviction.  

China is the most prolific threat. Other active nation-state actors include Russia, Iran, and North Korea. 

For private sector companies, the state-sponsored threat encompasses corporate espionage, destructive attacks, influence operations, and intelligence collection—either through direct adversarial action or through collateral collection.  

As we saw in SolarWinds, the Russian SVR [Russia's foreign intelligence service] surgically targeted a handful of U.S. government agencies through a sophisticated software-based supply-chain compromise and, in doing so, compromised an additional 18,000 companies, all of whom were rendered vulnerable.  

I want to briefly touch on 3rd party applications and the “outsized” risk they pose to sectors or industries.

Imagine, for a moment, an entire sector or industry uses a niche, but common, third-party application to facilitate its business. This common third-party application is depicted by the red box on the screen. 

From an adversary’s perspective, targeting this application can allow criminals or a nation-state to have an outsized impact throughout an entire sector or industry. 
 

This is why, within sectors and industries, we must use the term “peer” instead of “competitor.” In cyber, if you are being targeted, so are your sector and industry peers. Information sharing with your peers is absolutely critical for entire sectors and industries to be more resilient to cyber threats.  

Okay, let’s get back to the threats themselves.

Theft of intellectual property [IP] or personally identifiable information [PII], specifically by China, remains highly probable. China then takes this IP or information and attempts to monetize it. We remain deeply concerned about the monetization of stolen IP for China’s economic gain.

We could provide hundreds of examples, but one discussed openly is China’s attempted theft of COVID[-19] vaccine research from multiple U.S. universities. The same is true in other areas of emerging technology and research, including artificial intelligence and machine learning, quantum computing and communications, clean energy, etc. 

We also remain very concerned about the skills being developed by Chinese state-affiliated proxies and actors and their moonlighting for personal gain. 

When actors are uncontrolled, they operate with fewer constraints and will undoubtedly seek to profit personally from their “off-the-record” work.

We saw China-sponsored hackers compromise United States state.gov domains for various reasons, including profit. To effectuate this monetary gain, these China-sponsored hackers used stolen PII.  

Next, "hack and dumps." This is a term you don’t hear too much about but it’s our adversaries’ intent to compromise your network, acquire sensitive personal information, and then “dump” it onto the internet. This is often in an effort to promote competitive advantage. 

A simple question for you to ask your team is this: How long would it take for your organization to know there is sensitive information—or disinformation—on the internet about your organization that could influence others’ view of our reputation, or directly impact the short- or long-term valuation of our company?   
 
We should also assess internally if we have the ability to detect when sensitive information is removed from our networks.  
 
Lastly, access in furtherance of attacks. In military circles, this is referred to as “prepping the battlefield. It involves pre-positioning tools and capabilities to maximize advantage should a need for a future attack arise or should [a] specific red line be crossed. This access is generally very difficult to detect as the adversary sits dormant after initial exploit, which emphasizes the importance of penetration-testing and threat-hunting work.  

This is a really important conversation for companies who sit within critical infrastructure sectors, and the goal is simple: early detection and eviction. It’s the never-ending game of cat and mouse.  

However, while cybercriminals’ ecosystem and business models have changed and continue changing, and while our approach to disruption has changed with them, that does not mean the hostile nation-state threat from cyber has lessened in any way—nor that our efforts to disrupt hostile-government operations have slowed. 

For instance, in January, the FBI Field Office here in Boston led Operation Dying Ember, an international effort against Russian military intelligence: the GRU. This is the same Russian agency behind NotPetya, and the same one that attacked the Ukrainian electric grid in 2015, attacked the Winter Olympics and Paralympics in 2018, and conducted attacks against the country of Georgia in 2019. 

Often, sophisticated actors like the GRU will use the same sort of botnets that criminals use, aiming to cover their tracks. 

By weaponizing common devices and technologies, the Russian government continues to blur the line between criminal activity and their operations. 
 
In this case, the GRU was taking advantage of a botnet to target the U.S. government, cleared defense contractors, NATO allies, and the Ukrainian aid shipment network. 

Our court-authorized technical operation kicked the GRU off more than 1,000 home and small-business routers belonging to unwitting victims all over the world—including here in Massachusetts. 

A computer scientist and a case agent here in the FBI Boston Field Office worked together to figure out how to remediate the routers—to get GRU malware off of them and to prevent reinfections. We removed surreptitiously installed malware from more than 400 routers here in the United States and hardened them against GRU re-attacks, and our international counterparts did so for about twice as many overseas. 

This was an operation we could not have accomplished without corporate partners, particularly Microsoft and the Shadowserver Foundation. 

By killing the GRU’s access to a botnet they were using to run cyber operations around the world, we both helped to protect unwitting businesses and individuals and put a dent in Russia’s cyber-enabled intelligence operations. 

As the Russian government continues to be reckless in cyberspace, the Chinese government can only be characterized as relentless. 

The Chinese government has the largest cyber program in the world, and it continues to use sophisticated tools to gain access to places they should not be. 

You may have heard about a group of China-sponsored hackers known as Volt Typhoon. 

We found persistent Chinese-government access inside our critical telecommunications, energy, water, and other infrastructure sectors. 

They were hiding inside our networks using tactics known as living off the land, essentially exploiting built-in tools that already exist on victim networks to get their sinister job done—tools that network defenders expect to see in use, so they do not raise suspicions.

Volt Typhoon also operated botnets to further conceal their malicious activity and the fact that the intrusion was coming from China. 

All this, with the goal of giving the Chinese government the ability to wait for just the right moment to deal a devastating blow. 
 
When Volt Typhoon’s malware was discovered in critical infrastructure, we joined our U.S. and international partners—beginning last spring, and again this February—to first author a series of joint cybersecurity advisories about what we saw, effectively calling out the hackers and sharing technical information victims can use to protect themselves. 

And then, we followed up those warnings with action aimed at the hackers.  Working with our partners in the private sector, the FBI was able to identify the threat vector and lead a multi-agency, court-authorized operation to not only remove Volt Typhoon’s malware from the routers it had infected throughout the U.S., but also to sever their connection to that network of routers and prevent their reinfection. 

And while the recent Volt Typhoon story understandably caused a stir because of the sheer magnitude of the operation, the fact is the Chinese government’s targeting of our critical infrastructure is both broad and unrelenting. 

So, what about the future? 

For China, this has been—and remains—simple math: What do American organizations possess that the Chinese want?
 
You do not have to look further than China’s 14th Five-Year Plan published in English on the internet. Why is it published in English? so they can use every vector and sympathetic party to steal to support their growth.   
 
The Chinese want intellectual property associated with information technology, biotechnology, new energy, new materials, high-end equipment, new energy vehicles, quantum, environmental protection, aerospace, and marine equipment—those are areas of extreme focus.
 
[The] FBI is also very focused on current SVR [Russian foreign intelligence service] activity and the ransomware affiliate group referred to as Scattered Spider. 

And other current focus areas include artificial intelligence, machine learning, and doing everything we can to ensure the 2024 election is secure.  

As I close here today, I want to reflect on a few things.

All threats evolve, and our collective strategies need to evolve with them. 

The FBI had its most prolific year ever in terms of disruptions of cyber adversaries in 2023, something we’re exceptionally proud of. 
 
But we should all remember we face extremely capable adversaries in China, Russia, Iran, North Korea, and with Russian-based cybercriminals who have safe-haven status in Russia.  

We should also remember that 85-90% of the most powerful cyber-threat intelligence lies in the hands of those other than the United States government, which brings me to a final point about partnerships: Not one of our past—or future—disruptions is possible without exceptional partnerships. We have to realize, and execute upon this theme, that we are in this together. We are stronger together. 

My ask of each of you today is this: Please be an ambassador for this message. We need everyone—private industry, nonprofits, academia, the U.S. government—in the boat, rowing in the same direction. This is how we will be most effective.  

And while not a Celtics fan—as I’m from Philadelphia—I can absolutely appreciate a great sports town, and Boston is certainly that. 

It’s my understanding the Celtics have a “win song.” So, as a fellow sports fan, I hope they play “All I Do Is Win” by DJ Khaled in Boston at least four times between now and June 23. 

Thank you for your time today.