It’s good to be back here at BC, particularly since I couldn’t participate in the virtual conference last year. In fact, the last time I was able to participate was in March 2020, right before everything went into lockdown. It’s pretty incredible how quickly our lives—work, school, social events—shifted to being online.
I can’t say I was a fan of shifting from interacting with my staff around a conference table to seeing a fair number of folks show up only on screen, usually from elsewhere in the building.
It worked, sort of. But I’m glad we’ve been able to go back to meeting in person. For the FBI, a lot of our work is hard to accomplish online. We work with a lot of classified information that can’t go home, and we certainly can’t conduct crime scene investigations remotely.
But I recognize that we’re fairly unique, and a lot of businesses have been able to cut costs by keeping employees at home instead of leasing office spaces.
So, it’s clear that our world and our society are not just going back to where we were two-and-a-half years ago. And people are going to continue to take advantage of the connectivity that cyberspace provides.
But, at the same time, the shift of our personal and professional lives even more online has created new vulnerabilities. And malicious cyber actors are going to continue to take advantage of people and networks.
That includes cybercriminals holding data for ransom and nation states like China stealing defense and industrial secrets.
And lately, that’s included Russia trying to influence what happens in the ground war they started—by threatening attacks against the West in cyberspace.
I think, if we’re going to address cyber security properly, we’ve got to talk about how we’re responding to each of those threats.
We’ve got to hold the line on multiple fronts—all at once—to help people and businesses protect themselves, to support victims, and to inflict costs on criminals.
And we can’t let up on China or Iran or criminal syndicates while we’re focused on Russia. So that’s what we’re doing, taking on all these threats and shifting resources quickly to respond.
And I think it’s worth covering some of those threats with you today.
Russia
I do want to start with Russia because we’re laser focused on them right now.
I’m not breaking any new ground or compromising any intelligence sources by saying they’ve been absolutely reckless on the battlefield. They really don’t care who they hurt—civilians, noncombatants, women, children. And their recklessness with human lives carries over into how they act in cyberspace.
Of course, that’s not new. In 2017, the Russian military used the NotPetya malware to hit Ukrainian critical infrastructure. The attack was supposed to look like a criminal heist but was actually designed to destroy any systems it infected.
They targeted Ukraine but ended up also hitting systems throughout Europe, plus the U.S. and Australia, and even some systems within their own borders. They shut down a big chunk of global logistics.
That reckless attack ended up causing more than 10 billion dollars in damages—one of the most damaging cyberattacks in the history of cyberattacks—and spread world-wide before anyone knew to do anything.
Now, in Ukraine, we see them again launching destructive attacks, using tools like wiper malware. And we’re watching for their cyber activities to become more destructive as the war keeps going poorly for them.
At the FBI, we’re on what I’d call combat tempo.
We’ve got a 24/7 cyber command post running, and we’ve been pushing out intelligence products and technical indicators—not just to government partners, but also to private companies and others.
We’ve seen the Russian government taking specific preparatory steps towards potential destructive attacks, here and abroad. We’re racing out to potential targets to warn them about the looming threat, giving them technical indicators they can use to protect themselves. And we’re moving rapidly to disrupt Russian activity.
Russia/WatchGuard
Just this April, the FBI disrupted a botnet that the Russian GRU intelligence service had created and could have used to obfuscate malicious and damaging cyber activity.
This is the same Russian agency behind NotPetya and that attacked the Ukrainian electric grid in 2015, attacked the Winter Olympics and Paralympics in 2018, and conducted attacks against Georgia in 2019.
The GRU’s Sandworm team had implanted Cyclops Blink malware on ASUS home routers and Firebox devices, which are firewall devices produced by WatchGuard Technologies and largely used by small to medium businesses.
By infecting and controlling thousands of these devices worldwide, the GRU could string them together to use their computing power in a way that would hide who was really running the network.
This past November, we alerted WatchGuard about the malware targeting their devices, and we collaborated with CISA and WatchGuard on mitigation.
We collected additional malware samples from U.S. victims, while WatchGuard developed mitigation tools.
We reverse-engineered the malware samples and developed a sophisticated technical operation to sever the GRU’s ability to communicate with the botnet’s command-and-control layer.
And in March, we executed the operation and successfully cut their ability to control the botnet.
We removed malware from the “Firebox” devices—used by small businesses for network security all over the world—and then shut the door the Russians had used to access them.
Clearly, that’s not the only threat coming out of Russia, and we’re certainly not resting on our laurels. But that was a pretty solid hit against Russian intelligence. And it shows that we can do quite a bit to counter threats and help companies hit by threats like that posed by the Russian government.
Reminders and Lessons
As I mentioned earlier, even while we’re at full tilt against Russian cyber threats, we’re also countering other nation-state and criminal cyber actors. So we’re particularly attuned to lessons from the Ukraine conflict that apply more broadly.
We’re not the only ones. We know that China is studying the Ukraine conflict intently. They’re trying to figure out how to improve their own capabilities to deter or hurt us in connection with an assault on Taiwan.
So, take for example the blended threat where we see Russia—like China, Iran, and sometimes other nation states—essentially hiring cyber criminals, in effect cyber mercenaries.
We see Russian cyber criminals explicitly supporting, and taking actions to assist, the Russian government, as well as some just taking advantage of the very permissive operating environment that exists in Russia.
In some instances, we also see Russian intelligence officers, moonlighting, making money on the side, through cybercrime or using cybercriminal tools to conduct state-sponsored attacks because they think it gives them some plausible deniability or will hide who’s behind it.
So one key question for us today is, when do criminal actors become agents of their host nation?
Does money have to change hands, or is publicly pledging support to a foreign government enough?
We are realizing the value of our accumulated investigative work, with our partners, against all manner of Russian cyber threats. That work has established connections, motives, and tactics among Russian hackers before the current crisis.
It gives us a basis for potentially holding the Russian government accountable for the actions of a Russian ransomware gang, because we’ve been able to show that their government sometimes supports, uses, and protects cybercriminals.
A second thing we’re thinking about is the speed and scope of attribution. How do we balance the need for speed, to get to an operational level of attribution, supporting actions we or our partners need to take next, against specificity?
It won’t surprise you to learn that we can figure out which country is responsible for something, or even which specific intel service, faster than we can identify which individual was sitting at the keyboard.
For victims we’re helping as we respond to malicious cyber activity in this kinetic, destructive context, we’ve found that speed trumps pretty much everything else. It’s more important for us to get to their doorstep in an hour than it is to tell them whether we’re looking at nation-state cyber activity or cyber criminals.
But it’s also important to keep marching toward more-specific attribution even while we hand off defensive information before we build the full picture of who’s responsible. Because for the broader government’s response calculations—for us to meaningfully degrade, disrupt, and deter a cyber adversary—we often need to be a lot more specific about who’s responsible.
A third lesson, or really a reminder, from this conflict with broad application: When it comes to the threat of destructive attack, the adversary’s access is the problem.
This is something we’ve talked about a lot, but that has acquired heightened resonance lately. Russia has, for years and years, been trying to infiltrate companies to steal information.
In the course of doing so, they’ve gained illicit access to probably thousands of U.S. companies, including critical infrastructure. Just look at the scope of their SolarWinds campaign.
They can use the same accesses they gained for collection and intelligence purposes to do something intentionally destructive. It’s often not much more than a question of desire.
That’s why, when it comes to Russia today, we’re focused on acting as early, as far “left of boom,” as we can against the threat.
That is, launching our operations when we see the Russians researching targets, scanning, trying to gain an initial foothold on the network, not when we see them later exhibit behavior that looks potentially destructive.
As broad as Russia’s potential cyber accesses across the country may be, they pale in comparison to China’s.
So the same reminder that this conflict has given the community about the urgency of battling adversaries at the point of access, or earlier, applies in spades when we think about how to defend against the Chinese Communist Party’s potential aggression toward Taiwan.
We need to study what’s going on with Russia and learn from it because we’re clearly not the only ones paying attention.
China
Now, China is clearly a very different threat than Russia. The Chinese government is methodical, hacking in support of long-term economic goals.
And China operates on a scale Russia doesn’t come close to. They’ve got a bigger hacking program than all other major nations combined. They’ve stolen more American personal and corporate data than all nations combined. And they’re showing no sign of tempering their ambition and aggression.
Even their hacks that may seem noisy and reckless actually fit into a long-term, strategic plan to undermine U.S. national and economic security.
China’s economy also gives it leverage and tools, sway over companies, that Russia lacks. For many U.S. and foreign companies doing business in China, or looking to, the cost effectively amounts to a blanket consent to state surveillance in the name of security—at best.
At worst, they’ve got to accept the risk that their sensitive information may be co-opted to serve Beijing’s geopolitical goals.
In 2020, we became aware that some U.S. companies operating in China were being targeted through Chinese government-mandated tax software. The businesses were required to use certain government-sanctioned software to comply with the value-added tax system and other Chinese laws.
A number of U.S. companies then discovered that malware was delivered into their networks through this software. So, by complying with Chinese laws for conducting lawful business in China, they ended up with backdoors into their systems that enabled access into what should be private networks.
That’s just one example of how the Chinese government is pursuing their goal to lie, cheat, and steal their way into global domination of technology sectors. It’s really a whole-of-government operation to steal research and proprietary secrets from U.S. companies and then undercut prices on the global market, so that companies that play by the rules can’t compete.
That effort is not limited to cyber. Heck, we’ve caught Chinese agents out in the heartland of the U.S. targeting our agricultural innovation, sneaking into fields to dig up proprietary, experimental, genetically modified seeds.
But China’s other means of stealing technology—things like human spies, corporate transactions—often run in concert with, and even in service of, its cyber program. Like when the MSS recently used a human agent on the inside to enable hackers in mainland China to penetrate GE Aviation’s joint venture partner and steal proprietary engine technology.
The Chinese government sees cyber as the pathway to cheat and steal on a massive scale. In March 2021, Microsoft and other U.S. tech and cybersecurity companies disclosed some previously unknown vulnerabilities targeting Microsoft Exchange Server software.
The hackers, operating out of China, had compromised more than 10,000 U.S. networks, moving quickly and irresponsibly to do so prior to the public disclosure of the vulnerabilities. Through our private sector partnerships, we identified the vulnerable machines.
And we learned the hackers had implanted web shells—malicious code that created a backdoor and gave them continued remote access to the victims’ networks. So, we pushed out a joint advisory with CISA to give network defenders the technical information they needed to disrupt the threat and eliminate those backdoors.
But some system owners weren’t able to remove the webshells themselves, which meant their networks remained vulnerable. So, we executed a surgical, court-authorized operation, copying and removing the harmful code from hundreds of vulnerable computers.
Those backdoors the Chinese government hackers had propped open?
We slammed them shut, so the cyber actors could no longer use them to access victim networks. So, while that’s another win we can celebrate, it is also a stark reminder that the Chinese government remains a prolific and effective cyber espionage threat.
Iran and Boston Children’s Hospital
And China and Russia aren’t the only nation states exhibiting malicious behavior on the international stage. Iran and North Korea also continue to carry out sophisticated intrusions targeting U.S. victims.
In fact, in the summer of 2021, hackers sponsored by the Iranian government tried to conduct one of the most despicable cyberattacks I’ve seen—right here in Boston—when they decided to go after Boston Children’s Hospital.
Let me repeat that, Boston Children’s Hospital.
We got a report from one of our intelligence partners indicating Boston C