News and commentary on organized crime, street crime, white collar crime, cyber crime, sex crime, crime fiction, crime prevention, espionage and terrorism.
Tuesday, April 19, 2022
FBI Director Christopher Wray Announces Actions To Disrupt And Prosecute Russian Criminal Activity
FBI Director Christopher Wray delivered the following remarks during a press conference at the Department of Justice in Washington, D.C., with partner agency officials announcing actions to prosecute criminal Russian activity. (Remarks as delivered):
I’m pleased to be here today to help announce this series of actions countering threats originating from Russia.
I want to focus for a few minutes on the FBI’s role in one of the actions the Attorney General mentioned, and what it says about the FBI’s unique cyber capabilities and what we can accomplish together with the private sector.
Today, we’re announcing a sophisticated, court-authorized operation disrupting a botnet of thousands of devices controlled by the Russian government—before it could do any harm.
We removed malware from devices used by thousands of mostly small businesses for network security all over the world. And then we shut the door the Russians had used to get into them.
Yesterday’s Darknet takedown struck a blow against Russian criminals and the ecosystem of cryptocurrency tumblers, money launderers, malware purveyors, and others supporting them. The botnet disruption we’re announcing today strikes a blow against Russian intelligence, the Russian government.
The bot network we disrupted was built by the GRU—the Russian government’s military intelligence agency. And in particular it was the unit within GRU known to security researchers as Sandworm Team.
This GRU team, Sandworm, had implanted a specific type of malware known as Cyclops Blink on thousands of WatchGuard Technologies’ Firebox devices—these are security appliances, mainly firewalls, that are typically deployed in home office environments and in small to mid-size businesses.
Sandworm strung them together to use their computing power in a way that would obfuscate who was really running the network and let them then launch malware or to orchestrate distributed denial of service attacks like the GRU has already used to attack Ukraine. I should note here, that the GRU’s Sandworm team has a long history of outrageous, destructive attacks: The disruption of the Ukrainian electric grid in 2015, attacks against the Winter Olympics and the Paralympics in 2018, a series of disruptive attacks against the nation of Georgia in 2019, and, in 2017, the NotPetya attack that devastated Ukraine but also ended up hitting systems here in the U.S., throughout Europe, and elsewhere, causing more than 10 billion dollars in damages—one of the most damaging cyberattacks in the history of cyberattacks.
With the court-authorized operations we’re announcing today, we’ve disrupted this botnet before it could be used. We were largely able to do that because we had close cooperation with WatchGuard.
We’ve worked closely with WatchGuard to analyze the malware and develop detection tools and remediation techniques over the past several weeks. And our operation removed Russia’s ability to control these Firebox devices on the botnet network, and then copied and removed malware from the infected devices. Now I should caution that as we move forward, any Firebox devices that acted as bots may still remain vulnerable in the future until mitigated by their owners, so those owners should still go ahead and adopt WatchGuard’s recommended detection and remediation steps as soon as possible.
We’re continuing to conduct a thorough and methodical investigation, but as we’ve shown, we are not going to wait for our investigations to end to act. We are going to act as soon as we can, with whatever partners are best situated to help, to protect the public.
This announcement today shows the value of the FBI’s technical expertise and unique authorities—both as a law enforcement agency and an intelligence service. And that unique combination, both of which were essential to the success of this operation.
It also shows what we can accomplish with our partners to help companies—like the thousands of mostly small businesses affected by this botnet—hit by threats like these posed by the Russian government.
Our partnership with the private sector was key here. WatchGuard enthusiastically cooperated with the FBI to figure out the source of the infection and to counter it. That kind of cooperation makes successes like the one we’re announcing today possible, and it will continue to be important going forward.
The Russian government has shown it has no qualms about conducting this kind of criminal activity, and they continue to pose an imminent threat. And this global botnet disruption, in conjunction with the other actions discussed today, reflects an aggressive effort by the FBI and our partners to go on offense against Russian cyber threats, wherever they appear.
I’d also like to commend our partners at the DEA, IRS, and our foreign partners on the Hydra Darknet takedown and all of the men and women of the FBI involved with both of those operations, as well as the indictments and property seizures involving Russian oligarchs this week.
I should emphasize that we will continue to rely on companies to work with us the way WatchGuard has so that we can protect our nation’s cybersecurity together. For businesses, I would encourage you to have a cybersecurity plan and to include contacting your local FBI field office as an important part of that plan. And if you suspect a cyber intrusion, please contact your local FBI field office immediately—the more quickly we get involved, the more we can do to protect you. We are laser focused on disrupting the threat, on preventing harm from dangerous adversaries. Sometimes that means making arrests, and other times—like both yesterday and today—that means taking adversaries’ capabilities off the field.
No agency or business can do this alone. It takes everyone's cooperation. And the FBI will be there to work with you on cyber threats from Russia or anywhere else.
Finally, I would like to thank and congratulate our FBI teams in a wide number of field offices here in the U.S. and our legal attaches overseas for their work that has paid off this week—with seizing sanctioned assets here and in Spain, with the indictments we’re announcing today, and with the disruption of both criminal and hostile intelligence activities that we’re here to discuss this morning.
Paul Davis is a writer who covers crime. He has written extensively about organized crime, cybercrime, street crime, white collar crime, crime fiction, crime prevention, espionage and terrorism. His 'On Crime' column appears in the Washington Times and his 'Crime Beat' column appears here. He is also a regular contributor to Counterterrorism magazine and writes their online 'Threatcon' column. Paul Davis' crime fiction appears in American Crime Magazine. His work has also appeared in the Philadelphia Inquirer, the Philadelphia Daily News, Philadelphia Weekly and other publications. As a writer, he has attended police academy training, gone out on patrol with police officers, accompanied detectives as they worked cases, accompanied narcotics officers on drug raids, observed criminal court proceedings, visited jails and prisons, and covered street riots, mob wars and murder investigations. He has interviewed police commissioners and chiefs, FBI, DEA, HSI and other federal special agents, prosecutors, public officials, WWII UDT frogmen, Navy SEALs, Army Delta operators, Israeli commandos, military intelligence officers, Scotland Yard detectives, CIA officers, former KGB officers, film and TV actors, writers and producers, journalists, novelists and true crime authors, gamblers, outlaw bikers, and Cosa Nostra organized crime bosses. Paul Davis has been a student of crime since he was a 12-year-old aspiring writer growing up in South Philadelphia. He enlisted in the U.S. Navy when he was 17 in 1970. He served aboard the aircraft carrier U.S.S. Kitty Hawk during the Vietnam War and he later served two years aboard the Navy harbor tugboat U.S.S. Saugus at the U.S. floating nuclear submarine base at Holy Loch, Scotland. He went on to do security work as a Defense Department civilian while working part-time as a freelance writer. 
From 1991 to 2005 he was a producer and on-air host of "Inside Government," a public affairs interview radio program that aired Sundays on WPEN AM and WMGK FM in the Philadelphia area. You can read Paul Davis' crime columns, crime fiction, book reviews and news and feature articles on this website. And you can contact Paul Davis at firstname.lastname@example.org