The FBI released the speech FBI Director Christopher Wray presented to the Boston Conference on Cyber Security yesterday:
It’s good to be back here at BC, particularly since I couldn’t participate in the virtual conference last year. In fact, the last time I was able to participate was in March 2020, right before everything went into lockdown. It’s pretty incredible how quickly our lives—work, school, social events—shifted to being online.

I can’t say I was a fan of shifting from interacting with my staff around a conference table to seeing a fair number of folks show up only on screen, usually from elsewhere in the building.

It worked, sort of. But I’m glad we’ve been able to go back to meeting in person. For the FBI, a lot of our work is hard to accomplish online. We work with a lot of classified information that can’t go home, and we certainly can’t conduct crime scene investigations remotely.

But I recognize that we’re fairly unique, and a lot of businesses have been able to cut costs by keeping employees at home instead of leasing office spaces.

So, it’s clear that our world and our society are not just going back to where we were two-and-a-half years ago. And people are going to continue to take advantage of the connectivity that cyberspace provides.

But, at the same time, the shift of our personal and professional lives even more online has created new vulnerabilities. And malicious cyber actors are going to continue to take advantage of people and networks.

That includes cybercriminals holding data for ransom and nation states like China stealing defense and industrial secrets.

And lately, that’s included Russia trying to influence what happens in the ground war they started—by threatening attacks against the West in cyberspace.

I think, if we’re going to address cyber security properly, we’ve got to talk about how we’re responding to each of those threats.

We’ve got to hold the line on multiple fronts—all at once—to help people and businesses protect themselves, to support victims, and to inflict costs on criminals.

And we can’t let up on China or Iran or criminal syndicates while we’re focused on Russia. So that’s what we’re doing, taking on all these threats and shifting resources quickly to respond.

And I think it’s worth covering some of those threats with you today.
Russia

I do want to start with Russia because we’re laser focused on them right now.

I’m not breaking any new ground or compromising any intelligence sources by saying they’ve been absolutely reckless on the battlefield. They really don’t care who they hurt—civilians, noncombatants, women, children. And their recklessness with human lives carries over into how they act in cyberspace.

Of course, that’s not new. In 2017, the Russian military used the NotPetya malware to hit Ukrainian critical infrastructure. The attack was supposed to look like a criminal heist but was actually designed to destroy any systems it infected.

They targeted Ukraine but ended up also hitting systems throughout Europe, plus the U.S. and Australia, and even some systems within their own borders. They shut down a big chunk of global logistics.

That reckless attack ended up causing more than 10 billion dollars in damages—one of the most damaging cyberattacks in the history of cyberattacks—and spread world-wide before anyone knew to do anything.

Now, in Ukraine, we see them again launching destructive attacks, using tools like wiper malware. And we’re watching for their cyber activities to become more destructive as the war keeps going poorly for them.

At the FBI, we’re on what I’d call combat tempo.

We’ve got a 24/7 cyber command post running, and we’ve been pushing out intelligence products and technical indicators—not just to government partners, but also to private companies and others.

We’ve seen the Russian government taking specific preparatory steps towards potential destructive attacks, here and abroad. We’re racing out to potential targets to warn them about the looming threat, giving them technical indicators they can use to protect themselves. And we’re moving rapidly to disrupt Russian activity.
Russia/WatchGuard

Just this April, the FBI disrupted a botnet that the Russian GRU intelligence service had created and could have used to obfuscate malicious and damaging cyber activity.

This is the same Russian agency behind NotPetya and that attacked the Ukrainian electric grid in 2015, attacked the Winter Olympics and Paralympics in 2018, and conducted attacks against Georgia in 2019.

The GRU’s Sandworm team had implanted Cyclops Blink malware on ASUS home routers and Firebox devices, which are firewall devices produced by WatchGuard Technologies and largely used by small to medium businesses.

By infecting and controlling thousands of these devices worldwide, the GRU could string them together to use their computing power in a way that would hide who was really running the network.

This past November, we alerted WatchGuard about the malware targeting their devices, and we collaborated with CISA and WatchGuard on mitigation.

We collected additional malware samples from U.S. victims, while WatchGuard developed mitigation tools.

We reverse-engineered the malware samples and developed a sophisticated technical operation to sever the GRU’s ability to communicate with the botnet’s command-and-control layer.

And in March, we executed the operation and successfully cut their ability to control the botnet.

We removed malware from the “Firebox” devices—used by small businesses for network security all over the world—and then shut the door the Russians had used to access them.

Clearly, that’s not the only threat coming out of Russia, and we’re certainly not resting on our laurels. But that was a pretty solid hit against Russian intelligence. And it shows that we can do quite a bit to counter threats and help companies hit by threats like that posed by the Russian government.
Reminders and Lessons

As I mentioned earlier, even while we’re at full tilt against Russian cyber threats, we’re also countering other nation-state and criminal cyber actors. So we’re particularly attuned to lessons from the Ukraine conflict that apply more broadly.

We’re not the only ones. We know that China is studying the Ukraine conflict intently. They’re trying to figure out how to improve their own capabilities to deter or hurt us in connection with an assault on Taiwan.

So, take for example the blended threat where we see Russia—like China, Iran, and sometimes other nation states—essentially hiring cyber criminals, in effect cyber mercenaries.

We see Russian cyber criminals explicitly supporting, and taking actions to assist, the Russian government, as well as some just taking advantage of the very permissive operating environment that exists in Russia.

In some instances, we also see Russian intelligence officers, moonlighting, making money on the side, through cybercrime or using cybercriminal tools to conduct state-sponsored attacks because they think it gives them some plausible deniability or will hide who’s behind it.

So one key question for us today is, when do criminal actors become agents of their host nation?

Does money have to change hands, or is publicly pledging support to a foreign government enough?

We are realizing the value of our accumulated investigative work, with our partners, against all manner of Russian cyber threats. That work has established connections, motives, and tactics among Russian hackers before the current crisis.

It gives us a basis for potentially holding the Russian government accountable for the actions of a Russian ransomware gang. Because we’ve been able to show that their government sometimes supports, uses, and protects, cybercriminals.

A second thing we’re thinking about is the speed and scope of attribution. How do we balance the need for speed, to get to an operational level of attribution, supporting actions we or our partners need to take next, against specificity?

It won’t surprise you to learn that we can figure out which country is responsible for something, or even which specific intel service, faster than we can identify which individual was sitting at the keyboard.

For victims we’re helping, as we respond to malicious cyber activity in this kinetic, destructive context, we’ve found that speed trumps pretty much everything else. It’s more important for us to get to their doorstep in an hour than it is to tell them whether we’re looking at nation-state cyber activity or cyber criminals.

But it’s also important to keep marching toward more-specific attribution even while we hand off defensive information before we build the full picture of who’s responsible. Because for the broader government’s response calculations—for us to meaningfully degrade, disrupt, and deter a cyber adversary—we often need to be a lot more specific about who’s responsible.

A third lesson, or really a reminder, from this conflict with broad application: When it comes to the threat of destructive attack, the adversary’s access is the problem.

This is something we’ve talked about a lot, but that has acquired heightened resonance lately. Russia has, for years and years, been trying to infiltrate companies to steal information.

In the course of doing so, they’ve gained illicit access to probably thousands of U.S. companies, including critical infrastructure. Just look at the scope of their SolarWinds campaign.

They can use the same accesses they gained for collection and intelligence purposes to do something intentionally destructive. It’s often not much more than a question of desire.

That’s why, when it comes to Russia today, we’re focused on acting as early, as far “left of boom,” as we can against the threat.

That is, launching our operations when we see the Russians researching targets, scanning, trying to gain an initial foothold on the network, not when we see them later exhibit behavior that looks potentially destructive.

As broad as Russia’s potential cyber accesses across the country may be, they pale in comparison to China’s.

So the same reminder that this conflict has given the community about the urgency of battling adversaries at the point of access, or earlier, applies in spades when we think about how to defend against the Chinese Communist Party’s potential aggression toward Taiwan.

We need to study what’s going on with Russia and learn from it because we’re clearly not the only ones paying attention.
China

Now, China is clearly a very different threat than Russia. The Chinese government is methodical, hacking in support of long-term economic goals.

And China operates on a scale Russia doesn’t come close to. They’ve got a bigger hacking program than all other major nations combined. They’ve stolen more American personal and corporate data than all nations combined. And they’re showing no sign of tempering their ambition and aggression.

Even their hacks that may seem noisy and reckless actually fit into a long-term, strategic plan to undermine U.S. national and economic security.

China’s economy also gives it leverage and tools, sway over companies, that Russia lacks. For many U.S. and foreign companies doing business in China, or looking to, the cost effectively amounts to a blanket consent to state surveillance in the name of security—at best.

At worst, they’ve got to accept the risk that their sensitive information may be co-opted to serve Beijing’s geopolitical goals.

In 2020, we became aware that some U.S. companies operating in China were being targeted through Chinese government-mandated tax software. The businesses were required to use certain government-sanctioned software to comply with the value-added tax system and other Chinese laws.

A number of U.S. companies then discovered that malware was delivered into their networks through this software. So, by complying with Chinese laws for conducting lawful business in China, they ended up with backdoors into their systems that enabled access into what should be private networks.

That’s just one example of how the Chinese government is pursuing their goal to lie, cheat, and steal their way into global domination of technology sectors. It’s really a whole-of-government operation to steal research and proprietary secrets from U.S. companies and then undercut prices on the global market. So that companies that play by the rules can’t compete.

That effort is not limited to cyber. Heck, we’ve caught Chinese agents out in the heartland of the U.S. targeting our agricultural innovation, sneaking into fields to dig up proprietary, experimental, genetically modified seeds.

But China’s other means of stealing technology—things like human spies, corporate transactions—often run in concert with, and even in service of, its cyber program. Like when the MSS recently used a human agent on the inside to enable hackers in mainland China to penetrate GE Aviation’s joint venture partner and steal proprietary engine technology.

The Chinese government sees cyber as the pathway to cheat and steal on a massive scale. In March 2021, Microsoft and other U.S. tech and cybersecurity companies disclosed some previously unknown vulnerabilities targeting Microsoft Exchange Server software.

The hackers, operating out of China, had compromised more than 10,000 U.S. networks, moving quickly and irresponsibly to do so prior to the public disclosure of the vulnerabilities. Through our private sector partnerships, we identified the vulnerable machines.

And learned the hackers had implanted webshells—malicious code that created a backdoor and gave them continued remote access to the victims’ networks. So, we pushed out a joint advisory with CISA to give network defenders the technical information they needed to disrupt the threat and eliminate those backdoors.

But some system owners weren’t able to remove the webshells themselves, which meant their networks remained vulnerable. So, we executed a surgical, court-authorized operation, copying and removing the harmful code from hundreds of vulnerable computers.

Those backdoors the Chinese government hackers had propped open?

We slammed them shut, so the cyber actors could no longer use them to access victim networks. So, while that’s another win we can celebrate, it is also a stark reminder that the Chinese government remains a prolific and effective cyber espionage threat.
Iran and Boston Children’s Hospital

And China and Russia aren’t the only nation states exhibiting malicious behavior on the international stage. Iran and North Korea also continue to carry out sophisticated intrusions targeting U.S. victims.

In fact, in the summer of 2021, hackers sponsored by the Iranian government tried to conduct one of the most despicable cyberattacks I’ve seen—right here in Boston—when they decided to go after Boston Children’s Hospital.

Let me repeat that, Boston Children’s Hospital.

We got a report from one of our intelligence partners indicating Boston Children’s was about to be targeted. And, understanding the urgency of the situation, the cyber squad in our Boston Field Office raced to notify the hospital.

Our folks got the hospital’s team the information they needed to stop the danger right away. We were able to help them ID and then mitigate the threat.

And quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids who depend on it.

It’s a great example of why we deploy in the field the way we do, enabling that kind of immediate, before-catastrophe-strikes response.
Ransomware

Unfortunately, hospitals these days—and many other providers of critical infrastructure—have even more to worry about than Iranian government hackers.

If malicious cyber actors are going to purposefully cause destruction or are going to hold data and systems for ransom, they tend to hit us somewhere that’s going to hurt. That’s why we’ve increasingly seen cybercriminals using ransomware against U.S. critical infrastructure sectors.

In 2021, we saw ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors, including healthcare, but also many of the other things we depend on.

Ransomware gangs love to go after things we can’t do without.

We’ve seen them compromise networks for oil and gas pipelines, grade schools, 9-1-1 call centers. They also go after local governments.

The FBI cyber team here in Boston, for example, last May uncovered important indicators of compromise for the Avaddon ransomware strain.

Avaddon was one of the most prolific ransomware variants in the world at the time. Our folks quickly published what they found to warn the public.

And just two days after that, a local police department in the Southwest told FBI Boston that they’d seen some of those indicators of compromise we published—newly identified malicious IP addresses—connecting to the department’s network.

The police department was able to use our Boston Division’s information to stop Avaddon from infecting their network.

So, that’s our folks here helping out a city on the other side of the country and a lot of other potential victims nationwide, but also a reminder of the kind of damage ransomware groups are able and willing to inflict.
Lessons Learned from Disrupting Hackers

Hopefully, as you listen, you’ve been gleaning a bit about our focus. We aim to stop attacks, and degrade actors, as early as we can.

It’s worth taking a few minutes to think about what we’ve learned from the operations of the past couple of years, as more and more of society has moved online, and as cyberattacks and intrusions have accelerated.

For one, we’ve learned that in cyber, as with other parts of our work countering criminal organizations, we can impose costs on cybercriminals by focusing on three things: the people, their infrastructure, and their money. We make the most durable impact when we disrupt all three together and when we set aside who gets credit and just equip the best athlete with the information they need to take action.

First: To go after the people, we work with like-minded countries to identify who’s responsible for the most damaging ransomware schemes and take them out of the game. That may mean arresting and extraditing them to the U.S. to face justice. Or it may mean prosecution by a foreign partner.

Crucially, we cast a broad net, going after everyone from the ransomware administrators building the malware, to affiliates deploying it, to the hosting providers and money launderers making the criminal enterprise possible.

Second: Simultaneously, taking down cybercriminals’ technical infrastructure disrupts their operations.

For instance, last year, the FBI led an international operation that seized control of a botnet called Emotet, consisting of tens of thousands of infected computers, which had been used in a range of cybercrime schemes including ransomware.

And that Russian botnet we just disrupted in March is another great example of how we can take infrastructure offline before it causes damage.

Third: By going after their money, when we seize virtual wallets and return stolen funds, we hit them where it hurts, taking resources away from the bad guys, helping to prevent future criminal operations.

And we’ve had even bigger successes in disrupting operations by shutting down illicit currency exchanges.

Bottom line: We believe in using every tool we’ve got to impose risk and consequences and to remove bad guys from cyberspace. That includes leveraging every partnership we have.
FBI’s Role and the Virtuous Cycle

So how do we make all that happen? How do we make sure the best athlete has the proverbial ball at the right time and that we’re all making each other stronger?

There’s a symmetry to the way we identify threats and the way we deal with them.

At the FBI, as both a law enforcement and intelligence service, we’re pulling in information about hostile cyber activity from a wide range of sources: from, on one end of the spectrum, providers, incident response firms, victims, and others in the private sector, and from our partnerships with CISA, Treasury, and other SRMAs; from our FISA collection, human sources, our fellow USIC agencies’ signals and human collection, and from intelligence and law enforcement partners around the world, many of whom have overseas FBI cyber agents working alongside them daily.

Then, we analyze what the adversaries are trying to do, and how. We take, for example, information shared by one victim we know they hit and work back to find others either already being hit or about to be.

We dissect their malware to see what it’s capable of and compare what we see in the field to what we know about their strategic intent.

Then—the other side of that symmetry I mentioned—we quickly push the information we’ve developed to wherever it can do the most good, whether that means employing our tools or arming partners to use theirs, or both. Often that means racing information to victims or potential victims.

We’ve developed the ability to get a technically trained agent out to just about any company in America in an hour, and we use it a lot.

Almost every week, we’re rushing cyber agents out to help companies figure out what they’ve got on their systems, how to disrupt it, how to interrupt it, how to mitigate, and how to prevent this from becoming something much worse.

Other times, we work jointly with CISA, and often NSA, to disseminate the information even more broadly, if more companies and public entities can make use of it.

For example, in the last couple of months you’ve seen us publish indicators of compromise for Russian cyber operations targeting U.S. critical infrastructure, helping companies prepare defenses and enabling threat hunting.

And not long ago, you saw us and NSA push out details on malware the GRU was using to help companies defend against it.

But we’re also pushing what we learn to government partners in order to enable joint, sequenced operations that disrupt the harm at its source, at the same time we’re helping companies mitigate on their own networks.

We push targeting information about hostile infrastructure abroad either to foreign law enforcement, to seize or shut down; or to government partners here with a mandate to conduct offensive operations overseas; or to Treasury or Commerce, for sanctions.

And so on.

But it’s important to keep in mind that we aren’t playing a one-move game. What we need to do is kick off a virtuous cycle that feeds on itself.

We use the information one company might give us to develop information about who the adversary is, what they’re doing, where, why, and how, taking pains to protect that company’s identity just as we do our other sources.

Then, when we pass what we develop to partners here and abroad—our fellow U.S. and foreign intel services, foreign law enforcement, CISA and sector risk management agencies, providers like Microsoft.

Crucially, those partners can then in turn leverage what we’ve given to provide us with more information.
Enhancing our Global Investigations

Helping us discover more malicious infrastructure we can target ourselves, or alert private sector partners to more opportunities to arrest or otherwise disrupt the adversaries, which leads us to more useful information to pass back to that first company, to better remediate and protect itself, maybe find more technical info it can share back to us and to our partners, to take further steps. And so on.

It’s why we’re deployed all over this country and in nearly 80 countries around the world.

What these partnerships let us do is hit our adversaries at every point—from the victims’ networks, back all the way to the hackers’ own computers.

Of course, for this virtuous cycle of information to work, we rely on companies to work with us the way WatchGuard and Boston Children’s Hospital did.

So, for companies that conduct any work on the internet, I would encourage you to have an incident response plan and to include contacting your local FBI field office as part of that plan. It’s immensely helpful for any business to have an existing relationship with their local office before an attack occurs.

In fact, that’s one of the reasons we were able to help Boston Children’s Hospital so quickly.

The FBI Boston Field Office had worked with Children’s on a series of attacks in 2014—those stemming from a misguided online protest. We worked closely with Children’s all the way through our investigation, which led to a conviction and sentencing of the hacker in 2019.

So, Children’s and our Boston office already knew each other well before the attack from Iran, and that made a difference.

So, I’d encourage everyone to give us a call and talk with your local FBI cyber team.

But whether you take that proactive step or not, if you suspect a cyber intrusion, please report the compromise by contacting your local field office immediately—the more quickly we get involved, the more we can do to help.
Conclusion

Thank you all for being here and for inviting me to speak.

Our goal at the FBI is to make sure Americans and our partners and families overseas can use cyberspace safely and securely. To do that, we rely on help from everyone in this room—whether you’re a government partner, a service provider, or an online content writer. And I want you to know you can rely on us to help you.

Thank you for your trust and for your ideas on how to do this better.

I’m looking forward to helping the Bureau work with each of you.