And, of course, I should add, those are just some of the threats we’re focused on at the FBI, where we’re also tackling the trafficking and exploitation of children, alarming levels of violent crime and hate crimes, the epidemic of deadly narcotics, and malign foreign influence aimed at undermining our government, just to name a few others.
As I like to say: A lot of people seem to have ideas about things they think the FBI should be doing more of, but I haven’t heard any responsible suggestions for things we could be doing less of.
So, in order for the FBI to be at the forefront and stay ahead of all these threats, we rely on the partnerships we’ve developed with folks in the private sector—including many of you represented here today—and across all levels of government, both here at home and abroad.
And the importance of those partnerships is really the core of the message I hope you’ll take away from my time with you here today.
Cyber Threats
So, what are we dealing with?
In cyberspace, the threats only seem to evolve, and the stakes have never been higher.
One bad actor targeting a single supply chain can cause cascading effects across multiple sectors and communities.
One unpatched vulnerability can mean the difference between business as usual and a scramble to get scores of systems back online.
And over the past few years, we’ve increasingly seen cybercriminals using ransomware against U.S. critical infrastructure sectors. In 2021, we saw ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors.
In a perverse way, that makes sense, right?
If you want someone to quickly pay a ransom, you threaten the very basic things they rely on for their day-to-day lives—something like an oil pipeline, an elementary school, or an electrical grid. Malicious actors assume—and, perhaps, rightly so—that if they attack these things we depend on every day, they can inflict more pain, and people will pay more quickly.
And these actors have demonstrated there’s really no bar too low. They have no problem, for instance, threatening to shut down a children’s hospital to make a quick buck.
Let me be clear: That’s not a hypothetical example.
And while you would expect that cybercriminals are focused on operations for their own financial gain, really, any malicious cyber actor could also be trying to steal information or conduct influence operations, or laying the groundwork to disrupt our critical infrastructure. And those threats are not only proliferating, but becoming more complex.
There is no bright line where cybercriminal activity ends and hostile government activity begins, which both compounds and complicates the threat landscape.
We’re seeing blended threats where—for instance—the Iranian government has sponsored cybercriminals to perpetrate attacks to gather intelligence or gain access.
In other instances, hostile governments have attempted to make their cyberattacks look like criminal activity, which caused whole operations to go sideways.
That’s what we saw in 2017, when the Russian military used the NotPetya malware to hit Ukrainian critical infrastructure. The attack was supposed to look like a criminal heist, but was actually designed to destroy any systems it infected. They targeted Ukraine, but ended up also hitting systems throughout Europe, plus the U.S. and Australia, and even some systems within their own borders. They shut down a big chunk of global logistics, and, ultimately, their recklessness ended up causing more than $10 billion in damages—maybe the most damaging cyberattack in history.
Add to that, cyber adversaries have also obtained an increasing capacity for stealth in recent years, facilitating more comprehensive access to U.S. networks. They’ve demonstrated the ability to maintain persistent access across various networks and environments by using seemingly legitimate credentials, accessing administrator accounts, and laterally traversing networks. They will park on a system quietly and then just wait for the right opportunity.
So, to sum up the cyber threat picture: There’s a persistent, multi-vector, blended threat that’s constantly evolving and a continual challenge to assess, so we’re battling back against a constant barrage of attacks.
China
In this cyber threat landscape, China is the most dangerous actor to industry.
The Chinese government sees cyber as the pathway to cheat and steal on a massive scale. More broadly, there’s simply no country that presents a broader or more severe threat to our ideas, innovation, and economic security than the Chinese government, because they’ve shown themselves willing to lie, cheat, and steal to dominate major technology and economic sectors, crushing companies from other nations and putting them out of business.
The Chinese government’s hacking program is bigger than that of every other major nation combined, and Chinese government hackers have stolen more of our personal and corporate data than all other countries—big and small—combined.
But the threat from the PRC [People’s Republic of China] government is particularly dangerous because they use that massive cyber effort in concert with every other tool in their government’s toolbox. What makes the Chinese government’s strategy so insidious is the way it exploits multiple avenues at once, and often in seemingly innocuous ways.
They identify key technologies to target. Their “Made in China 2025” plan, for example, lists ten broad areas—spanning industries like robotics, green energy production and vehicles, aerospace, and biopharma.
Then, they throw every tool in their arsenal at stealing the technology in those areas. And they are fine with causing indiscriminate damage to get to what they want, like in the Microsoft Exchange hack—the Hafnium attack—from 2021, which compromised the networks of more than 10,000 companies in just a single campaign.
At the same time, the Chinese government uses intelligence officers to target the same information.
And to knock down a few misconceptions about what it’s like to be targeted by Chinese intelligence, first of all, most Chinese spies aren’t just targeting people with government secrets. They’re after people with access to innovation, trade secrets, and intellectual property they feel would give them an advantage—economically or militarily.
Second, many U.S. citizens who are compromised don’t realize they are working for the Chinese government. Chinese intelligence officers often use co-opted staff from Chinese universities or national businesses—effectively contract intelligence officers—to contact targets and develop what seems like a “collaborative” relationship, and the Chinese intelligence officer actually running the operation might never personally be in contact with the target.
Third, and finally: With Chinese intelligence, the spy may not ever ask for information, but may, instead, just be looking for access to people and to networks, and that access may, in turn, be just enough to create a vulnerability for a cyber intrusion. So, their intelligence and cyber efforts are working hand-in-hand.
They also use elaborate shell games to disguise their efforts—both from our companies, and from our government investment screening program CFIUS, the Committee on Foreign Investment in the United States.
And for non-Chinese companies operating in China, the Chinese government takes advantage of its laws and regulations to enable its stealing.
For example, in 2022, we learned that a number of U.S. companies operating in China had malware delivered into their networks through tax software the Chinese government required them to use. To put it plainly: By complying with Chinese laws, these companies unwittingly installed backdoors for Chinese state hackers. The overall result of PRC efforts like these is deep, job-destroying damage across a wide range of industries—and it’s damage that hits across the country, too, which is why we’re running 2,000 or so PRC-related counterintelligence investigations, out of every one of our 56 field offices.
Disrupting the Threat
In the cyber and espionage realm, just as in our other programs, our goal is disruption: getting ahead of and thwarting cyberattacks as early as possible, seizing infrastructure, and denying hackers the benefit of their crimes.
Just a few weeks ago, we announced the success we’ve had with the year-and-a-half-long disruption campaign against the Hive ransomware group, dismantling their infrastructure and taking it offline.
Since 2021, they’ve been one of the larger and more active ransomware groups we know of, targeting businesses and other victims in over 80 countries, and demanding hundreds of millions of dollars in ransom.
Last July, the FBI gained clandestine, persistent access to Hive’s control panel—essentially, hacking the hackers.
From last July to this January, we repeatedly exploited that access to get Hive’s decryption keys and identify victims, and we offered those keys to more than 1,300 victims around the world so they could decrypt their infected networks—preventing at least $130 million in ransom payments—all without Hive catching on.
The victims targeted by the Hive group reinforced what we know—that ransomware groups don’t discriminate. They went after big and small businesses.
We rushed an FBI case agent and computer scientist to one specialty medical clinic that was so small, the doctor there also managed the clinic’s IT security. We helped larger companies, and we also shared keys with victims overseas through our foreign-based legal attaché offices—like when we gave a foreign hospital a decryptor, which they used to get their systems back up before ransom negotiations even began, possibly saving lives.
As we consider how best to focus our efforts at disrupting the hackers, we’re focused not only on providing intelligence to current victims to help them quickly recover from an attack, but also on preventing attacks before they happen.
So, for example, while on Hive’s systems, when we saw the initial stages of one attack against a university, we notified the school and gave their IT staff the technical information they needed to kick Hive off of their network before ransomware was deployed.
But our ability to help often hinges on victims—both private and public—reaching out to us when they are attacked.
Unfortunately, during these past seven months, we found that only about 20% of Hive’s victims reported to law enforcement that they had been attacked, which means we wouldn’t have been able to help 80% of their victims if we hadn’t managed to get into Hive’s infrastructure and see what was happening from the bad guys’ side. So, while an important success, the Hive disruption was somewhat unusual.
We can’t count on that level of visibility into adversaries’ systems, so we’re counting on our relationships with the private sector to let us know about a problem in time to fix or mitigate it.
As part of those relationships, we share threat intelligence to help companies fortify their defenses, and we rely on organizations in the private and public sector to let us know when they’ve been attacked. Once we learn about an attack, we work with our partners to broadly share what we can with public and private industry partners and international security agencies, to improve overall network defense and prevent further attacks.
Dissemination of attack information helps overcome typical silos that thwart recovery efforts, and in many instances, public and private sector partners provide us information in return that we can take back and use to help you with your recovery efforts.
For example, in 2021, the Port of Houston was attacked by cybercriminals. Because the Port reached out to us quickly, we were able to get technically trained agents out to the scene. There, they discovered a brand-new, zero-day exploit used to commit the attack—that is, a vulnerability and means of exploiting it that no one knew about yet. We immediately deployed our investigative tools to search for other victims where the same exploit was being deployed, and by the time the software provider developed a patch, we’d already enlisted our partners at CISA [the Cybersecurity and Infrastructure Security Agency] to work with us to help victims already being targeted, for whom that fix would otherwise have been too late. And, of course, the Port—and Houston—benefited greatly, too.
The FBI is determined to use all of our tools and resources to help victims, whether we’re talking about single individuals or whether they number in the thousands.
When the FBI determined the Chinese had executed the Hafnium attack to install backdoors into at least 10,000 U.S. and international partner networks and computers, we worked with a private sector partner to conduct the arduous task of identifying those victims using only IP addresses, including developing a custom tool for the task. We then employed advanced analytics to geolocate victims to specific field offices and legal attaché offices, and triaged over 1,700 victim notifications. And when some system owners weren’t able to remove the Chinese government’s backdoors themselves, we executed a first-of-its-kind, surgical, court-authorized operation, copying and removing the harmful code from hundreds of vulnerable computers—slamming those backdoors shut.
That example illustrates how today’s FBI views success: disruption of our adversaries by leveraging our capabilities, tools, and resources to get ahead of and thwart cyber attacks as early as possible.
As these examples demonstrate, a lot of good can come from mutual trust and working together—from strong partnership. And strong public and private sector partners not only help us at the FBI get ahead of the threat and aid in recovery, but they also help us leverage our traditional law enforcement authorities to further our disruption goals—not just arresting and extraditing more hackers, but dismantling their infrastructure and seizing their funds. Through seizures, we can also help a company recover funds that would otherwise be lost.
For instance, from January through November 2022, our Internet Crime Complaint Center’s Recovery Asset Team used the Financial Fraud Kill Chain over two thousand times, successfully freezing more than $328 million—a 74% success rate—that could then be returned to individuals and businesses who had been defrauded.
Greed is a primary motivator of the cyber threat, and by hitting cyber actors where it hurts—their wallets—we can disincentivize more attacks before they occur.
A few weeks ago, we announced the arrest of a Russian national who administered the Bitzlato Limited cryptocurrency exchange, which laundered over $15 million in ransomware proceeds and over $700 million in darknet illicit transactions. At the same time, we worked with our international law enforcement partners to seize Bitzlato’s servers and execute additional arrests. Cryptocurrency exchanges like Bitzlato are a vital part of the infrastructure cybercriminals use to launder the funds extorted from their victims. In thinking about how we, at the FBI, can have the most durable disruptive impact, our goal is not only to take away the motivation for ransomware attacks, but also to deprive ransomware groups of the resources they need to successfully conduct these attacks.
Conclusion and Partnerships
Bottom line: We believe in using every tool we’ve got to protect American innovation and critical infrastructure, but, as I said before, that’s not something the FBI can do alone.
That’s a big reason conferences like this—focused on building a dialogue between the public and private sector on current and emerging threats—are so important to the Bureau. They build the partnerships necessary for us to understand and stay ahead of the threat.
So, again, thank you for inviting me to kickstart the discussions today. Now, let’s turn this into a conversation.