The hot pursuit of ransomware cyberattackers laying siege to critical U.S. infrastructure presents a challenge akin to hunting serial killers, according to Tonya Ugoretz, an FBI Cyber Division deputy assistant director.
Shrouded in secrecy and striking with reckless abandon, the cyber villains nevertheless provide a digital trail for the bureau’s cyber division to trace. Ms. Ugoretz’s team collects information needed for the U.S. and its international partners to go on offense around the globe against the criminals flooding the U.S. with ransomware that holds data and information systems hostage until desperate victims pay up.
“I’ve compared this a little bit to pursuing a serial killer,” said Ms. Ugoretz. “You know that every cyber intrusion, for the most part, is part of a larger campaign and that these actors are using essentially the same tactics, the same M.O. to target largely the same victim set. And each one of those intrusions that we can investigate and respond to gives us another clue that helps us not only attribute the activity and identify who’s responsible and hold them accountable, but also try to move quickly to prevent the next attack.”
Indictments and arrests are great for the FBI’s cyber sleuths, but Ms. Ugoretz said her unit’s real focus is getting information it has the unique authority to access as a member of the intelligence community and a law enforcement agency. Ms. Ugoretz oversees the cyber division’s national-level policy and intelligence work.
Her team shares its information with the national security community and allies “who take the fight to our adversaries overseas.” The team also shares its information with computer network defenders like the federal government’s Cybersecurity and Infrastructure Security Agency (CISA) inside the U.S.
The FBI has also reorganized internally to meet the growing challenge of ransomware. While it has 56 field offices organized around regional areas of responsibility, the cyber team put individual offices in charge of responding to certain threats and the attackers behind them.
A “center of excellence” from the FBI’s San Francisco office dedicated to the ransomware gang DarkSide responded when that gang hit major U.S. fuel supplier Colonial Pipeline in May, Colonial Pipeline CEO Joseph Blount recently told a Senate hearing.
The attackers directed the pipeline company to pay approximately $4.3 million in cryptocurrency, or 75 Bitcoin at the time of the attack, and the company agreed to do so, according to an affidavit filed by an FBI special agent in federal court in the Northern District of California. The agent from the San Francisco unit — whose name was redacted from the affidavit — watched the cryptocurrency move from the pipeline company to several different virtual locations using a database containing transactional information.
The funds were eventually transferred to an address for which the FBI held the “private key” — the secret cryptographic key that authorizes spending the cryptocurrency held at that address. The U.S. government then recovered about $2.3 million paid by the pipeline company.
Debate over the FBI’s speed in tracing the fast-moving crypto transactions and how it obtained the private key raged, with some cyber experts speculating that the U.S. government may have flipped an insider in the DarkSide gang or hacked an affiliate of the gang.
The FBI does not discuss ongoing investigations and Ms. Ugoretz demurred when asked whether the FBI’s action to recover the cryptocurrency could be repeated against future ransomware attackers.
“I don’t want to get into too much detail on that, but I will say it is in line with the FBI’s cyber strategy to impose risk and consequences on cyber adversaries and what that means is raising the costs to them of what they’re trying to do and make it harder for them to do the things that they have felt like they have been able to do over time without really incurring any risk,” said Ms. Ugoretz.
The FBI has had mixed results helping recover funds lost to cyber criminals. The FBI’s Internet Crime Complaint Center received a record-high number of complaints from Americans last year, nearly 800,000, totaling more than $4.1 billion, according to the center’s 2020 Internet Crime Report.
In some instances, the FBI successfully froze funding, but how much of the money was recovered by victims is difficult to quantify. Ms. Ugoretz said the portion of the frozen funding returned to the victims is often worked out between the financial institution and the victim, which makes it difficult for the FBI to ascertain how much the victim eventually recovered.
Ms. Ugoretz noted that ransom recovery is not a primary purpose of her agency and that CISA plays a key role in that realm. She said the sooner the FBI gets contacted by victims, the better odds it has of freezing the assets.
The capabilities and authorities of several different agencies working together are necessary to deter America’s digital adversaries over time, she said.
“For us, it’s not about whether it’s a law enforcement action or who gets credit, it’s about making sure we’re getting information to the partners who can act on it and can work with us on joint sequenced operations that are going to have the most impact,” she said.