Last week saw a flurry of U.S. indictments of alleged Chinese and Iranian hackers as part of a multi-agency crackdown on foreign intelligence services.
The Department of Treasury issued sanctions, the Department of Homeland Security advised companies on how to fend off hackers and U.S. intelligence agencies likely kept a close eye on possible reactions from Beijing and Tehran. At the center of the coordinated crackdowns, though, were the FBI agents who tracked the computer infrastructure used by the suspects.
The series of events was one of the first examples of the FBI’s new cybersecurity strategy in action. The goal of the effort, which officials revealed this month, is simple: impose harsher consequences on America’s digital adversaries by working more closely with intelligence agencies and data-rich private companies.
For the FBI, that could mean trying to put a suspect in handcuffs, burning their identity through an indictment or opting to provide targeting data about an individual for a U.S. government hacking operation.
“Whatever it is that’s going to cause maximum impact on the adversary, that’s what the goal is,” Tonya Ugoretz, deputy assistant director in the FBI’s cyber division, said in an exclusive interview.
Unsealing indictments can be an implicit acknowledgment by prosecutors that the accused is unlikely to travel to a country with an extradition agreement with the U.S. And it is difficult to measure how an indictment impacts a hacker’s behavior, if it does at all.
The FBI has been tracking foreign state-backed and criminal hackers for decades, and the Department of Justice has not been shy about indicting them in recent years. Now, through a strategy that has been nearly a year in the making, FBI officials are trying to emphasize that they want to see more results. And foreign hackers’ relentless pursuit of U.S. companies demands a shift in approach, they say.
“You’re looking at foreign actors using global infrastructure to compromise U.S. networks,” Ugoretz said. “That requires authorities and visibility and a way of working with a lot of different partners in order to be able to understand what’s happening and to respond at speed.”
Emblematic of the FBI’s new approach was a decision last month to publish, along with the National Security Agency, a detailed analysis of the malware Russia’s GRU military intelligence agency allegedly uses for cyber-espionage operations. Ugoretz said the FBI was able to obtain important data on the Russian activity from a foreign partner, which she declined to name.
“When you talk about imposing costs, some of these bespoke tools and capabilities, they take time and they take resources to develop,” Ugoretz said, referring to the Russians’ so-called Drovorub malware, which is designed to target Linux systems. “Anytime that we can work with a partner to make that investment by a foreign adversary now be futile, is a good thing.”
What’s worked and what hasn’t
In the last several years, the FBI has shaken up how it tracks foreign hacking groups, with one field office taking the lead on a given threat and others providing support. Some field offices are more adept at knowing when to share that threat information with U.S. intelligence agencies or other partners that can act on it, Ugoretz told CyberScoop.
“Right now, we can do that in pockets,” she said. “What the focus will be on going forward is making sure we can do that everywhere…throughout the FBI.”
In practice, carrying out the strategy could mean expanding the number of cyber-focused personnel the Bureau has at U.S. embassies, Ugoretz said. Those personnel, known as legal attachés, have played a key role in cybercrime investigations and arrests in Eastern Europe. There are about 15 of them now around the world, but there is a demand for more, according to Ugoretz. She said she has attended meetings between FBI Director Christopher Wray and his foreign counterparts, many of whom have expressed interest in hosting the cyber-attachés.
While the legal attachés hunt for hackers abroad, FBI agents in the U.S. have contended with a spate of ransomware attacks on local governments and companies of all sizes. Addressing the problem has required humility: FBI officials appealed to private-sector experts for ideas in an unprecedented “ransomware summit” last year.
Those kinds of listening sessions, in which FBI officials provide more data to private-sector experts than they’re accustomed to, are also part of the new strategy.
“I’ve had conversations with folks in industry who, to be frank, have shared some frustrations over the years of sometimes wanting to work with the FBI more and wanting to have more give and take, and wanting to team up to do some of these coordinated takedowns,” Ugoretz told CyberScoop.
If the FBI can share more feedback with private firms on cybercrime investigations, she added, those firms will likely share more data with the Bureau in return.
To succeed, the strategy will have to force noticeable changes in foreign computer operatives’ behavior. Some jobs will need to be too risky to take, some operations too brazen to execute. That’s a tall task.
“As you can see through the [recent] indictments, these are individuals who are making decisions about how they want to use their talents,” Ugoretz said. “They could use them in a legit private-sector job to…provide for their family. Or they could incur risk by working for a foreign intelligence service that’s conducting activity that violates U.S. law.”