It’s been a wild year in cybersecurity, one where ransomware jumped from a criminal enterprise to a bonafide national security threat regularly discussed by the President of the United States, software (insecurity) continued to eat the world and a series of damaging supply chain hacks shocked the public and private sectors alike.
At a May 26 event hosted by the Armed Forces Communications and Electronics Association, three U.S. law enforcement officials reflected on what was, to them, the cybercrime incidents or developments over the past year that will have the biggest impact on the cybersecurity landscape going forward.
Not surprisingly, the Colonial Pipeline ransomware attack and its fallout was still fresh on the minds of several officials. Sean Newell, deputy chief for the Counterintelligence and Export Control Section at the Department of Justice, cited it as a rare instance of a long simmering issue breaking through to become the subject of mainstream American discourse virtually overnight. In this case it was the threat that ransomware can pose to critical infrastructure and broader society, something law enforcement and cybersecurity officials have been warning for years.
“When that happened, I was like ‘this is very high profile, everyday Americans are going to be able to see the effects of ransomware, not just the business person who might be impacted,’” said Newell.
Beyond that, the incident has appeared to elevate the issue of ransomware out of the siloed bureaucracy of the FBI and other agencies and is forcing a more holistic response across the U.S. government to tackle the problem more aggressively.
“Since [the Colonial attack] occurred, you do see the president take the podium to discuss it from an interagency perspective. It’s taking the conversation out of various independent agencies and departments within government and into that whole of government conversation,” said Newell. “Hopefully we see some benefits from that in the coming months and years.”
Michael Christman, assistant director of the Criminal Justice Information Services Division at the FBI, also cited the Colonial Pipeline attack as the most significant, but for different reasons. To Christman, the attack “epitomizes” both the ambiguous relationship that groups like DarkSide have with their home governments like Russia as well as the broader shift in cybercrime to “crime-as-a-service,” such as the rise of initial access brokers and ransomware groups and other actors licensing their malware to other parties in exchange for a cut of the ransom.
As SC Media reported earlier this year, initial access brokers (criminal hackers who specialize in gaining and then selling exploits or direct access to victim networks) have become an integral part of many ransomware campaigns. The Colonial attack exposed just how vulnerable American society is, particularly in a post-pandemic world where every employee signing into work is a potential vector for the next attack.
“We see that our critical infrastructure is probably more vulnerable than we want to believe. I think with the pandemic, lots of us have had successes around telework or remote work. But what we see here, in the context of ransomware is [remote] employees can create a vulnerability or a side door, so to speak,” said Christman.
Of course, virtually all of the ransoms paid out over the past year were done through pseudo-anonymous and difficult to trace cryptocurrencies like bitcoin. Despite much of the hype and marketing around the technology, law enforcement agencies have for years been able to turn to private sector companies like Chainalysis to pierce the veil of anonymity behind some of the most popular currencies.
Still, U.S. policymakers appear to be coalescing around a larger push to more tightly regulate the cryptocurrency market in order to force exchanges to know more about who is using their platform, and cut off the primary avenue through which ransomware groups receive and launder their extorted money. Jarod Koopman, director of cyber crime at the IRS Criminal Investigation Division, said he and other agencies will be spending the next few years continuing to map out the various ways cyber criminals hide and obfuscate their ill-gotten gains. “It’s just a sophistication level of these criminals to deploy these technologies in unique ways that make it much more challenging for law enforcement to really find and make attribution, whether it’s the use of these specialized crypto attribution methods such as mixers, tumblers…cross chain transactions. It’s really that type of activity that we’re really trying to stay ahead of,” said Koopman.
The Microsoft Exchange hack, and the subsequent FBI operation to remove malicious webshells from hundreds of U.S. computers that were running on-premise versions of Microsoft Exchange, was also noted as a critical moment. Although they sought and received a court order to do so, the incident still raised questions about the underlying legal authorities that FBI and other government agencies were relying on to intervene in private sector cybersecurity matters and where to draw the line.
Newell defended the Bureau's decision, saying they did not search the computers or root through the end user's files, nor did they patch the original, underlying vulnerability as some reported at the time. They also publicly released the command they used to delete the shells. He described the action as a natural continuation of previous takedowns by U.S. law enforcement agencies, such as the operations against the Trickbot and Emotet botnets.
Of course, there's a big difference between the government seizing the property and infrastructure of known cyber criminals who are the subject of criminal investigations or indictments and making cybersecurity decisions for private industry. Newell said he welcomed the scrutiny but argued it was in line with previous U.S. and FBI efforts to find and disrupt foreign and criminal hacking operations, especially those with broad societal impacts like the Microsoft Exchange attacks.
"I think it garnered a lot of attention, and rightfully so, which is why we're very transparent about the operation," he said. "But I think it's important to actually place that in the context of what is now over 10 years of the Department of Justice, the FBI, actually taking these types of steps to disrupt hackers and their activities, to target their networks."