They got their chance earlier this year after state-backed Chinese hackers compromised thousands of private Microsoft Exchange email servers with the press of a button. In response, an FBI special agent petitioned a Houston federal judge on April 9 for authorization to remotely access hundreds of hacking victims’ servers to topple the attackers’ digital points of entry.
Put more simply, the FBI out-hacked the hackers.
While some civil liberties advocates worried about potential future abuses, the FBI operation signaled the public unveiling of a more aggressive, all-of-government approach toward cybersecurity.
“The FBI has definitely decided to be more aggressive,” said Elvis Chan, the assistant special agent in charge of cyber investigations in the FBI’s San Francisco field office, in an interview. “Our toolkit hasn’t changed. We’re just using the tools a little bit more.”
Other examples of the FBI’s feistier posture include a joint FBI-National Security Agency operation to disrupt a Russian cyber-espionage campaign, and the FBI’s recent successful claw back of cryptocurrency paid to hackers after the Colonial Pipeline Co. ransomware attack.
Eight months removed from the election, the government’s emboldened approach has surfaced publicly after a rash of devastating hacks -- including the Colonial Pipeline breach and a ransomware attack against meatpacking giant JBS SA -- exposed glaring security gaps in vital U.S. industries. It also reflects a growing acknowledgment that previous efforts to thwart cyberattacks, including criminal indictments and sanctions, have done little to slow the onslaught.
The effort isn’t confined to the FBI but is rather a “whole of government” priority, said Anne Neuberger, deputy national security advisor for cyber and emerging technologies, in an interview with Bloomberg. “It’s a dramatic difference in terms of saying this is a priority.” In one recent example, Neuberger’s former employer, the ultra-secretive NSA, opened a collaboration center that is intended to foster information sharing with the private sector.
The government’s effort to fast-track cybersecurity operations has its roots in a 2018 FBI and Department of Justice takedown of a malicious hacking operation called VPNFilter. According to FBI Supervisory Special Agent Chad Hunt, who helps run a cybersecurity squad in Atlanta, the VPNFilter case was among the first to use legal tools to identify and disrupt essential pieces of a malicious Russian network.
Since then, ransomware attacks have steadily increased, and the pandemic spurred a surge in hacks last year as people moved from the office to their home office.
“If there’s been a silver lining in this last year it’s that because of Covid, cybercrime has been so nonstop that we’ve had to be more aggressive and more creative,” said Chan. “Since the pandemic, it has gotten bananas. It really supercharged the bad guys, which has led us to have to supercharge as well.”
In September, FBI Director Christopher Wray announced a new cyber strategy to pivot away from what he described as a constant game of “whack-a-mole.” The FBI’s new objective, he said, was to “make it harder and more painful for hackers and criminals to do what they’re doing.”
But the bolder tactics could lead to abuses, several civil liberties experts said. Executing a warrant to remotely access computer networks raises questions about how network administrators are notified and the ways such tools can be abused, said Kurt Opsahl, deputy executive director and general counsel of the Electronic Frontier Foundation. In the Microsoft Exchange case, FBI agents told the court that they planned to send an email to the address each victim provided when they last registered their domain with a web registrar -- but would do so 30 days after gaining entry.
Jennifer Stisa Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union, said the bolder tactics raised concerns about the “limits of government authority to mess with private property.” “During the history of novel surveillance techniques, law enforcement starts using them in a compelling case then eventually uses them in a case that’s far more questionable, once there’s a pattern and comfort established,” she said.
The FBI’s Microsoft Exchange initiative was followed in May by a campaign to claw back 63.7 of the 75 Bitcoin (worth $4.4 million at the time) that Colonial Pipeline paid in ransom to hackers on May 8. While federal officials said it wasn’t the first time they have recouped cryptocurrency from criminals, it is among the first known cases involving ransomware.
After Colonial paid the hackers, its ransom was split between two digital cryptocurrency wallets. Over the next 19 days, it was shuffled and rerouted a dozen times, a tactic ransomware operators often use to hide their tracks while attempting to launder their digital loot, according to court filings.
An FBI agent tracked the cryptocurrency’s many pit stops until it finally landed on a cryptowallet on May 27 containing 63.7 in Bitcoin, according to court filings. In the meantime, the FBI in San Francisco got their hands on the cryptographic password, also known as a private key, to access the money inside that particular wallet. The FBI’s Chan declined to explain how agents landed the private key.
A federal judge awarded the agent a warrant to seize the funds within just a few hours of the FBI’s application, according to court filings.
So what took federal authorities so long to try more aggressive tactics?
For one, ransomware was long seen as noisy malware that hackers might leverage on the side to make a quick buck, but wasn’t considered a national security threat, according to cybersecurity experts. In addition, victims of ransomware attacks are often slow to report breaches, making it hard for the FBI and U.S. government to track them, according to one former U.S. intelligence community official.
That official, who was granted anonymity to speak about this work, said providing incentives to disclose hacks would allow the FBI to quickly involve the right people in these cases.
With hackers coming after gas pipelines, food production and the water supply, bureaucratic bottlenecks are now unlikely to hinder federal agents proposing aggressive measures to defend U.S. critical networks, said Milan Patel, a former FBI cyber-agent who is now the global head of managed security services at the cybersecurity firm, BlueVoyant.
“The reality is that the FBI is under extreme pressure to find ways using existing laws and regulations to thwart these attacks,” he said.