Decoding the Cyber Threat
Steve Lewis: This past summer, the impact of ransomware attacks and cyber intrusions became impossible to ignore. With long lines at gas stations and missing products at the meat counter, we could all see what is at stake.
As adversaries look to exploit gaps in our intelligence and information security networks, the FBI has been committed to working with other federal agencies, foreign partners, and the private sector to close these gaps. Whether it’s through developing innovative investigative techniques, using cutting-edge analytic tools, or forging new partnerships in our communities, the FBI continues to adapt to meet the challenges posed by the evolving cyber threat.
To talk more about the evolution of cyber threats and what the FBI is doing to combat them, we have Deputy Assistant Director Tonya Ugoretz of the Bureau’s Cyber Division with us in the studio today. Not only will we be discussing how cyber threats have impacted all of us, we will also focus in on how businesses and organizations can work with the FBI to get ahead of the threat and make a major, real impact on our cyber adversaries.
I'm Steve Lewis, and thanks for joining. This is Inside the FBI.
* * *
Lewis: Tonya Ugoretz oversees national-level cyber policy, analysis of cybercriminal and national security threats, and partner engagement. Tonya, welcome to the show.
Can you tell us more about what you do in your role, especially as it relates to forging partnerships?
Ugoretz: Thanks Steve. I’m very happy to be here.
I know it’s said often that cyber is a team sport, but it’s really true. Because of the complexity of the cyber threat, the fact that it deals with foreign actors using global infrastructure to target U.S. networks, what that means is that really no single agency can tackle cyber threats alone, and even if you look at the fact that most of the networks that are being targeted aren’t owned by the government, they’re owned by the private sector, it means that even no single government can tackle threats alone.
We need partnerships, so my branch is really looking at: How do we build those relationships across government and with the private sector and how do we use the FBI’s unique role as both a law enforcement agency and a domestic intelligence agency to feed those partnerships?
So, what does that mean? I think everyone’s getting kind of tired of “public-private partnerships.” It’s this phrase we’ve been using for years to talk about how we all need to work together. But when it comes to cyber threats, like I mentioned, the complexity is so great and the speed that the threats move is so great that we need to find different ways of working together.
So, it used to be that when we looked at intelligence, we would start with a very highly classified product—something that the FBI or maybe another agency like NSA or CIA had collected, often at the top secret level. And we could spend weeks or months trying to figure out how do we get that intelligence into a form that we can share with our partners to defend their networks?
Well, today, that type of very transactional sharing, it just doesn’t scale to the type of threats we have. So, what we’re looking at, and, I think the benefit I have having both intelligence and engagement in my branch, is we’re trying to see how we speed those interactions. How do we take the intelligence we uniquely collect and think first of those partners in the private sector who need it, but also what are we asking back from them? What are our intelligence gaps that those companies can help us fill?
I mean, the reality is, because of the way our laws are structured here in the U.S., the government—including the FBI—we don’t have visibility on U.S. networks, so we’re really reliant on those private companies to tell us what type of malicious and anomalous activity they’re seeing. So, if we can be a little bit more open and transparent about the gaps we have, we have many good partners out in the private sector who are looking for ways to help us and are happy to share that information back.
And then, collectively, we end up being in a stronger place.
Lewis: I wanted to play a clip about a frog from a briefing you provided during CyberScoop’s 2021 Cyber Talks. Let’s take a quick listen.
Ugoretz [CyberScoop clip]: Since at least 2014, malicious cyber activity and how we perceive it has been compared to a frog in gradually boiling water. Year over year, the number of incidents, the scale of their impact, and the threat to our national and economic security and to our public safety grows, but it grows in such a way that it continuously feels like the new normal. That’s not sustainable and it’s not acceptable.
Lewis: Based off what we just heard, just how have the threats evolved over the years?
Ugoretz: Well, I have to credit my good friend and colleague, Tom Donahue, who I worked with at the Office of the Director of National Intelligence, a great leader in all-things cyber, with that frog analogy, but it’s really true. I mean, some years, we would have one major cyber incident—if you think back to the Sony hack or the OPM breach—and it would be, you know, the thing that would kinda galvanize attention against cyber threats for a moment, at least for, you know, those who didn’t follow the cyber issues closely. And then it would, you know, the attention would kind of dissipate.
If you look at 2021 alone, I mean, the number of highly significant cyber incidents is unparalleled, and so is their impact and their reach.
We started off 2021 responding to a significant cyber incident targeting SolarWinds, which has since been attributed to Russia’s SVR. Ended up compromising the networks of about 18,000 victims and then kind of narrowed down from there to the targets that the actors most wanted to exploit. That was quickly followed up by Chinese cyber activity that we and the interagency have attributed to actors affiliated with China’s Ministry of State Security, where they, too, undertook a global intrusion campaign. And then, it just hasn’t let up since. And then we segue into the ransomware threats of the past few months, which really, I think changed the public’s perception of how cyber intrusions can affect the average American.
So in any other previous year, any one of those incidents would have been kind of, you know, the focus for the U.S. government. And so I think the worry with the boiling frog analogy is do we start to get used to that? Do we start to accept it as, well, this is just the current threat landscape? And I think my point in those remarks is that we just cannot consider it as acceptable.
And so I think that’s why over the past, you know, six months to a year, you’ve really seen the U.S. government pull together in terms of, how are we going to respond as a whole of government against these threats, not only after the fact, but to work proactively to disrupt them?
Lewis: Talking about the evolution, I want to bring it to right now and maybe even touch upon the future, which we’ll talk more about toward the end. What kinds of threats are many organizations faced with right now that they need to be really worried about?
Ugoretz: Spearphishing and phishing are still the number one means by which successful intrusions occur.
And I think the challenge when companies are looking at malicious activity is you don’t know at the outset what the intent of the adversary behind it is. Someone could be trying to get you to click that link because they wanna steal your intellectual property as a company. Maybe they just want to get in and take a look around and see if there’s something of value that they could either steal for their own use if they’re a nation-state or maybe sell if they’re a criminal. Or they could have a more destructive purpose—maybe to encrypt your networks and hold them for ransom? Or, if you’re a truly malicious nation-state actor, actually try to wipe or destroy your networks altogether, which we’ve seen less of in the United States, but is certainly a concern going forward. And then, I think the other real trend in activity we’ve seen over the past year are supply chain compromises.
Lewis: Now, this is essentially when a cybercriminal is able to compromise a product that will go out to the customers. You talked about supply chain compromises in a presentation to Microsoft. Let’s listen to that.
Ugoretz [Microsoft presentation clip]: What worries me are these very deliberate efforts we see by our adversaries to undermine trust, to target what enables them to compromise and attack the highest number of victims possible. So, for example, in recent campaigns, we’ve seen the software supply chain compromised to the extent that, whereas I would want to be able to trust that when I receive a software update from a company that I’m a customer of, that update is providing me positive things.
Lewis: Help us understand the impact of those types of attacks.
Ugoretz: So the way I think about it is: Imagine you’re living in an apartment building, and a criminal could steal the key to your apartment and break in, and for you, that would be devastating and impactful. But what if they stole the super’s key, the master key? And by that one action, they were actually able to open the doors to every apartment in that building and steal whatever they wanted to. I mean, that’s really the difference between compromising one victim or compromising someone who then leads you to multiple other opportunities. That’s increasingly what we see, especially by nation-state actors, but those tactics are then picked up by cyber criminals, as well. So all of these actors are watching each other and seeing what’s successful, and then they’re picking up on those practices basically to try to get the biggest return for their investment of time and resources.
Lewis: We also saw in that conversation with Microsoft you often meet with potential and current business and organization partners to advocate for collaborating with the FBI. Why is engaging with companies on a regular basis important to you and important to the FBI?
Ugoretz: We often use the term “private sector” as this catch-all and, you know, obviously the private sector and private industry—it’s a heck of a lot more complex than that. So when I think about it in the cyber world, there are just kind of two main buckets, I think.
One is companies like you mentioned, who are key domestic service providers. They’re the providers of the software that many of us use, the infrastructure that much of the internet and our networks ride on, and even, too, I would include in that category some of the commercial cybersecurity companies who really are often that first call from companies when they’re looking to secure their networks or respond to an incident. And because they’re nongovernment and because they’re directly supporting customers with their hardware and software and their services, they have visibility that the U.S. government doesn’t have.
And so they’re incredibly important partners for the FBI. Because it’s only by bringing together what we see through our collection, as I mentioned as, you know, a law enforcement and an intelligence agency. But if you can marry that up with what these providers are seeing, obviously protecting their customers confidentiality, respecting, you know, those relationships with their customers, but bringing together a picture of the malicious activity they can see transiting their services and their networks, that’s really our best hope for trying to get a fuller picture of what our adversaries are trying to do here on U.S. networks. And the more that we can be sitting side by side, working together, sharing information, the faster that we can act on it.
Lewis: What are the biggest misconceptions that you see, though? I think we’re really just trying to find out the misconceptions from folks who aren’t really willing to work with us because of some preconceived thoughts.
Ugoretz: I think there’s a couple I would point out. One is that I think that there’s a fear that a company that has suffered a cyber intrusion is going to be revictimized by working with the FBI.
You know, when you have suffered a cyber intrusion, we consider that like we would the victim of any sort of crime. We are not there to come in and try to investigate what you did personally that led to your becoming a victim of a computer intrusion. We’re there to find out who did this, how they did it. And we know they’re still out there. So we need your help to get information that’s gonna enable us to find those people and stop them before they act again. So I think there’s a misconception that you know, we’re gonna come in the equivalent of cyber raid jackets and carry out boxes full of info and look through a company’s files at things that have nothing to do with the incident we’re investigating. And that’s just not the case.
What we are looking for is really digital evidence, forensic evidence that’s going to enable us to answer those questions: Who did this? How did they do it? How do we share that information to keep others from falling prey to the same activity? And then how do we hold them accountable?
I think what companies are really frustrated with is that nation-states, other countries, are attacking them, and that is not a fair fight. So, the reason the FBI needs to be part of the response is that we need to hold those people accountable, and we’re going to do that not just through our actions, but by sharing the information that we have with our partners in U.S. Cyber Command, with the Treasury who can enact sanctions, with the State Department who can pursue diplomatic actions, with our foreign partners so that together, we can hold these actors responsible and trying to prevent that next compromise.
Lewis: Ransomware attacks seem to be one of the biggest threats impacting organizations right now, and we’ve been seeing quite a bit of it in the news. During a virtual event with the National Governors Association, you spoke more about how folks should include contacting the FBI when they are responding to incidents like this.
Let’s listen to what you had to say.
Ugoretz [National Governors Association clip]: So, we know the threat is real. We also know that when it’s your state or your county or your organization getting hit, when it’s your emergency services that have been taken offline, when it’s your constituents who can’t pay their utility bill because the site is being held for ransom, we understand that your number one focus is restoration and recovery. It's: “How do I get back online and get services restored?” But if that’s priority number one, what I want you to walk away with today is an understanding of why working with federal law enforcement, and ideally the FBI, is priority 1A.
Lewis: I really like that.
You mentioned that when organizations are hit with ransomware attacks, their number one priority is restoration and recovery—like what we just heard—but working with federal agencies, like the FBI, should be priority 1A. What do you mean by that?
Ugoretz: So, I think this leads to another misperception, which is that companies have to make a choice between getting back online and allowing the FBI to come in and investigate.
And what I say instead is that mitigation and investigation can occur simultaneously. No matter who you call in as a company to help you restore your networks—that could be the National Guard, that could be a private, you know, company that’s experienced in doing this, it could be the Cybersecurity and Infrastructure Security Agency, could be an in-house team. Whoever that is, we are very experienced at working side-by-side with those teams, not getting in their way but actually supporting their efforts with the information we have. But also, kind of nearly simultaneously, being able to collect the forensic evidence we need and to move quickly to help protect others and identify opportunities to respond.
Lewis: Based off that—and you touched upon this earlier—what tools does the FBI have to help organizations solve and combat cyber threats?
Ugoretz: You know, I think sometimes people think of the FBI purely as a law enforcement agency that is coming in after the fact to investigate something that’s already happened, and so then they don’t see the immediate value. But one of the tools we bring, one of the capabilities we bring, is that for an issue like ransomware, even though it only may have popped up on the public’s radar relatively recently, we’ve been investigating these types of criminals and these types of groups for a long time.
There’s more than 100 different ransomware groups and variants that are being used right now. We have investigations on all of them. And what that means is that we bring expertise to the table. So, I mentioned earlier that when you’ve suffered an intrusion, as a company, you don’t always know right away who did it or what their intent is. When we show up on scene, we can pretty quickly identify who’s behind it based on the traces that we see, which is gonna help you know how to respond.
If we can tell you, “This is a group who usually enters your organization this way, and they spend so many days doing reconnaissance and accessing all your files and mapping them. And then, at this point, they move onto the next phase, and this is how they typically will actually steal your data and how they move it,” that can help you know how to shape your response and what to do to protect your networks and not have the incident become more severe than it otherwise might be. So, that expertise based on our collection, but also our role in the intelligence community, is something we bring that I don’t always think people realize.
Lewis: I think this next part is a really good segue into talking about the FBI Cyber Strategy. FBI Director Christopher Wray announced the Bureau’s new strategy for countering cyber threats at the National Cybersecurity Summit back in September 2020.
I want to play a clip from his remarks, and then, after that, I’d like to talk more about that.
Director Wray [National Cybersecurity Summit clip]: We’ve been fighting the cyber threat for years now, and it’s all too often been a game of whack-a-mole. We investigate one major hack, only to uncover another one. We disrupt one nation-state adversary targeting our infrastructure and our intellectual property, and another one lights up the map. Some days, it seems like a never ending battle.
So we wanted to see if we could look at this fight in a new way, with fresh eyes, including taking a closer look at what the FBI can bring to this fight that no one else can. Our strategy, in a nutshell, is to impose risk and consequences on cyber adversaries.
Lewis: What does that mean? Break down the focus of the strategy for us.
Ugoretz: Risk and consequences means we have to make it harder for hackers to succeed. When we looked at developing an FBI Cyber Strategy—knowing that there are a lot of agencies in this space, as well as a lot of very capable, you know, private cybersecurity companies—we really focused on, “What can the FBI bring to this that no one else can?” And when we looked at the landscape, we saw that, for too long, hackers felt like they could steal our intellectual property, maintain presence on our networks, conduct ransomware attacks, and hold our networks at risk without incurring risk themselves. That’s what we wanna change.
The FBI has this unique insight, kinda straddling the seams that we think adversaries are trying to exploit. We’re a domestic agency that also looks overseas. We’re a law enforcement agency that also has national security authorities. We’re a government agency that also works with the private sector and can be on anyone’s doorstep to support a victim within an hour or so. That’s a very powerful, unique set of capabilities.
So, when we looked at that and then we looked at the nature of the threat, we said, “We can’t just use those capabilities for ourselves to pursue indictments or arrests, which are important, but where the power really comes from is taking all of those capabilities and sharing them.” So, sharing the information we can uniquely collect with the private sector so they can put that into their intrusion-detection systems and find and block the anomalous activity. Sharing it with Cyber Command so that, if they see an opportunity, they can do something against an actor overseas. Sharing the information with Treasury so that they can build a sanctions package against some of these actors. And ideally, doing all that together.
So, it doesn’t mean that we’re not still going to indict or arrest people, or use our own information to disrupt infrastructure, or, on the positive side, to maybe seize cryptocurrency that a ransomware actor has stolen. But what it means is that we’re going to work with partners in joint, sequenced operations to take all of those building blocks and do them—take those actions in a way that’s gonna have a larger impact.
Lewis: Speaking on that, how has the strategy worked so far? Having implemented the strategy, do you have maybe one or two success stories to share with us?
Ugoretz: Yeah, it’s been pretty exciting to see over the past year. I mean, I guess on the downside, our adversaries have given us ample opportunity to put the strategy into practice, but I think what’s neat is that we’re using that range of authorities and leveraging that range of partners in ways that we never have before.
So one other success story I think that comes to mind—I know ransomware is something that we are all currently focused on—was a joint operation that we undertook with foreign partners earlier this year against a variant of ransomware called Netwalker. Ransomware actors were using this ransomware to target companies, municipalities, hospitals, law enforcement, emergency services, schools—you name it. Whatever victim they could compromise, hold their data for ransom, and then basically earn a buck.
So, what we did was work with our international partners after an investigation to arrest and charge one of the people responsible for this activity in Canada. We seized about $450,000 in cryptocurrency. We were able to take down the website that these actors were using to manage the delivery of the ransomware and extort their victims, and then our foreign partners kinda really had a windfall, seizing about $27 million in proceeds from one of the ransomware. So this is multiple countries, taking coordinated action to take out the ransomware actors, their infrastructure, and their money. And what we have found is that when we can do all of that simultaneously, we don’t hear from these groups again. And that’s exactly what we’ve seen with Netwalker.
Lewis: How can businesses and organizations prepare for the future when it comes to emerging cyber threats?
Ugoretz: I think the first thing to do is to make sure that, you know, companies have the right relationships with the U.S. government. I know that companies often want one person to call, but the reality is it takes a team to respond to these incidents. So, we always encourage companies to make sure the FBI is part of their incident response plans. One of the benefits of our broad domestic presence is that it is pretty easy to build a relationship with your local FBI field office and the cyber squad there. You don’t want to be meeting someone for the first time when you’re responding to a major incident and you’re in that fog of war, so the best first step is establishing that relationship in advance.
The second piece is reporting when you suffer a computer intrusion. The only way we will be successful in making a dent against this cyber activity is if we know what’s happening. We can glean that evidence that I’ve talked about that’s so critical to help us understand not only what happened, but how to stop it going forward. And we just can’t do that if companies don’t report to us.
So, the reporting is important, but then lastly, working with us after you’ve reported. It’s great to know something has happened, but we really can’t help to the fullest extent unless we can kind of, you know, work with you, gain insight into how the activity occurred on your networks. And as I mentioned before, we have very good relationships with a lot of the companies that typically respond to these incidents, that are retained by victims to help them remediate incidents, allowing us to work with them, even if we’re not on-site collecting the information. If we can work with the company a victim has hired to mitigate the compromise, benefit from the insights they have, that will still enable us to look for opportunities to take some action back against the people who are responsible.
Lewis: Coming back to the success of the FBI and the successes that we’ve had—especially the examples that you’ve mentioned with the strategy—where are we going next? What’s next for us?
Ugoretz: So, I think where we’re going next is, hopefully, having a better picture of that universe of incident reporting. We’re very encouraged that Congress is focused on this issue. There are a number of bills that have been proposed looking at mandatory incident reporting. We’re pretty excited for that because that’s really gonna change the landscape for us, in terms of understanding the universe of threat activity and providing us more opportunities to help victims, but also, to respond.
What’s important for us in that is not so much who owns that reporting—who builds the database where the reporting will be held—but that the FBI, because of our responsibilities to investigate computer intrusions, but also, our mission of threat response, that we have contemporaneous and unfiltered access to that information so that there is no delay in our ability to act, to help victims, and to hold adversaries accountable. So that will be a game-changer for us, so that is something that I’m really hopeful we see come to fruition in the coming year.
Lewis: Do you have any final thoughts? Anything you want to add that we should have been talking about here?
Ugoretz: I think the thing I would leave all your listeners with is that, unfortunately, through the pandemic that we’ve all been suffering through over the last year and a half, we’ve seen that, you know, cybersecurity is not just an issue for government or even just for Fortune 500 companies. It affects all of us.
We’ve seen K-12 schools affected. We’ve seen hospitals hit by ransomware. We’ve seen state and local municipalities be hit by distributed denial of service attacks where their emergency services have gone down.
Unfortunately, these criminals and nation-states that we’re dealing with, they have no limits in terms of the types of victims and companies—small and large, mom-and-pop shops, you name it—that they’ll go after if they think it will help them. Whether, you know, it’s criminals trying to earn money or nation-states trying to steal intellectual property to support their own governments and economies.
It affects all of us, and so, it requires action by all of us, so if I can just reinforce that if you do think you see suspicious cyber activity, there are ways that you can report that and work with the FBI. If you’re a company or even a private citizen who sees suspicious activity, you can go to ic3.gov—that’s the Internet Crime Complaint Center. It’s a very easily accessible web portal where you can report that suspicious activity.
For companies, you can also contact your local FBI field office. There’s a contact list available on fbi.gov. If you don’t already have that relationship, they would love to hear from you. Get to know your local cyber squad.
And it’s really only together—by looking at this activity, trying to understand what’s happening, and finding new ways to combat it—that we’re gonna be able to increase cybersecurity for not only the government, but for our families.
Lewis: Tonya Ugoretz, thank you for your time and your insights. As you said, these are sophisticated actors and complex attacks. The solution requires engagement from all of us.
As DAD Ugoretz mentioned, there is much more at fbi.gov/cyber, including cybersecurity tips for every person who uses a connected device, more details on our investigations and successes, and resources for reporting. We also have a cyber partnerships page with details for companies on how to create an incident response plan and start a relationship with the FBI.
This has been another production of Inside the FBI. You can follow us on your favorite podcast player, including Spotify, Apple podcasts, and Google podcasts. You can also subscribe to email alerts about new episodes at fbi.gov/podcasts. I’m Steve Lewis from the FBI Office of Public Affairs. Thanks for tuning in.