To combat cybercrime, US law enforcement increasingly prioritizes disruption
SAN FRANCISCO — When a coalition of international law enforcement agencies earlier this year took down a portion of the infrastructure supporting the Hive ransomware syndicate, top officials at the U.S. Department of Justice knew that no arrests were going to be made.
“In days gone by, that might have been heresy,” U.S. Deputy Attorney General Lisa Monaco said at an appearance Monday at the RSA security conference. Instead, government investigators lurked in the Hive networks for months, disrupting attacks along the way and providing decryption keys to targets that had already been victimized.
In total, the operation prevented an estimated $130 million in ransomware payments from flowing to what Monaco described as a “top-five” ransomware network. “Doing more of that is what we’re all about,” she said.
Monaco’s comments on Monday are the latest example of what senior U.S. law enforcement officials are increasingly describing as a “pivot” in how they are approaching cybercrime enforcement. Rather than carrying out traditional investigations aimed at building cases, arresting suspects, convicting them and sending them to jail, U.S. law enforcement is increasingly focused on disrupting online crime.
Monaco, who spoke in conversation with Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, cited two cases as illustrating the shift. The first, in April 2021, saw the FBI proactively disable web shells related to Chinese-linked efforts to exploit vulnerable Microsoft Exchange servers. The second, in April 2022, came when the FBI dismantled the Russian military intelligence-controlled Cyclops Blink botnet.
While the DOJ is still carrying out its traditional investigations and trying to put suspects behind bars — just last month the FBI arrested the 20-year-old accused of operating BreachForums from his parents’ house an hour outside of New York City — Monaco said the agency determined it needed to pivot. Prosecutors and investigators are now directed to have “a bias toward action to disrupt and prevent, to minimize that harm if it’s ongoing,” Monaco said. The goal, she said, is “to take that action to prevent that next victim.”
Speaking earlier on Monday, Elvis Chan, who oversees the cyber branch of the FBI’s San Francisco field office, said that the shift in how investigations are run has taken the old model and “flipped that on its head.”
“We are trying to disrupt when it will make an actual impact as opposed to waiting until we’ve tied it all up in a bow for the U.S. Attorney’s Office,” Chan said. “Our investigations take a while to run. What can happen quicker are seizures or disruptions.”
John Fokker, the head of threat intelligence for Trellix, told CyberScoop on Monday that government and private company partnerships to combat complex cybercrime operations are improving and yielding major results.
Earlier this month, the Dutch National Police turned to Trellix and another firm for help analyzing malware associated with the Genesis Market, a notorious forum that allowed buyers to access compromised browser sessions, Fokker said. The investigation ballooned, and ultimately agencies in 17 countries, including 45 FBI field offices and the U.S. Department of Justice, took the site down and arrested 119 people around the world.
Along with the arrests and takeover of the site, Fokker said, the collaboration allowed Trellix to share specific malware indicators with the wider cybersecurity community, helping improve security more broadly.
“Things are going in the right direction,” he said.