The US Department of Justice (DOJ) said last month's effort to bring down the Genesis Market represents a departure from its traditional cyber enforcement actions. "Operation Cookie Monster" was not about nabbing masterminds but about making it harder for junior-varsity ("JV") hackers to level up in online fraud. Cookie Monster is usually associated with children; in this case, the children are script kiddies.
LM (Deputy Attorney General Lisa Monaco): We focus on disruptions and not always just looking for the prosecution. The Genesis disruption is a really good example of that. We changed our orientation to say we need to focus on taking action that can prevent the next victim. And to do that, we've paired our prosecutors with cyber agents. Those prosecutors normally are trying to build that case painstakingly, to bring that prosecution — now we're saying [to them], Well, that's great. But that isn't always the tool we're gonna use. We're going to use whatever tool we can to disrupt and prevent. What you saw here is us going after the enablers, the facilitators, the engine that allows so many people to enter the online criminal marketplace in what became, before it was disrupted, a criminal bazaar.
CH: We used to think that multifactor authentication was the gold standard for security. It's still important. I'm not saying it's unimportant, but the Genesis Market is an example in which MFA isn't necessarily the gold standard.
LM: Well, the interesting thing about the Genesis marketplace disruption was you had a marketplace where you had millions of credentials that were on offer for sale in a very user-friendly way. If you're a fraudster looking for easy access to somebody's network to commit fraud or conduct a ransomware attack, you could go into their very user-friendly search engine. By the way, [this was] on the clear web, right? This isn’t the darknet.
CH: I wanted to ask you about that. Wasn't that a risky move on their part? Shouldn't they have stayed underground?
LM: Well, we’re pretty happy they didn't. It made our job a little bit easier. But it was a friendly search engine. You could say, I'm Dina, and I'm looking for financial accounts, and I'm gonna go search in this location. You could call that up, put it in your cart, and pay the bottom line. So, you have access-as-a-service. You’ve got ransomware-as-a-service. And so we're seeing that evolution of the facilitators and the entry points. Genesis lowered the barrier to entry for the kind of fraudster looking for easy access.
CH: It's a JV thing. I mean, all of a sudden, JV hackers who aren't good at getting into networks can purchase that access.
LM: And they don't have to spend time, effort, or expertise developing that access themselves. Somebody else has done that legwork. And then, importantly, what Genesis also did was they had those fingerprints, right? That ability allows the fraudster to impersonate the victim. That makes it much easier for fraudsters or ransomware actors to conduct their activities at scale. But, again, it's about going after the whole ecosystem. So that's the cryptocurrency exchanges that are laundering the money. You saw us take disruptive action against ChipMixer. It's marketplaces like Hydra, which operate on the darknet, like Genesis Market and BreachForums. All of this contributes to fueling the online criminal space, and the ransomware activity we've seen can have devastating effects.
CH: Have administrators been arrested? I sensed that it was lower-level people — still criminals, but more like the customers in the market, as opposed to admins.
LM: A lot of customers. A lot of users. And we've gained a lot of knowledge in what is an ongoing operation.
CH: Right. The wording of the FBI message that they left on the Genesis marketplace was, you know, We'd like to talk to you. Have people responded?
LM: Part of the point is to let folks know they should be looking over their shoulder. And to your point earlier, you can't assume that your credentials are safe. And the criminals using them shouldn't assume they're safe.
CH: Does this feel like what you tried to do during the terrorism era as well? Because it feels very familiar to me.
LM: It should feel familiar because it's taking that playbook and saying, focus on prevention. And importantly, let's use any and every tool we can. Sometimes it will be extraditing, putting handcuffs on someone, and seeing them prosecuted in a US courtroom. But sometimes, it's going to be financial sanctions. Sometimes it will be an intel operation you'll never hear or see. Sometimes it's swiping those decryptor keys and then giving them out to the victims, which we did in the Hive operation a few months ago.
[We made] no arrests there, but you saw $130 million of prevented ransomware payments because we could swipe those decryptor keys and give them to the victims before their systems got locked up. So, what we're trying to do now is use whatever tool we can to take disruptive action and, importantly, put victims at the center of this whole approach.
CH: And is that because the DOJ and FBI are smarter about this than they were a year ago? This feels slightly different from what was going on a year ago.
LM: Well, I hope we're smarter because we have to evolve. In a previous role, I was President Obama's homeland security and counterterrorism adviser. At that time, nation-states — China, Russia, Iran, and North Korea — were conducting aggressive activity on the cyber threat landscape. Now they're teaming up [and] blending with criminal groups who often find safe haven in rogue nation-states. I'm talking here about Russia. So, I told my team we needed to change our orientation. We need to get on our front foot and take those steps that can help prevent the next victim, put those victims at the center of our strategy, and tell the private sector we need them to come forward and work with us so that they can prevent the next victim.
CH: How do you do that?
LM: You saw us send that message when we used a dusty old legal authority called a forfeiture warrant. We used that tool to follow the money through the blockchain, seize back the ransom payment that Colonial Pipeline made, and return it to the victim. So, we're using old tools in new ways.
You talk about your roots being in terrorism, and mine are in working to counter terrorist threats. And there's a lot we can [bring] over from that. But the difference is the lion's share of the information that we need to get after this threat — as a national security community, as a law enforcement community — is not information that we as a government possess. It is in 85% of the privately owned networks around this country that operate our most critical networks.
CH: So the pandemic happened, and I remember talking to you; I think the last time just the two of us talked, and I was saying this pandemic completely surprised me. And you said to me, "What are you talking about? I've been saying this for years."
LM: I wrote an article — this was [in] the fall of 2018 — entitled, The Next Pandemic Will Be Arriving Shortly. I didn't write the headline, but it's a good headline.
CH: Do you think we're in the same position of cybersecurity, that everybody's waving their hands saying, Hey, you need to worry about this. And people haven't quite brought on board how it's already arrived?
LM: I think that was true. I think people are starting to take notice when you have something like Colonial Pipeline or when you have this drumbeat of attacks on hospitals. I think the ransomware piece has gotten people's attention because they feel it could impact their lives if they or their family members or loved ones are in the hospital and those systems get locked up. But we're not where we need to be by any stretch of the imagination.
[NOTE: Less than a week after this interview, the Royal ransomware gang — believed to be an offshoot of the Conti group — locked up government computer systems in Dallas. As of 7 May, the city’s courts, firefighters, and police officers are still reeling from the attack.]
We're getting better. You see ransomware payments going down in the last year. And we're getting more cooperation from victims who are coming forward. It was only because Colonial did what was frankly a very brave thing for them — to come forward and work with us quickly.
CH: In tackling this problem, have you taken lessons away from what we've seen in Ukraine?
LM: Absolutely. One of the things that we did as a national security community 14 months ago in the lead-up to Putin's unprovoked and brutal invasion of Ukraine was we changed our orientation there. We said we're going to declassify a lot of intelligence to show the international community what's happening [and] bring the international community together to put in place sweeping sanctions — and enforce them.
We’ve got to do the same thing when pooling our information resources against the cyber threat. Go back to the Genesis marketplace disruption: You saw across 20 different law enforcement agencies internationally — in dozens of countries — more than 130 arrests take place. Searches, arrests, seizures of domains, disrupting that infrastructure. [It’s a] synchronized dance amongst law enforcement intelligence and national security partners. So, we are not going to be able to get after this problem if we don't have that cooperation.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/5504229295967742989