Source: Federal Bureau of Investigation FBI Crime News (b)
How We’re Fighting Back
The FBI’s ability to both collect and act on intelligence is crucial to our fight against the China threat. On the cyber front, this includes sharing lessons learned with the private sector and outreach to potential victims, using our technical prowess to halt cyber intrusions and safeguard victims, and taking additional “law enforcement actions” to disrupt and deter cyber incidents.
The FBI fights back against China through Bureau-led “joint, sequenced operations” alongside our partners. “As part of those operations, we’re often sharing targeting and other information with partners like U.S. Cyber Command, foreign law enforcement agencies, the CIA, and others, and then acting as one,” he said.
Wray used the FBI’s responses to the aforementioned cyber compromises to illustrate what these collaborative operations can look like in practice.
In the case of the Microsoft Exchange hack, he said, the FBI “leaned on our private sector partnerships, identified the vulnerable machines, and learned the hackers had implanted webshells—malicious code that created a back door and gave them continued remote access to the victims’ networks.”
From there, he said, we co-authored and distributed a joint cybersecurity advisory with our partners at the Cybersecurity and Infrastructure Security Agency to arm “network defenders” with “the technical information they needed to disrupt the threat and eliminate those backdoors.”
And when some victims had trouble removing the dangerous code on their own, the FBI worked with Microsoft to execute “a first-of-its-kind surgical, court-authorized operation, copying and removing the harmful code from hundreds of vulnerable computers ,” he explained. This, in turn, removed the hackers’ access to victims’ networks.
And in the case of Volt Typhoon, the FBI leveraged partnerships to share threat intelligence and to combat the actors responsible for the hack. After the Bureau learned that the malware was targeting U.S. critical infrastructure, we co-authored similar advisories that characterized the threat, called out the perpetuators, and provided victims with guidance for protecting themselves.
Then, we collaborated with private sector partners “to identify the threat vector and conduct a court-authorized operation—in coordination with others—to not only remove Volt Typhoon’s malware from the routers it had infected throughout the U.S., but also to sever their connection to that network of routers and prevent their reinfection.”