The FBI's Richard Jacobs says that the impact of US sanctions is driving theft “to fund coffers”.
The impact of economic sanctions on rogue countries is helping to drive a dramatic rise in their sponsorship of sophisticated cyber attacks, with the goal of stealing funds to replenish national coffers, according to a senior agent in the US Federal Bureau of Investigation’s cyber security division.
The hackers are getting far better – just recently we broke the news of them exploiting equipment from Palo Alto Networks and Fortinet.
In addition, we informed you of a coordinated ransomware attack in the U.S. that some might have likened to a precursor to a cyber 9/11.
Banks also say they fear that a rise in the severity of hacks resulting in successful thefts of north of $100 million per attack is also driving nation states to dramatically increase their sponsorship of cyber theft, in the hope of increasing returns.
Several key trends have contributed to the dramatic rise in cyber attacks, according to Richard Jacobs, assistant special agent in charge, counterintelligence cyber division at the FBI – theft for immediate financial gain borne of necessity principal among them.
“There are many countries – or a few, anyway – that are very strapped financially as a result of sanctions. And they are literally engaging in massive cyber crime similar to any financially motivated criminal: for money, and that is to fund their coffers. We’re dealing with a lot of very sophisticated actors conducting cyber crime on behalf of government entities for that purpose,” said Jacobs, who was giving a special address at Risk USA on November 6.
Describing the FBI as a partner of the private sector, he described the bureau’s mission as to “identify, pursue and defeat” cyber criminals intent on stealing, disrupting or exerting “malign influence”, with the ultimate goal of disrupting US economic pre-eminence.
Although most attacks still emanated from four countries, the network of threats to US firms tracked by the bureau was broadening, Jacobs added.
“We talk about the big four a lot – Russia, China, North Korea and Iran – but we are seeing a lot of other threats from up-and-coming countries, emerging countries that you don’t read about as much – places in South America, the Middle East and South-east Asia.”
Despite still being regularly cited as a significant operational risk, external theft and fraud generally lags behind banks’ top fears of a cyber attack leading to data theft or a disabling loss of operations.
But the sophistication of attacks was growing dramatically in tandem with the number of threat actors, warned Jacobs. He pointed to the recent example of a business email compromise attack, in which fraudulent payment instructions were made to look as if they were being issued by an executive within a firm.
“We saw one case come in six weeks ago for $95 million – and the company sent the money out,” said Jacobs, to audible intakes of breath among the audience. “We can all laugh at that, but the reality is it usually happens in three or in four stages. If you don’t have training and policies in place, this is happening. We were able to freeze about $70 million, but the company will likely take a loss of about $15 million.”
According to a recent analysis published by the bureau, some $26 billion has been stolen in this manner in the last six years – although that amount was certainly “significantly underreported”, he added: “Most victims never call us.”
But they should, said Jacobs: the FBI and its network of partner law enforcement agencies across the globe can usually act quickly to halt wire transfers and freeze funds – if they are given enough notice. Firms suffering an attack should first of all submit details to the bureau’s Internet Crime Complaint Center, or IC3. That activates a ‘kill chain’, with the bureau co-ordinating with the US Treasury and contacts overseas to try to get the assets frozen.
“The key point there for business continuity execs is, you have about a 48-hour window to report if – to be blunt – you’re to have any possibility of getting your money back. It’s highly unlikely afterwards,” he said.
Another trend the FBI has observed is a rise in the pervasiveness and sophistication of ransomware attacks in the last several years. These had evolved from being something the bureau could “easily defeat” to being all-pervasive – the WannaCry attacks being a prime example.
“How did we get here?” asked Jacobs. “Because many corporate victims are paying the ransom. We’re asked on a regular basis what our position is on paying ransoms: we don’t condone it. At the end of the day, it’s going to be a business decision: if you’re not prepared and can’t operate with those systems, you may not have a choice. The point being, by paying the ransom, you’re funding the very thing we’re trying to prevent, and making it a lot harder, and a lot more common among the criminals. It’s a very lucrative business.”
In 2015 we told you Iran was bringing the cyberwar to Westchester and Fairfield counties. At the time, they attacked a dam in Rye, New York, and New York City banks. Since then, the plague of ransomware has grown – causing the FBI to issue a specific alert on the threat.
The challenge of dealing with cybersecurity is growing.
The FBI has designated certain bitcoin accounts as belonging to individuals in sanctioned countries. For example, Ali Khorashadizadeh and Mohammad Ghorbaniyan, whom the U.S. government states have facilitated the exchange of ransomware payments into Iranian rial. The addresses attributed to these individuals are 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V and 149w62rY42aZBox8fGcmqNsXUzSStKeq8C. Paying ransoms to these accounts could cause your organization to be on the hook for massive fines.
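The practical consequence of the paragraph above is that any organization weighing a ransom payment needs a screening step before funds move. The following is an added example, not code from the article or from the FBI: it screens a candidate Bitcoin address against a deny-list seeded with the two addresses quoted above, and it also validates the address's Base58Check checksum so that a mistyped or tampered address is refused rather than paid. The function names (`screen_address`, `base58check_decode`, `base58check_encode`) and the three-way verdict are assumptions of this example; a production check would load the full, current OFAC SDN list rather than the two entries hard-coded here.

```python
"""Pre-payment screening of a cryptocurrency destination address.

Added example (not part of the original article). Two defender-side checks
run before any payment is released:
  1. exact match against a deny-list of sanctioned addresses, seeded here
     with the two Bitcoin addresses quoted in the article;
  2. Base58Check validation, so a typo or a tampered address is rejected.
"""
import hashlib
from typing import Optional

# Addresses the article attributes to sanctioned individuals. A real
# deployment would load the complete OFAC SDN digital-currency list.
SANCTIONED_ADDRESSES = {
    "1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V",
    "149w62rY42aZBox8fGcmqNsXUzSStKeq8C",
}

_B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """First four bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_decode(address: str) -> Optional[bytes]:
    """Return the payload (version byte + hash) if the checksum is valid, else None."""
    value = 0
    for ch in address:
        idx = _B58_ALPHABET.find(ch)
        if idx < 0:                      # character outside the alphabet
            return None
        value = value * 58 + idx
    # Each leading '1' encodes one leading zero byte.
    pad = len(address) - len(address.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    return payload if _checksum(payload) == checksum else None


def base58check_encode(payload: bytes) -> str:
    """Inverse of base58check_decode; used here to build test vectors."""
    raw = payload + _checksum(payload)
    value = int.from_bytes(raw, "big")
    out = ""
    while value:
        value, rem = divmod(value, 58)
        out = _B58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def screen_address(address: str, denylist=SANCTIONED_ADDRESSES) -> str:
    """Return 'blocked', 'invalid' or 'clear' for a candidate payment address.

    'clear' only means the address is well-formed and not on the deny-list;
    it is not evidence that paying it is lawful or advisable.
    """
    candidate = address.strip()
    if candidate in denylist:
        return "blocked"        # stop; escalate to compliance and legal
    payload = base58check_decode(candidate)
    if payload is None or len(payload) != 21:
        return "invalid"        # corrupted or tampered address; do not pay
    return "clear"


if __name__ == "__main__":
    # Constructed inputs: the two quoted addresses, one tampered copy, and a
    # synthetic well-formed address built from a dummy 20-byte hash.
    samples = [
        "1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V",
        "149w62rY42aZBox8fGcmqNsXUzSStKeq8D",
        base58check_encode(b"\x00" + bytes(range(20))),
    ]
    for s in samples:
        print(f"{s}: {screen_address(s)}")
```

The deny-list match runs before checksum validation on purpose: a listed address should be reported as blocked even if a copy-paste error mangled it, because the operator still needs to know what they were about to pay.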
This is in addition to the risk you take paying money to terrorist organizations. We were the first to ask the FBI in 2016 (as far as we know) – what happens if an individual pays a ransom to ISIS? We have never received an answer – although we have asked numerous individuals at the bureau. Our goal was to alert people before they pay – to let them know if there could be criminal liability in doing so.
It seems there is a grey area here as government officials acknowledge sometimes these ransoms need to be paid. But on the other hand, there is no guarantee money traced back to a person or individual after a terror plot won’t be the cause of arrests or other actions. It is a grey area as we said but we urge caution when deciding to pay.
It is far better to prepare ahead of time and not get caught in a situation where you are forced to pay a criminal or terrorist to keep your organization running.
How do you stay secure or at least drastically reduce the risk? Just follow these three steps. Good luck!
1) Read cybersecurity essentials – a simple list which will help most organizations become far more secure.
2) Go to a phishing simulation vendor now and sign up for one of their offerings. Phishing Box, KnowBe4 and Phish360 are all great. This is needed to train workers by testing them without their knowledge, sending real-looking emails to their inboxes. If they click, they are immediately trained on what not to do.
3) We also recommend you get a free evaluation of your cybersecurity risk from an MSP/MSSP immediately – they can also help you build in the needed compliance to reduce the risk of being fined.