Deputy AG Lisa Monaco is speaking now at the Munich Cybersecurity Conference.
“We're adapting old tools to use in new ways,” she says, “while also designing novel techniques to use in our major cyber investigations.”
Monaco: “The FBI is forming a specialized team dedicated to cryptocurrency, the Virtual Asset Exploitation Unit.”
The team brings together cryptocurrency experts to "provide equipment, blockchain analysis, virtual asset seizure, and training to the rest of the FBI."
DOJ's National Cryptocurrency Enforcement Team now has a dozen prosecutors, Monaco says. And former AUSA Eun Young Choi, a senior counsel to Monaco, will be the team's first director. Choi oversaw the JPMorgan hack case.
Monaco says prosecutors handling "significant cyber investigations" now have to consult with DOJ's international and cybercrime experts "to identify international actions that might be able to help stop a threat."
DOJ is also creating a "cyber operations international liaison" position to help "up the tempo of international operations against top-tier cyber actors," Monaco says. This person will work from Europe "to ensure more connectivity between our law enforcement groups."
DOJ is launching an "International Virtual Currency Initiative" that will facilitate more "joint international law enforcement operations" and "more eyes from multiple law enforcement agencies around the world to track money through the blockchain," Monaco says.
The Biden administration will also use the DOJ's international initiative to encourage other countries to improve their cryptocurrency regulations to crack down on rogue exchanges that facilitate ransomware payments.
From now on, Monaco says, "prosecutors, agents and analysts" will have to constantly assess "whether to use disruptive actions against cyber threats, even if they might otherwise tip the cyber criminals off and jeopardize the potential for charges and arrests."
Drawing a parallel between terrorism and cybercrime cases, Monaco says that a top priority must be making victims whole. Thus, "we will assess whether there are steps we can take to prevent or reduce the risk to victims" even if they jeopardize prosecutions.
This change could be a response to criticism of the FBI for keeping the REvil ransomware decryptor secret in order to keep investigating the group. washingtonpost.com/national-secur… Sharing the decryptor with Kaseya sooner might have mitigated the spread of that co's supply chain attack.
Asked what DOJ learned from its SolarWinds-related breach, Monaco says “We've got to be taking on exactly the same focus that we ask others to do and make it a C-suite–level issue.”
She says DOJ developed a cyber incident response playbook and will be testing and revising it.
On Ukraine tensions, Monaco says she's "absolutely concerned" about spillover in cyberspace to U.S. targets. She notes that it's happened before, with NotPetya.
She adds that "companies of any size and of all sizes would be foolish not to be preparing right now."
White House briefing starting now. Anne Neuberger, deputy national security adviser for cyber, is one of the speakers.
Neuberger: “While there are currently no specific or credible cyber threats to the homeland, the U.S. government has been preparing for potential geopolitical contingencies since before Thanksgiving.”
Essentially confirming recent WaPo story, Neuberger says USG "believes that Russian cyber actors likely have targeted the Ukrainian government, including military and critical infrastructure networks, to collect intelligence & preposition to conduct disruptive cyber activities."
During panel at Munich Cybersecurity Conference, FBI Cyber Division's Tonya Ugoretz says "international standardization" of AML rules for cryptocurrency "would greatly help" stop ransomware. Many countries don't have consistent rules, so even well-meaning exchanges can't help.
Ugoretz: "Sometimes foreign exchanges want to be cooperative...but because they don't have that existing framework that provides consistency in the types of information that they're collecting about their customers, they may not even have the information on hand to provide..."
On ransomware, DHS Under Secretary for Policy Rob Silvers says “we are taking this problem on from all angles, and it's among our very highest cybersecurity priorities.” He notes stopransomware.gov, various alerts and guidance docs, and partnerships with other agencies.
Deputy National Security Adviser for Cyber Anne Neuberger is traveling to Europe today for a week of meetings with U.S. partners on cyber issues, including the defense of Ukraine, senior administration officials told reporters.
Neuberger will start in Brussels w/ meetings w/ EU counterparts & NATO officials on cyber resilience, a sr admin official said, "including deterring, disrupting, and responding to further Russian aggression against Ukraine, neighboring states, and in our respective countries."
After Brussels, Neuberger will travel to Warsaw for meetings with Polish officials and reps from Baltic govts.
She'll also meet with reps from the "Bucharest Nine" group of eastern NATO allies, and she'll meet virtually with French and German officials.
Attacks targeted Ukraine, Lithuania, Latvia, Poland, and Germany, as well as Belarusian journalists and dissidents.
In research presented at @CYBERWARCON, Mandiant said it's attributing these attacks to Belarus based on technical evidence and the fact that the targets are "most consistent with Belarusian interests."
Some Belarusians targeted before disputed 2020 election were later arrested.
Mandiant said it had “sensitively sourced technical evidence” that the operation was based in Minsk, as well as “separate technical evidence” specifically linking the Belarusian military to the campaign.
New: FBI Cyber Division chief Bryan Vorndran told House Oversight in written statement for the record that Biden admin is “troubled” that cyber incident reporting mandate doesn’t set up simultaneous reporting to CISA *and* FBI.
Going beyond what he said at the still-ongoing hearing, Vorndran's statement says the current legislation “fails to recognize the critical expertise and role” of DOJ/FBI.
Both CISA and the FBI “should immediately receive all information mandated to be reported,” Vorndran wrote.
Needless to say, this could throw a wrench into the plan to pass the painstakingly crafted incident reporting mandate that is in the House NDAA and is expected to be folded into the Senate NDAA soon.
I've asked the legislation's sponsors if they'll rework the provisions.
New: The hackers behind a watering-hole campaign against targets in the Middle East may be using software from the Israeli spyware firm Candiru, recently targeted by U.S. export restrictions, according to @ESET: subscriber.politicopro.com/article/2021/1…
In research being presented today at @CYBERWARCON, ESET experts say an IP address linked to Candiru in a recent @citizenlab report has ties to two of the malicious domain names in the watering-hole attacks.
These watering-hole attacks spoofed websites of Yemen’s parliament & interior ministry, Iran’s foreign ministry, Syria’s electricity ministry, @MiddleEastEye, and Hezbollah-linked TV channels.
Fake sites delivered malware that exploited web browser vulnerabilities.