Federal Bureau of Investigation

Federal Bureau of Investigation. SSA John Caruthers, Cyber Criminal Section; SSA Kenneth Schmutz, Cyber National Security Section. April 11, 2012. UNCLASSIFIED

Transcript of Federal Bureau of Investigation

Page 1: Federal Bureau of Investigation

Federal Bureau of Investigation

SSA John Caruthers Cyber Criminal Section

SSA Kenneth Schmutz Cyber National Security Section

April 11, 2012 UNCLASSIFIED

Page 2: Federal Bureau of Investigation

FBI Mission

Cyber Threats

FBI Response

UNCLASSIFIED

Page 3: Federal Bureau of Investigation

1. Protect the United States from Terrorist Attack

2. Protect the United States against foreign intelligence operations and espionage

3. Protect the United States against cyber-based attacks and high technology crimes

UNCLASSIFIED

Page 4: Federal Bureau of Investigation

• Reporting indicates shift to ICS

• Growing presence of terrorist organizations on the Internet

• “Cyber Jihad”

• Internet being used not just to recruit or radicalize, but to incite

• Growing use of social networking sites to collaborate and promote violence

UNCLASSIFIED

Page 5: Federal Bureau of Investigation

• Espionage

• Today our adversaries can attain access to any network

• Global access

• Who are they?

• Nation-State Actors

• Mercenaries for Hire

• Rogue Hackers

• Trans-national Criminal Syndicates

UNCLASSIFIED

Page 6: Federal Bureau of Investigation

• What are they after?

• Technology

• Intelligence (Policy maker decisions)

• Intellectual Property

• Military Weapons

• Military Strategy

• They have everything to gain

• We have a great deal to lose

UNCLASSIFIED

Page 7: Federal Bureau of Investigation

Insider with access

• Directed by foreign power

• Paid money to do a task

Disgruntled employee

• Terminated

• Policy change

• Disagreement with management

UNCLASSIFIED

Page 8: Federal Bureau of Investigation

UNCLASSIFIED

Criminal | National Security

Goal

• prosecution

• intelligence gathering

• sharing of intel with trusted USIC partners

• protection of critical infrastructure

Evidence

• “discoverable” by the DEFENDANT

• typically CLASSIFIED at SECRET level or above

• NOT released to public

Publicity

• court documents will eventually be UNSEALED

• FBI will NOT proactively divulge information to the media

• cases DO NOT go to court

• ID of asset owner will NEVER be released by FBI

Page 9: Federal Bureau of Investigation

UNCLASSIFIED

Why?

• to protect the United States

What?

• pertinent information related to intrusion vectors, vulnerabilities, SOURCE-provided intelligence, etc.

• FBI DOES NOT share Top Secret information when:

1. The information is “single-sourced” and would compromise an asset

2. Release of the information would jeopardize the National Security of the United States

How?

• intelligence reports, bulletins, notes

• face-to-face in CLASSIFIED briefings

With Whom?

• member of your company with a CLEARANCE

• USIC

Page 10: Federal Bureau of Investigation

Criminal Threats to Internet Users

• Cyber Extortion

• Individuals threaten to use “Social Networking” power

• Extortion-based DDoS attacks

• Scareware/Fraudulent Antivirus Software

• Phishing

• Botnets

• Enable other criminal activity, Spam, distribution of additional Malware (Keyloggers, DNSChanger etc.)

Page 11: Federal Bureau of Investigation

One type of Cyber Extortion

a. These things, unless you honor the below claim, WILL HAPPEN on March 8, 2010.

b. As you have denied my claim I can only respond in this way. You no longer have a choice in the matter, unless of course you want me to continue with this outlined plan. I have nothing to lose, you have everything to lose.

c. My demand is now for $198,303.88. This amount is NOT negotiable, you had your chance to make me an offer, now I call the shots.

d. I have 6 MILLION e-mails going out to couples with children age 25-40, this e-mail campaign is ordered and paid for. 2 million go out on the 8th and every two days 2 million more for three weeks rotating the list. Of course it is spam, I hired a spam service, I could care less, The damge [sic] will be done.

e. I am a huge social networker, and I am highly experienced. 200,000 people will be directly contacted by me through social networks, slamming your integrity and directing them to this website within days.

f. I think you get the idea, I am going to drag your company name and reputation, through the muddiest waters imaginable. This will cost you millions in lost revenues, trust and credibility not to mention the advertising you will be buying to counter mine. Sad thing is it’s almost free for me!

g. The process is in motion and will be released on March 8th, 2010. If you delay and the site goes live, The price will then be $3,000,000.00.

Page 12: Federal Bureau of Investigation

DDoS Extortions

• Recent trend targeting online product retailers

• Company receives an extortion threat via email, online chat or their 1-800 telephone number

• Demand to “pay $ within five minutes or your website will be shut down…”

• Many go unreported

• Victims appear to be targets of opportunity

Page 13: Federal Bureau of Investigation

Attempt to cause disruption to networks and service and loss of data

• “Felony Annoyance”

Actions are non-violent and not aimed at individuals, but rather a company or government entity

Recent reporting indicates the targeting of ICS by Anonymous

Retaliation

UNCLASSIFIED

Page 14: Federal Bureau of Investigation

Scareware – also a form of Cyber Extortion

Page 15: Federal Bureau of Investigation

Criminal Threats to Internet Users

• Cyber Extortion

• Individuals threaten to use “Social Networking” power

• Extortion-based DDoS attacks

• Scareware/Fraudulent Antivirus Software

• Phishing

• Botnets

• Enable other criminal activity, Spam, distribution of additional Malware (Keyloggers, DNSChanger etc.)

Page 16: Federal Bureau of Investigation

Example of Phishing Emails Sent to Customers of U.S.-based Bank

Page 17: Federal Bureau of Investigation

Criminal Threats to Internet Users

• Cyber Extortion

• Recent trend in Health Care Services Industry

• Threatening to use “Social Networking” power

• Scareware/Fraudulent Antivirus Software

• Phishing

• Botnets

• Enable other criminal activity, Spam, distribution of additional Malware (Keyloggers, DNSChanger etc.)

Page 18: Federal Bureau of Investigation

Criminal Threats to Internet Users

• ACH Transaction Fraud

• Anyone with authority to pay, transfer funds, manage, control, or effect banking activity can be a victim

• New attack vectors such as Malvertising

• JabberZeus variant to compromise Two-Factor Authentication

• Confederation of Cyber Criminal Organizations

• The ‘Web within the Web’

• Exchange of Tools for Criminal Activity

• Distributed expertise among group members

Page 19: Federal Bureau of Investigation

Threats to Corporate Entities

• Companies with financial databases are the targets of criminal hacker groups

• Why? That’s where the money is!

• and…better work hours, large potential for return vs. risk, less chance of getting caught and/or shot than, say, being a drug dealer

• Criminals’ perception that they can hide behind complex international laws

Page 20: Federal Bureau of Investigation

Financial Services Intrusion

Scope of the Scheme

• 15,730 attempted transactions worth $10.2M

• 14,544 successful transactions worth $9.7M

• $9.4M (97%) was withdrawn on Nov 8 2008

• 2,136 ATM terminals were accessed in over 28 countries

Page 21: Federal Bureau of Investigation

FBI Resources

The FBI Cyber Division

• 56 Field Offices with Cyber Squads

• 75 FBI Legal Attaché Offices around the world

• Cyber Trained Agents embedded with foreign police forces

• Cyber Action Team

• Threat Focus Cells

• These groups consist of agents, officers, and analysts from different agencies

• i.e. ICS/SCADA TFC – FBI, DHS, and OGA partnering together

UNCLASSIFIED

Page 22: Federal Bureau of Investigation

FBI Resources cont.

• Training provided to domestic and international law enforcement community

• National Cyber Investigative Joint Task Force

• Establishing cooperative working relationships with regulatory groups and agencies

• We can provide briefings to your employees regarding economic espionage, counterintelligence, APT, etc.

• InfraGard

UNCLASSIFIED

Page 23: Federal Bureau of Investigation

UNCLASSIFIED