A blessing in disguise: Colonial Pipeline Bitcoin ransomware case accelerates U.S. cybersecurity development

For the past few years, FBI agents have discussed how to reverse the hacking epidemic by remotely accessing compromised computer networks and catching the attackers.

The FBI got its chance after Microsoft's Exchange email servers were hacked earlier this year. An FBI agent filed an application in federal court in Houston on April 9 seeking authorization to remotely access hundreds of victims of the hack in order to search for digital traces of the attackers.

While some civil liberties advocates worry that the right could be abused in the future, the FBI's action at least marks the beginning of a more aggressive, government-level cybersecurity effort. "The FBI has made a proactive decision, and our work model has not changed. We just have more tools to assist," said Elvis Chan, assistant special agent in charge of cyber investigations at the FBI's San Francisco field office, in an interview.

The FBI has also recently conducted joint operations with the National Security Agency to disrupt Russian cyber espionage operations, and most recently successfully recovered Bitcoin payments to hackers following the Colonial Pipeline Co. ransomware attack.

The innovations come eight months after the election, as the U.S. government finds itself exposed to glaring security holes in key sectors of its economy following a series of devastating hacks, including the Colonial Pipeline breach and a ransomware attack on meat processing giant JBS SA. They also reflect a growing recognition that previous efforts to thwart cyberattacks, such as criminal prosecutions and legal sanctions, have done little to slow them down.

Anne Neuberger, deputy national security adviser for cyber and emerging technologies, told Bloomberg that the effort is not limited to the FBI but is a "whole-of-government" priority. For example, Neuberger's former employer, the National Security Agency, recently opened a collaboration center to promote information sharing with the private sector.

The government’s efforts to fast-track cybersecurity operations stem from the 2018 FBI and Justice Department bust of a malicious hacking operation called VPNFilter. The VPNFilter case was one of the first major operations to use legal tools to identify and disrupt Russian malicious networks, according to FBI Special Agent Chad Hunt, who helps run the Atlanta Cybersecurity Team.

As the pandemic spread, working from home led to a steady increase in ransomware attacks. "If there was a silver lining last year, it was that cybercrime was almost non-stop due to the pandemic, and we had to be more proactive and creative in how we deal with it," said Elvis Chan.

In September, FBI Director Christopher Wray announced a new cyber strategy to move away from what he described as the old game of "whack-a-mole." The FBI's new goal, he said, is to "make it harder and more painful for hackers and criminals to do what they're doing."

But some civil liberties experts say such bolder tactics could lead to abuse. Kurt Opsahl, deputy executive director and general counsel of the Electronic Frontier Foundation, said executing warrants to remotely access computer networks raises questions about how network administrators are notified and how such tools could be abused. In the Microsoft Exchange case, FBI agents told the court they planned to send emails to the addresses each victim provided when they last registered a domain name with a network registrar, but would do so within 30 days of access.

Jennifer Stisa Granick, surveillance and cybersecurity counsel at the American Civil Liberties Union, said the bolder tactics raise concerns about the limits of the government’s power to disrupt private property. “The history of new surveillance technologies is that law enforcement starts using them with a compelling case and then ends up using them with a more problematic case, and once patterns and comfort zones are created, the power expands further,” she said.

Following the successful anti-hacking operation in the Microsoft Exchange case, the FBI conducted another campaign in May to recover 63.7 bitcoins of the 75 bitcoins (worth $4.4 million at the time) that Colonial Pipeline paid to hackers on May 8. While federal officials say this is not the first time they have recovered cryptocurrency from criminals, it is one of the first known cases involving ransomware.

After Colonial Pipeline paid the hackers, its ransom was split between two digital cryptocurrency wallets. Over the next 19 days, it was shuffled and diverted more than a dozen times, according to court documents, a tactic often used by ransomware operators to hide their tracks when trying to launder their digital loot.

According to court documents, an FBI agent followed all the cryptocurrency trails until finally landing on a crypto wallet containing 63.7 bitcoins on May 27. During that time, the FBI in San Francisco obtained the encryption password, also known as a private key, to access the funds in that particular wallet. The FBI's Chan declined to explain how the agent got the private key. According to court documents, a federal judge issued the agent a warrant to seize the funds within hours of the FBI's application.

Cybersecurity experts say ransomware has long been viewed as merely malware that hackers might use to make a quick buck but was not considered a national security threat. In addition, victims of ransomware attacks are often slow to report breaches, making it difficult for the FBI and the U.S. government to track them down, according to a former U.S. intelligence official.

Milan Patel, a former FBI cyber agent who is now head of global managed security services at cybersecurity firm BlueVoyant, said bureaucratic bottlenecks are now unlikely to prevent federal agents from coming up with aggressive measures to defend the nation’s cybersecurity as hackers target gas pipelines, food production and water supplies.

“The reality is that the FBI is under tremendous pressure to find ways to thwart these attacks using existing laws and regulations,” he said.
