US Deputy AG: Aiding Victims Takes Precedence Over Arrests

Lisa Monaco Says Justice Department Values Stopping Cybercrime Over Court Victories
Deputy Attorney General Lisa O. Monaco speaking at Chatham House on Feb. 16, 2023 (Image: Chatham House)

SAN FRANCISCO - Preventing and disrupting cybercrime now takes priority over courtroom victories, said the United States' second-highest-ranking prosecutor.

Deputy Attorney General Lisa Monaco said the Department of Justice has in recent years put victims at the center of its cybercrime response. Actions taken under this playbook include recovering ransom payments made by Colonial Pipeline and accessing infrastructure used by the Russian military to delete malware that would have allowed a botnet to be activated, Monaco said.

"You've got to have a bias toward action to disrupt and prevent, to minimize what the adversary is doing, and take that action to prevent the next victim," Monaco said during a keynote address at RSA Conference 2023. "And doing so will not always yield a prosecution."

Nation-state actors have stepped up their game by joining forces with local criminal groups, a development that prompted Monaco and the Justice Department to conduct a comprehensive review of how to maximize the legal tools at their disposal (see: ISMG Editors: Opening Day Overview of RSA Conference 2023).

"We've used very old and familiar tools like a forfeiture warrant to go out and follow that money through the blockchain, seize it back, and give it back to the victim," Monaco said.

Using the Law to Stop Threat Actors in Their Tracks

Monaco said Justice wants to work closely with the private sector and give it as much information as possible about threats. When companies don't take as much remedial action as federal officials would like, Monaco said prosecutors may step in with court proceedings.

In last year's Cyclops Blink operation, Monaco said, Russia's military intelligence took over a zombie group of computers in the United States. In consultation with international partners, she said, the department used a legal process to access the infrastructure, delete malware and close the backdoors to the compromised devices before Russia's military could activate the botnet.

"Partnership has to be more than just passive outreach to entities. We got to be willing to really put our tools on the table to help them see what we're seeing and then work together to take that action," Monaco said.

Monaco said the Justice Department's involvement in the Hive ransomware takedown would have been considered "heresy" under the previous way of fighting cybercrime, since no arrests were made (see: FBI Seizes Hive Ransomware Servers in Multinational Takedown).

Instead, Monaco said, Justice officials used their legal authority to conduct a "21st-century cyber stakeout," gaining access to Hive's network and patiently lying in wait. Federal officials were able to swipe the crypto keys in Hive's possession and give them to the victims. As a result, she said, more than $130 million worth of ransomware payments weren't made.

"Doing more and more of that is what we're all about," Monaco said. "We can't get after this correctly if we're not working together."


About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.



