Dear Ramey: On Prosecuting Cybercriminals

2/2/2021

Answering burning questions from victims of cyber events

DEAR RAMEY:

I’ve read a lot about the recent events in cybersecurity involving supply chain breaches, ransomware attacks, and theft of sensitive information from both large and small organizations. It seems like the identities of the individuals behind these attacks aren’t known. Is that true? The security teams investigating are using nicknames or aliases like APT28 or Wizard Spider. Are law enforcement agencies actively investigating these groups and will they be brought to justice? – CONCERNED CEO

DEAR CONCERNED CEO:

I can assure you that law enforcement agencies around the world are actively investigating cybercrime.

In the United States, the Secret Service and Federal Bureau of Investigation (FBI) both have large task forces assigned to various types of cybercrime, including nation-state sponsored espionage, corporate intellectual property theft, ransomware, political activism (aka hacktivism), general intrusion, and terrorism. They work closely with local law enforcement as well as equivalent agencies in allied countries. Quite often, the closer they get to identifying suspects, the more closely they work with their foreign counterparts.

While cyber-attacks can be swift, humiliating, and overall, unpleasant, the path to justice is exponentially slower and just as painful for other cybercrime victims. Most of these cybercrime groups are located across seas in countries that either do not have extradition agreements with the U.S. or have governments that protect them from extradition.

In the past, the U.S. government has been able to identify and indict certain cybercrime groups. The FBI has a “Wanted” list on its website and, for many of these groups, has posted bounties for information leading to a successful conviction. On December 5, 2019, the U.S. Department of the Treasury indicted Evil Corp, the Russia-based cybercriminal group behind the development and release of the Dridex malware. In December 2018, the Department of Justice (DOJ) unsealed indictments involving two Chinese hackers who were associated with the Ministry of State and tracked by the cybersecurity community as APT10. For more information on these indictments, see the Treasury’s website and the DOJ’s website.

Those cases are just two examples; the U.S. government has indicted countless others and even brought some to justice, including Marcus Hutchins. He was identified as a malware developer and linked to several cyber-attacks because of the malicious use of his malware on American businesses. The FBI was able to identify him as a citizen living in the United Kingdom. They tracked his actions, built a case, and when Hutchins traveled to the U.S., they apprehended him on American soil. Later, he was successfully tried in the American courts and pled guilty. Due to Hutchins’ actions, which saved the world from the WannaCry virus, the judge sentenced him to time served and one year of supervised release. You can find more information about this story on wired.com.

Unfortunately, given cybercriminals’ close ties to some foreign governments and lack of extradition agreements, apprehension of these individuals is extremely difficult. Usually, law enforcement agencies must wait until the governments can negotiate an agreement on apprehension and extradition. Without an extradition agreement in place, they can monitor the individual for travel outside of the home country to a “U.S.-friendly” country, where they can work with local law enforcement to apprehend the individual for extradition.