Justice News

Assistant Attorney General for National Security John C. Demers Delivers Remarks at FedScoop’s 5th Annual FireEye Government Forum on Cyber Threat Intelligence
Washington, DC
United States
Thursday, May 31, 2018

Good afternoon, and thank you for inviting me here to share a few words on the importance of collaboration in confronting the national security cyber threat. 

Protecting the nation from national security threats is the mission of the National Security Division.  Although NSD was created in response to the September 11th terrorist attacks, its mission goes well beyond terrorism.  In the past years it has come increasingly to include a focus on cyber as part of the threat posed by certain foreign nations.  And as we do with respect to terrorism, NSD drives collaboration among prosecutors, law enforcement officials, intelligence attorneys and the Intelligence Community to ensure that we approach the national security cyber threat using every tool and resource available to the federal government.

Some of you in this room come from the private sector — companies both large and small.  Companies that consult and provide advice, and companies that manufacture products.  Others come from federal, state and local governments — or from other countries.  Your work may be diverse, but you all appreciate one thing.  You know that there are countries in this world that want what we have.  They want our sensitive information, our technology, our intellectual property.  And they want to destroy any competitive advantage we enjoy.  Around the world there are people who wake up every morning thinking about how they’re going to destroy it.  And they go to bed at night, much too often, thinking about a job well done.   One thing they’re not spending much time thinking about is our laws and international cyber norms. 

You don’t have to be a defense contractor to be worried about this.  Recently, we prosecuted cases involving the thefts of grains of rice and kernels of corn.  No one is immune.  If you’re in business, if you’re in government, if you’re in medicine or academic research, you have something of value to someone else.  And to get it, foreign countries will use all means, including computer intrusions. 

You are not going to stop these countries on your own.  No private company or institution has the resources of a determined nation state.  Nor is any one part of the federal government going to stop these adversaries on its own.  We’ll only succeed in defending the nation’s firepower and the fruits of its brain power if we’re partnered together. 

In recent years, NSD has furthered the government’s efforts to deter and disrupt malicious national security cyber threats by charging hackers acting on behalf of China, Russia, Iran and Islamic State of Iraq and al-Sham (ISIS).  But not every cyber disruption needs to be a prosecution.  In fact, just last week, the Department announced it obtained a court order to disrupt a global botnet known as the “VPNfilter” that had infected hundreds of thousands of home and office routers controlled by the Sofacy Group, a well-known malicious cyber-hacking organization.  The botnet provided the Sofacy Group ability to undertake all manner of malicious cyber activity, from unlawful surveillance to theft of valuable information to disruptive attacks.  The Department could not have begun to neutralize this threat alone.  We worked closely with the private sector, including private security researchers, and other government partners, such as the Department of Homeland Security.  If we continue to work together, we will do much, much more.

Let me provide two other illustrations of the good that can happen when the private sector and the government work together.

Let’s take the case of Yahoo.  Yahoo was the victim of a breach in 2013, only to discover three years later that it had been subject to a second, massive breach in 2014.  When this information came to light, Yahoo notified the government and provided valuable assistance to the FBI, fully cooperating at every stage of the investigation.

As a result of this effective collaboration, Yahoo and the FBI determined that hackers, working both for financial gain and on behalf of Russian intelligence officers, had stolen information from at least 500 million Yahoo accounts, and used that stolen information to obtain access to the contents of accounts hosted by Yahoo, Google and other providers.  Russian journalists, U.S. and Russian government officials, and private-sector employees of financial, transportation and other companies had all been targeted. 

Thanks to the close cooperation of Yahoo, Google and others, DOJ prosecutors and the FBI were able to identify and expose the hackers without further compromising the privacy of the account holders.  Three of the defendants were Russian nationals residing in Russia — two Federal Security Service or “FSB” agents and a known Russian hacker, an FBI “Most Wanted Cyber Criminal,” Alexsey Belan. 

The fourth defendant was a 22-year-old hacker named Karim Baratov, who resided in Canada.  Following the U.S. indictment, Canada captured and arrested Baratov.  He was brought to the U.S. and pleaded guilty to eight criminal counts, including conspiracy to commit computer fraud and abuse and aggravated identity theft.  Earlier this week, he was sentenced to five years in jail.

The second case demonstrates that cooperating with the government, and benefiting from its knowledge and tools, can help a company that has been hacked, see things for what they really are. 

A few years ago, a Midwestern consumer goods company was the victim of what appeared to be a “run of the mill” intrusion.  An intruder had obtained unauthorized access to their customer database and had obtained personally identifiable information for their customers.  The company’s IT personnel worked diligently to eject the hacker from their network, but he kept coming back.  Eventually, the hacker threatened to expose the company’s customer information unless he was paid a ransom.

Around that time, the company connected with the FBI. 

The FBI determined that Ardit Ferizi, a Kosovo citizen studying computer science in Malaysia, was one of the hackers who had gained unauthorized access to the victim company’s PII.  

Although the hacker had a financial motive in demanding a ransom from the company, the customer PII Ferizi stole was not destined for the black market; that data was of interest because, among the tens of thousands of customer names and email accounts he stole, there were more than a thousand email addresses that ended in “.gov” or “.mil.”

Ultimately, Ferizi used that information to produce a list of PII for approximately 1,300 U.S. government civilian employees and U.S. military personnel.

He provided this information to a Syrian-based ISIS member named Junaid Hussain.

A few months earlier, Hussain, acting in the name of the Islamic State Hacking Division, had posted a “kill list” that purported to include the names and addresses of 100 members of the U.S. military.  Ferizi wanted to help him create and disseminate a second kill list.

And in fact, soon after he received the information from Ferizi, Hussain used Twitter to publish the PII of all 1,300 U.S. government and military customers of the company.  In his tweet, he threatened “the Crusaders” who were conducting a “bombing campaign against the Muslims.”

The Department of Justice charged Ferizi with violations of the Computer Fraud and Abuse Act, and with conspiring to provide material support to ISIS.  We were successful in obtaining his extradition from Malaysia to the United States, and he ultimately pleadded guilty. 

In September 2016, Ferizi was sentenced to 20 years in prison.  He was also ordered to pay $50,000 in restitution to the company.

Even though the prosecution of Ferizi was public, the name of the company was never revealed.   

We are often asked why we would bring a case against foreign nationals located outside the U.S.  Well for one, as the Yahoo and Ferizi cases prove, we may well get one or more of them.  The U.S. government has extradition agreements with more than 100 countries, so it is not enough for these defendants to forego a visit to Disney World.  For the rest of their lives they will be unable to travel to more than half the countries in the world without fear of arrest and extradition to the U.S. 

Second, the investigation and charges can assist other parts of the Government in bringing their authorities to bear.  For instance, Treasury’s Office of Foreign Assets Control can designate the charged individuals or entities under an Executive Order that authorizes blocking the property of persons engaging in significant malicious cyber-enabled activities — ensuring that the perpetrators will be financially isolated from the world.  When we brought charges against the founders and employees of the Iranian Mabna Institute that hacked more than 300 American and foreign universities, and government agencies and institutions around the world, Treasury also designated the Institute and ten Iranian individuals. 

Third, charges raise awareness, both generally and specifically, to this threat.  In some cases there may be additional victims that don’t know they’ve been hacked.  To help the private sector identify malicious activity and better protect itself, the FBI and DHS will often release technical details to the public. FBI did that just last week, when it released a Public Service Announcement about VPNFilter, advising you to reboot your router and including signatures of the botnet’s malware, so network defenders can identify its presence in their network.

And finally, we pursue these cases to strip these hackers of anonymity and call them out.  This prevents nation state actors from hiding behind ritualized denials and feigned ignorance.  The recent indictment of Mabna Institute members and the prior indictment of the Chinese People’s Liberation Army are cases in point.

So that’s what’s in it for the country.  What’s in it for you?  What are the benefits of working with law enforcement — before, during and after a computer intrusion or attack? 

  • We can help you understand what happened when your organization has a cyber-incident. 
  • We can share context and information about related incidents or malware.
  • We can ensure proper investigation and preservation of evidence for eventual. prosecution.
  • We can assist you in dealing with regulators.

At the end of the day, the Government simply has many more tools at its disposal to deal with the problem of national security cyber intrusions.  Tools that, working together, we can use to respond to intrusions and deter future ones.  Although we will always consider criminal charges, pursuing prosecution may not be the best response in all cases.  Accordingly, NSD attorneys work with their interagency partners to determine whether our investigative information may be used to support sanctions, trade pressure, technical alerts, diplomatic options or other responses instead of, or in addition to, prosecution.  All of these tools can impose real costs on malicious activity, depriving hackers and their sponsors of the benefit of their crimes and deterring future misbehavior.

Let me close on this note.  Everyone in this audience understands that we are in this together, and we have an obligation to help one another.  The organization that reports a cyber intrusion doesn’t just help itself, it also helps other targeted companies that may not even know they’ve been victims of a hack, and it helps the country.  It helps other organizations by raising their awareness and sparking a check on their part for similar compromises.  It also enables the government to work to disrupt and deter intrusions of those other organizations. And it helps the country by allowing the Government to piece together and respond to the intentions and actions of antagonistic nations to better defend our nation’s economic and military security.

It is the National Security Division’s job to disrupt and deter national security cyber threats.  We will continue to work with other agencies to use all elements of national power to meet this ever-changing and growing challenge.  And to adequately protect our shared national cyber security against persistent attack, we will need your help as well.

I look forward to working with you.

Updated May 31, 2018