In 2019, when Trevor Hilligoss and other members of the FBI’s Cyber Task Force team would dismantle a cybercriminal operation, they would seize the domain, redirect the site, add a new splash-page with the name of the federal operation, take down back-end infrastructure, and do a few sanctions and indictments.
The disruption usually stopped there, Hilligoss said. These days, he and the cybersecurity and former FBI pros who spoke with IT Brew see law enforcement agencies stringing together wins with some extra swagger and alongside international cooperation from units like the UK’s National Crime Agency (NCA).
“What we’re seeing now is kind of a leveling up, where all those same things are done: We still have the splash page, we still have the data being seized, all of that. But then we’re seeing agencies like NCA in the UK that are going in there and kind of trolling the adversary,” Hilligoss, current vice president of SpyCloud Labs at cybercrime-analytics firm SpyCloud, told IT Brew.
Some Ws. The US Department of Justice podium has been getting plenty of use in early 2024, as its leaders announce cyber-defender victories—all with some level of international cooperation:
- The DOJ and NCA, on February 20, 2024, announced its seizure of the LockBit ransomware group’s infrastructure—and a few months later revealed the alleged identity of its admin.
- On April 18, the DOJ announced an international takedown of four “LabHost” domains supporting a spoofing service.
- The FBI’s Operation Endgame, beginning on May 28, “disrupted more than 100 servers to defeat multiple malware variants,” the FBI shared.
- On May 29, the DOJ announced a dismantling of a 911 botnet.
The LockBit disrupters mocked the style of the group’s original site—replacing victim displays with news regarding the operation’s progress. Operation Endgame operators noted successes, TV-style: “This is Season 1 of Operation Endgame. Stay tuned. It sure will be exciting. Maybe not for everyone though,” the site reads.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
In Nov. 2023, the ALPHV/BlackCat ransomware group threatened to file an SEC “failure-to-report” complaint against its own victim—audacious behavior that James Turgal, former FBI pro and now VP of global cyber advisory, risk, and board relations at the cyber advisory firm Optiv, sees federal agencies echoing.
“What I think you’re seeing is law enforcement matching that swagger, [as if to say] ‘You threat actors cannot act this way and have it go unnoticed. We are here,’” Turgal told IT Brew.
The NCA, upon announcement of the LockBit takedown, plastered a giant image of the group’s alleged admin, and revealed affiliates —a psychological, reputation-damaging approach, according to Hilligoss, to impact indicted cybercriminals feeling safe in countries that won’t extradite them.
“We can put their name out there and their face…and we can link that with all of their customers and say, ‘Not only do we know who this guy is, he had horrible OpSec, right? But he also wasn’t taking care of your information,” Hilligoss said.
While agencies have racked up swagger-y wins, Mandiant recently announced a rebound in ransomware activity. LockBit, in fact, led ransomware victim volume for May 2024, according to GuidePoint Security’s latest report, citing that the LockBit takedown “may have encouraged the group to proceed with emptying a backlog of victims,” the contributors wrote.
While the impact of provocative law enforcement tactics are TBD, there’s an effort of “DDD” at play, according to eSentire Director of Threat Intelligence Ryan Westman: degrading, disrupting, and discrediting.
“They’re making an effort to actually discredit these criminals, in order to try and sow doubt in the underground community,” Westman said.