Jun 7, 2021
DOJ Officials Colonial Pipeline Cyberattack Press Conference Transcript June 7
Justice Department officials held a press conference on June 7, 2021 to provide updates on the Colonial Pipeline cyber attack. They announced that they recovered most of the cryptocurrency ransom paid to hackers, valued in millions of dollars. Read the transcript of the news briefing here.
Transcribe Your Own Content
Try Rev and save time transcribing, captioning, and subtitling.
Speaker 1: (00:11)
All right, guys. Thanks for coming today for Marc Raimondi’s two-minute warning. We’re going to get started in just a minute. The flow of the show will be Deputy Attorney General Lisa Monaco will kick us off, a couple minutes’ remarks, followed by FBI Deputy Director Paul Abbate, followed by the Acting US Attorney for the Northern District of California, Stephanie Hinds, and also onstage will be the Assistant Attorney Generals for National Security and the Criminal Division, John Demers and Nicholas McQuaid. We’ll follow the remarks with a couple Q and A, and then we will wrap it up. All right. Soundchecks. Everything working out? Can everybody hear us? All right. Be back in two minutes. Thank you. (silence).
Lisa Monaco: (02:21)
Good afternoon. Thank you all for being here. Today the Department of Justice is announcing a significant development in the ransomware attack on the Colonial Pipeline. I’m joined today by FBI Deputy Director Paul Abbate and Acting US Attorney for the Northern District of California, Stephanie Hinds, to discuss the work of the department’s Ransomware and Digital Extortion Taskforce in combating the epidemic of ransomware attacks by criminal groups. Also with us are Assistant Attorney General for National Security John Demers and Acting Assistant Attorney General for the Criminal Division, Nick McQuaid.
Lisa Monaco: (03:04)
Ransomware attacks have increased in both scope and sophistication in the last year, targeting our critical infrastructure, businesses of all types, whole cities, and even law enforcement. Ransomware and digital extortion pose a national security and an economic security threat to the United States. The Department of Justice working with our partners is committed to using all the tools at our disposal to disrupt these networks and the abuse of the online infrastructure that allows this threat to persist. The sophisticated use of technology to hold businesses and even whole cities hostage for profit is decidedly a 21st century challenge, but the old adage “Follow the money” still applies. That’s exactly what we do.
Lisa Monaco: (04:06)
After Colonial Pipeline’s quick notification to law enforcement and pursuant to a seizure warrant issued by the United States District Court for the Northern District of California earlier today, the Department of Justice has found and recaptured the majority of the ransom Colonial paid to the DarkSide network in the wake of last month’s ransomware attack. Ransomware attacks are always unacceptable, but when they target critical infrastructure, we will spare no effort in our response. DarkSide is a ransomware as a service network. That means developers who sell or lease ransomware to use in attacks in return for a fee or a share in the proceeds. DarkSide and its affiliates have been digitally stalking US companies for the better part of last year and indiscriminately attacking victims that include key players in our nation’s critical infrastructure. Today, we turned the tables on DarkSide.
Lisa Monaco: (05:23)
By going after the entire ecosystem that fuels ransomware and digital extortion attacks, including criminal proceeds in the form of digital currency, we will continue to use all of our tools and all of our resources to increase the cost and the consequences of ransomware attacks and other cyber-enabled attacks. The seizure announced today was conducted as part of the department’s recently launched Ransomware and Digital Extortion Taskforce, which was established to investigate, disrupt, and prosecute ransomware and digital extortion activity. This is the taskforce’s first operation of this kind. This work is important because every day, the digital threats that we face are more diverse, more sophisticated, and more dangerous. In this heightened threat landscape, we all have a role to play in keeping our nation safe. No organization is immune.
Lisa Monaco: (06:28)
So today, I want to emphasize to leaders of corporations and communities alike the threat of severe ransomware attacks pose a clear and present danger to your organization, to your company, to your customers, to your shareholders, and to your long-term success. So pay attention now. Invest resources now. Failure to do so could be the difference between being secure now or a victim later. But also know that we are all in this together. The US government will continue to do more to increase our nation’s resilience while increasing the costs to our digital adversaries and those that enable or harbor them. We cannot do so without you. The Department of Justice will continue to evolve as the threat evolves.
Lisa Monaco: (07:31)
That is why one of the first acts I took after returning to the department was to launch a strategic cyber review. That is why federal prosecutors now report ransomware incidents in the same way that they report critical threats to our national security, and that is why we will continue to work with our public and private partners, both here and globally, to bring our collective authorities together to confront emerging threats. There is no higher priority for the Department of Justice than using all available tools to protect our nation. That includes from ransomware and other digital threats. Thank you, and now I’ll turn the podium over to Deputy Director Paul Abbate.
Paul Abbate: (08:19)
Thank you, DAG Monaco. Good afternoon, everyone. Today, the FBI successfully sees criminal proceeds from a Bitcoin wallet that DarkSide ransomware actors used to collect a cyber ransom payment from a victim. Since last year, we’ve been pursuing an investigation into DarkSide, a Russia-based cyber crime group. The DarkSide ransomware variant is one of more than 100 ransomware variants that the FBI is currently investigating. DarkSide developers market their ransomware to criminal affiliates who then conduct attacks and share a percentage of the proceeds with the developers, a scheme known as ransomware as a service.
Paul Abbate: (09:02)
In this case, the FBI has identified more than 90 victims across multiple US critical infrastructure sectors. Those include manufacturing, legal, insurance, healthcare, and energy. Based on our investigation into DarkSide and incredible work with other US government partners, we identified a virtual currency wallet that the DarkSide actors used to collect a payment from a victim. Using law enforcement authorities, victim funds were seized from that wallet, preventing DarkSide actors from using them.
Paul Abbate: (09:37)
This is just the latest disruption that the FBI and DOJ have taken to impose risk and consequences on cyber adversaries. Since announcing our new cyber strategy last year, we have dismantled the infrastructure of the Emotet criminal bot net through an unprecedented coalition of US and international law enforcement and private industry partners. Additionally, we have joined other government partners to expose a cyber tool developed by the Russian GRU. We have also used legal authorities to remove malicious backdoors installed on the networks of Microsoft Exchange Server customers across the United States. Just last week, DOJ announced the seizure of two command and control domains used by the perpetrators of a wide spear-phishing campaign. This focus on joint action and collaboration is exemplified by the National Cyber Investigative Joint Taskforce, which brings together intelligence community, law enforcement, and cybersecurity agencies for a whole of government approach against these cyber threats.
Paul Abbate: (10:47)
Our partners in the intelligence community and across government are central to these efforts. Leveraging each of our authorities and capabilities enables us to conduct coordinated operations to respond to and deter malicious activity from groups like DarkSide. There’s a lot of exceptional behind the scenes teamwork that goes into both identifying effective ways to target adversaries and predicating actions that we may take against them. I want to give major thanks to the incredibly hardworking special agents, intelligence analysts, and professional staff of the FBI’s Atlanta and San Francisco field offices and the FBI’s cyber division, along with government-wide partners who assisted in this investigation and seizure. These cases require a significant level of determination and technical expertise. Without a doubt, every individual involved displayed that through the achievements reflected here today.
Paul Abbate: (11:50)
We continue to be committed to using the information intelligence we develop through our investigations to take early meaningful steps to protect the public and be preventative. We will continue to work relentlessly and seek innovative ways to use our unique authorities, world-class capabilities, and enduring partnerships for maximum impact against our adversaries. Today, we deprived a cyber criminal enterprise of the object of their activity, their financial proceeds and funding. For financially motivated cyber criminals, especially those presumably located overseas, cutting off access to revenue is one of the most impactful consequences we can impose. When the FBI combines our law enforcement and intelligence authorities with those of our partners in government and the cooperative relationship with private industry and when we have victims willing to share information to further our collective efforts against cyber adversaries, we can have immediate, permanent effect on ransomware actors.
Paul Abbate: (12:58)
That is why it is so critical for victims to report intrusions to us as soon as possible and then work with us to provide evidence and intelligence for our investigations, leading to recovery, attribution, and ultimately prevention. Victim reporting not only can give us information we need to have immediate real-world impact on the actors, it can also help prevent future intrusions into other victim networks and prevent further harm from occurring. With continued cooperation and support from victims, private industry, and our US and international partners, we will bring to bear the full weight and strength of our combined efforts and resources against those actors who think nothing of threatening public safety and our national security for profit. Thank you, and I’d now like to invite to the podium the Acting US Attorney for the Northern District of California, Stephanie Hinds.
Stephanie Hinds: (14:01)
I want to thank Deputy Attorney General Monaco for inviting me to add my remarks. Last week, Deputy Attorney General Monaco spoke about the onslaught of ransomware attacks being carried out and suggested we all should focus organized resources on meeting this challenge. As the Acting United States Attorney for California’s Northern Judicial District, I am directing my office to continue to marshal the resources necessary not only to apprehend and bring to justice ransomware extortionists, but also to deprive them of the profits that incentivize their crimes.
Stephanie Hinds: (14:46)
Today, we announced the seizure of millions of dollars in Bitcoin paid by an innocent victim in ransom in a bid to regain control of computer systems. The extortionist will never see this money. New financial technologies that attempt to anonymize payments will not provide a curtain from behind which criminals will be permitted to pick the pockets of hardworking Americans. This case demonstrates our resolve to develop methods to prevent evildoers from converting new methods of payment into tools of extortion for undeserved profits.
Stephanie Hinds: (15:35)
The Northern District of California is home to Silicon Valley, an area that year after year fuels remarkable innovation and expansive economic growth in the technology sector. As the nation increases its reliance on technologies developed within and exported from Northern California, so, too, do we increase our reliance on law enforcement to develop, maintain, and employ the expertise necessary to keep our technology safe. Criminal actors employ aggressive, complex tactics to attack our infrastructure and our daily lives and increasingly can do so from anywhere on the planet. Our efforts to disrupt and deter these threats must be creative and advanced. I want to thank our partners at the FBI for their professional deployment of expertise and for their skill in coordinating with the prosecutors in my office and with our colleagues in the criminal division components to allow us to reach this result. I’d like to turn the podium back over to Deputy Attorney General Monaco.
Speaker 1: (16:56)
Thanks, Stephanie. Okay. I think we’re ready for a few questions.
Ms. Monaco, how much of the money did you take out of this Bitcoin account that you found? Did you clean it out, basically, and is this the first time the government has ever done this?
Lisa Monaco: (17:11)
So it’s not the first time that the government has ever seized cryptocurrency in connection with ransomware attacks. This is the first such seizure that the Ransomware and Digital Extortion Taskforce has undertaken. With regard to your first part of your question, Pete, I’ll let the court documents speak for themselves. They lay out the probable cause that was presented to the Northern District, to the judge in the Northern District of California with regard to the tracing of the criminal proceeds to the DarkSide actors.
Speaker 1: (17:46)
Hi. I was wondering, does this mean, based on this example, for other companies when this happens to them, does this imply that they should also pay if it’s through cryptocurrency because of the blockchain technology and the way that the FBI was able to track the money and seize it? I mean, is that a tactic that companies should consider?
Lisa Monaco: (18:08)
The message we are sending today is that if you come forward and work with law enforcement, we may be able to take the type of action that we took today to deprive the criminal actors of what they’re going after here, which is the proceeds of their criminal scheme. We cannot guarantee and we may not be able to do this in every instance. So the point here is this was a very significant undertaking. This was an attack against some of our most critical national infrastructure in the form of the Colonial Pipeline. This represents the swift whole of government response represented in the work of this taskforce and our determination to go after the entire ransomware criminal ecosystem used by these types of criminal networks and their affiliates, which are targeting and going after, including in disruptive ways, our critical infrastructure.
Speaker 1: (19:04)
Alex from ABC.
Thanks. So I guess when you boil down the figures, though, they’re still technically walking away with roughly $2 million in cryptocurrency payments here. So I wonder what you say to that argument, that the deterrent factor really isn’t here in this case, because this group is based out of Russia and because of that isn’t really likely to face criminal consequences for these actions.
Lisa Monaco: (19:25)
Well, I’m not going to get ahead of the investigative efforts and the full consequences associated with this ongoing investigation, but this represents the seizure and deprivation from criminal actors of exactly what they’re going after, which is criminal proceeds of their scheme. It was swiftly done based on and thanks to the quick notification by Colonial Pipeline, their work with the US government, and the message here today is we will bring all of our tools to bear to go after these criminal networks, including the ecosystem and the illicit and the abuse, frankly, of the online infrastructure that they use, including digital currency, to perpetrate these schemes.
Speaker 1: (20:20)
All right. Thank you very much. If you have any additional questions, please send those to me, and we’ll get them answered for you. Have a great day.
Lisa Monaco: (20:20)
Thanks very much.
Speaker 1: (20:22)