
FBI says bounty payments for hackers are paying off

It’s not clear, though, whether the cash incentives have led to any arrests.

Mandel Ngan/AFP via Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

A State Department bounty program that the FBI’s cyber division joined in 2020 is beginning to pay off, CyberScoop reported.

At the Billington Cybersecurity Summit in Washington, DC earlier this month, FBI Assistant Director for Cyber Bryan Vorndran told attendees, “Recently, the US government has also started to leverage something that was traditionally used in counterterrorism: Rewards for Justice. It’s essentially incentivizing individuals who have intimate knowledge of a criminal conspiracy, whether nation state or not, to report to the US government…That has actually borne fruit at this point.”

When asked for comment by CyberScoop, the FBI declined, and the State Department pointed to a blanket policy, stating that it refuses to comment on whether any given payout occurred.

The Washington Post similarly reported it was unable to gather any details about the program’s alleged success. However, Center for Strategic and International Studies cybersecurity expert and former State official James Lewis told the paper:

“The way to judge it isn't how many people we catch. It's how much we get the message out there…As part of a larger US effort to finally begin to impose consequences, it’s a good thing.”

In May 2022, the State Department began offering up to $10 million for information that could lead to the arrest of any of the leaders of the Conti ransomware group (formerly behind Ryuk), which it said was responsible for more than 1,000 attacks that had collected ransoms totaling over $150 million, according to FBI estimates. It also offered $5 million for information leading to the arrest of any Conti ransomware participants. At the same time it announced the Rewards for Justice bounty, the State Department shared a photo of a key suspect referred to as “Target.”

During the conference, Vorndran and Justice Department Deputy Assistant Attorney General Adam Hickey also addressed a more controversial topic than bug bounties: offensive cyber attacks against assets controlled by allegedly state-backed Chinese and Russian hackers.

According to the Record, Vorndran explained that in the cases of Hafnium, a Microsoft Exchange server exploit, and Cyclops Blink, a router/firewall-targeting malware powering botnets, the FBI notified many victims that they were infected, yet the agency still felt justified in using Rule 41 search-and-seizure warrants to clear the foreign malware from privately owned computers.

“At that point, it’s really important that we remove the attack surface from Hafnium in China, and from Cyclops Blink, from Russia’s GRU, simultaneously,” Vorndran told Billington attendees. “But understand, when we take that action, our work does not touch anything on the victim’s computer server infrastructure besides that malware.”—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.
