DOJ report warns of escalating cybercrime, 'blended' threats
The Department of Justice's cyber review report warned that the lines between conventional cybercriminal activity and national security threats have all but disappeared.
The Department of Justice is stepping up its efforts to prevent foreign nations from attacking U.S. networks and supporting cybercrime groups within their borders.
So said Lisa Monaco, deputy attorney general and one of the heads of the U.S. government's efforts to crack down on both nation-state advanced persistent threat (APT) groups and cybercriminal gangs.
Speaking at the International Conference on Cyber Security (ICCS) 2022 in New York on Monday, Monaco discussed the department's efforts to engage private technology and cybersecurity companies in addressing a myriad of evolving threats. Her appearance coincided with the release of the DOJ's Comprehensive Cyber Review report, which analyzed how the department is combating cybercrime.
"Our focus has been on increasing our capacity to disrupt and to respond to malicious cyber activity. And the report we release today reflects what we have learned over the last year, including the need to prioritize prevention, to ensure we are doing all we can to help victims, and above all else -- to use all the tools at our disposal, working with partners here and around the globe, across the government and across the private sector," Monaco said during her speech at the ICCS.
"This approach has yielded real results. In the last year, those results -- reflected in actions and disruptions -- many of which began with critical reporting from and cooperation with companies who have been victims of cyber attacks."
One example of that disruption, Monaco said, was the recent seizure of approximately $500,000 in cryptocurrency from a North Korean ransomware group known as Maui. According to the DOJ, Maui threat actors attacked a medical center in Kansas last year. The medical center paid the ransom demand and reported the incident to the FBI, which tracked the payment through a series of cryptocurrency laundering services in China.
As a result, Monaco said, authorities were able to recover the medical center's payment as well as funds paid by other victims. The seizure is the latest ransom recovery made by authorities over the last year since the $2.3 million recovered from Colonial Pipeline Co.'s ransom payment.
The DOJ report noted the challenges posed by evolving cybercriminal tactics as well as what the department described as "blended" threats that don't neatly fit into either traditional cybercrime or national security categories.
"Criminal actors and nation states are forming alliances of convenience, alliances of opportunity, and sometimes alliances by design," the report said. "Today, some nation states allow this criminal activity to persist without consequence -- if not expressly condoning activity within its borders -- by acting as a safe harbor for these cybercriminals and turning a blind eye."
The report outlined a number of steps the department has taken, including the creation of the National Cryptocurrency Enforcement Team to better investigate and track illicit payments, and the introduction of the Civil Cyber-Fraud Initiative, which uses the False Claims Act to sue contractors and vendors that receive government funding for failing to meet the department's cybersecurity standards.
But the report also sets the stage for private companies to pick up some of the slack and act as a buffer between the local and federal governments. The cyber review concluded that more can be done to bridge the gap in cybercrime enforcement between the various levels of government that link nation-states.
"One recommendation is to require all prosecutors handling significant cyber investigations with transnational links to consult with attorneys in the Department's Criminal Division (CRM) and National Security Division (NSD) who have experience and training in working with the relevant partners to ensure a multi-front response to an ongoing threat," the report read. "Another recommendation is to continue to assign Department personnel to other Departments that have different authorities and tools."
The DOJ said that more efficient government efforts and increased cooperation with the private sector will be particularly important for combating foreign influence operations that spread misinformation about everything from elections to Olympic athletes.
"Ultimately, one of the most effective ways to counter malign foreign influence operations is to shine a light on the activity and raise awareness of the threat," the report said. "Such efforts are an important prong of a whole-of-society effort involving collaboration among government at all levels, social media providers and others in the private sector, political candidates and organizations, and an active and informed citizenry."
In the end, Monaco said, the DOJ can only do so much without cooperation from companies, whether it's the victims of cyber attacks or the infosec vendors tasked with defending them.
"The bottom line is this: We are all in this together. It is bad for companies and bad for America if we don't work together on these issues," she said. "But we need our partners in the private sector for more than reporting and visibility into cyber attacks. We also need your know-how and your talent to prepare for the threats of tomorrow."