On April 28, 2016, an IT tech staffer for the Democratic National Committee named Yared Tamene made a sickening discovery: A notorious Russian hacker group known as Fancy Bear had penetrated a DNC server "at the heart of the network," as he would later tell the US Senate's Select Committee on Intelligence. By this point the intruders already had the ability, he said, to delete, alter, or steal data from the network at will. And somehow this breach had come as a terrible surprise—despite an FBI agent's warning to Tamene of potential Russian hacking over a series of phone calls that had begun fully nine months earlier.
The FBI agent's warnings had "never used alarming language," Tamene would tell the Senate committee, and never reached higher than the DNC's IT director, who dismissed them after a cursory search of the network for signs of foul play. That miscommunication would result in the success of the Kremlin-sponsored hack-and-leak operation that would ultimately contribute to the election of Donald Trump.
Four years later, the FBI and the community of incident response security professionals who often work with the bureau's agents say the FBI has significantly changed how it communicates with hacking victims—the better to avoid another DNC-style debacle. In interviews with WIRED, FBI officials never explicitly admitted to a failure in the case of the DNC's botched notification. But they and their private sector counterparts nonetheless described a bureau that has revamped its practices to warn hacking targets faster, and at a higher level of the targeted organization—especially in cases that might involve the upcoming election or the scourge of ransomware costing companies millions of dollars across the globe.
In December of last year, for instance, the FBI announced a new formal policy of immediately notifying state government officials when the bureau identifies a threat to election infrastructure they control. But the improvements go beyond warnings to state officials, says Mike Herrington, the section chief of the FBI's cyber division. "I see a key change in practice and emphasis, getting our special agents in charge keyed up to gain the full cooperation of potential victims," says Herrington, who says he's personally notified dozens of victims of hacking incidents over his career.
Those "special agents in charge" are higher-ranking than the typical field agents who have notified victims in the past, notes Steven Kelly, the FBI's chief of cyber policy. Kelly says that those special agents have also been instructed to aim their warnings further up the victim's org chart. "We want them to be reaching out to the C-suite level, to senior executives," says Kelly. "To make sure they're aware of what's going on and that they're putting the right amount of calories into addressing the issues so that these things don't get ignored or buried."
Unlike practically every other crime the FBI deals with, the bureau is often in the strange position of being the first to tell a person or organization that they're victims of a cyberattack. Often the warnings are based on evidence pulled from ongoing hacking campaigns—sometimes from intelligence agencies or even foreign governments—such as a common command-and-control server across different intrusions. "It is often a very significant event in that person's career or life to have the FBI calling them and saying we believe you may be the victim of a crime," Herrington says.
Over the last decade, though, the FBI's role as messenger has shifted, as organizations become more adept at discovering their own intrusions. For the past several years, roughly half of hacker intrusions were discovered by the victims themselves, according to the M-Trends report on data breach responses published by incident response firm Mandiant. That's a drastic change from 2011, when 94 percent of breaches were first detected by an outside organization, usually law enforcement.
Even so, the growth in the sheer number of hacking incidents means the FBI is notifying far more victims than in the past, says Jake Williams, a former NSA hacker and founder of the security consultancy Rendition Infosec, which often acts as an incident response firm for hacking victims. Williams says that in the last few years, he's seen a doubling or tripling of the number of calls that his firm gets from hacking victims who were first notified by the FBI. The notifications still often provide just the bare minimum of information about the breach—such as the FBI's observation that a computer on the victim's network connected to a known malicious server—and victims are expected to call in their own incident response consultants to kick the hackers out, with little assistance from the FBI itself.
But Williams also says he's found that the bureau now notifies victims sooner after its agents detect a breach; in years past, the FBI would sometimes warn victims only that they had been the victim of an intrusion, often well after the fact. "We're getting more information on the front side," says Williams. "Before it was commonly, 'we can't tell you exactly when and we don't know if it's still going on, but you should know.'"
By some accounts, at least, the scandalous failure of communication that allowed Russian hackers to run wild in the DNC's networks is far less likely to occur today. One DNC official told WIRED that the organization has had regular meetings with FBI agents since 2016; if another incident occurs, the two organizations would already have relationships between senior officials on both sides. "Basically we've solved this problem and have really good, clear channels of communication," the DNC official wrote in an email.
Dmitri Alperovitch, the former CTO of Crowdstrike, which handled the incident response for the DNC's 2016 breach and many other incidents of state-sponsored hacking, agrees that the FBI's practices have changed—specifically that it's taking more care to reach senior executives or officials who will take its warnings seriously. Alperovitch points out that the FBI actually warned the DNC within days of the Russian hackers' first breaching its network. The problem, he says, was that the agents working the case had settled for a warning to a low-level staffer. "They should have reached out to higher ups," Alperovitch wrote in a message to WIRED. "I do see them going higher up the chain these days, so yeah, I think it’s better."
Held for Ransom
Elections aside, the epidemic of ransomware hitting US companies has also forced the FBI to improve and accelerate its warnings to hacking victims. For some of those cases, says special agent Tyson Fowler, the FBI has developed a so-called "emergency lead notification" process that bypasses the bureau's usual internal consultations and immediately notifies a cybersecurity-focused agent in a field office who can warn a victim, hopefully before the hackers deliver their ransomware payload. "We're leaning forward in terms of notifying victims as soon as possible and skipping all those steps," says Fowler.
In one case in February, for instance, Fowler says he learned of a ransomware-focused intrusion into a Georgia-based multinational company's network and, by the end of the day, had reached the CEO of the company to warn about the impending attack. The company took part of its network offline, disrupting the hackers' access to their malware, Fowler says. "You have what could have been an extinction level event for the company, and we were able to avoid the financial impact and the privacy impact just by the quick response," says Kevvie Fowler, an incident responder with Deloitte whom the company brought in to help remediate the breach.
None of that renewed urgency in victim notification guarantees that hackers won't outrun defenders anyway. They may, in fact, be learning to operate faster inside of victim networks as the pace of response quickens. But at least in cases where the FBI gets wind of an ongoing intrusion, the period of free rein they enjoy before being hunted by network responders may no longer last for months, as in the DNC hack, but for days or hours.