FBI digital sting against cybercrime group Hive shows promise and limits of hacking hackers

Hive was once one of the world’s most prolific criminal syndicates, known for shutting down the networks of American schools, businesses and healthcare facilities, then demanding ransoms to restore access. But FBI field agents in Florida managed to unravel the group using little more than a keyboard, first hacking into Hive’s network in July 2022 and then undermining its extortion efforts by helping targeted organizations unlock their systems on their own.

The FBI estimates it saved victims around the world about $130 million through the sting, a feat that demonstrates the effectiveness of the approach, said Adam Hickey, deputy assistant attorney general in the Department of Justice’s homeland security division at the time of the Hive takedown. “You’d have to be a gorilla to think that putting people in jail is the only way to counter the cyber threat,” said Hickey, now a partner at the law firm Mayer Brown.

But the approach also has its limits. POLITICO’s interviews with FBI officials behind the effort and independent cybersecurity experts provide new details about how the FBI pulled off the operation and why it could often only weaken — and not completely extinguish — Hive’s operation.

The effort to infiltrate the gang was long and laborious. And while the FBI’s digital sabotage yielded temporary gains, the criminals, still at large, can now regroup and start over, knowing full well that American law enforcement is after them.

“Unless you’re removing the lead and literally shutting them down, it’s very unlikely that you’ll be able to stop ransomware groups from re-emerging in a meaningful way,” said Kurtis Minder, CEO of the cybersecurity firm GroupSense, which has acted as a ransomware negotiator on behalf of various victims.

The FBI is “doing the best it can with what it has,” Minder said. Still, “it’s pretty simple for these people to spin again.”

Hive first appeared on the FBI’s radar in July 2021. As high-profile ransomware groups were launching a wave of crippling attacks against US pipelines and meat processors, the then-unknown gang Hive shut down the network of an undisclosed organization in Florida.

Because it was Hive’s first known attack in the United States, FBI procedure dictated that the Tampa field office closest to the victim would assume responsibility for all future Hive cases.

Justin Crenshaw, a supervisory special agent in the Tampa office, said he and his team “knew nothing” about the group at the time, but quickly dug in.

Over the next 18 months, Hive launched more than 1,500 attacks worldwide and collected approximately $100 million in cryptocurrency from its victims, according to US law enforcement estimates. The group expanded so quickly, in part, by turning brutality into a powerful growth engine, targeting organizations such as hospitals and health care providers that other cybercriminals had declared off limits.

As Hive launched one attack after another, Tampa agents interviewed every victim who came to the office, a process that slowly yielded valuable information about the gang.

They learned, for example, that Hive wasn’t exactly one group but several, closer to a branded franchise like McDonald’s than to a traditional mob. The group ran what cybercrime experts call a ransomware-as-a-service model, in which Hive’s core members rent encryption software to a vast network of other criminals, or “affiliates,” who specialize in penetrating networks and deploying the ransomware payload.

Twelve months after the first case landed on his Tampa desk, Crenshaw finally had a breakthrough.

He found a way to break into the group’s remote administration panel, a digital nerve center where gang members guard the keys that allow them to encrypt, and then hold for ransom, the data of every hospital, school and small business within their reach.

Crenshaw and Bryan Smith, section chief of the FBI’s cybercriminal operations section, did not specify how they accomplished the feat. Smith would only say that it came about through “really basic investigative activity that doesn’t make great television, but makes great cases.”

However, the coup presented the FBI with a remarkable opportunity: the power to identify Hive’s victims as soon as the group attacked them, and then pass them the same decryption keys they needed to restore their networks.

Over the next six months, FBI Tampa provided keys to more than 300 new victims worldwide.

Crenshaw’s team became so good at providing technical assistance to victims that it eventually gave itself a sly nickname, Crenshaw said: “Hive helpdesk.”

But the FBI’s success in infiltrating Hive never translated into wholesale demolition of the group.

According to data compiled by researcher Allan Liska and shared exclusively with POLITICO, the group maintained a steady pace of attacks even when the FBI was holed up inside.

On a dark web site where Hive posted the names and sensitive information of victims who refused to pay, it listed seven victims in August, eight in September, seven in October, nine in November and 14 in December, figures consistent with the counts from before the infiltration.

And even if victims get a decryption key, it can take several weeks and a lot of cash to restore their networks, said Liska, a ransomware tracker at cybersecurity firm Recorded Future.

“Recovery is expensive, especially if you don’t want to get hit again,” he argued.

One of the reasons Hive appears to have remained so active is that it learned it could put additional pressure on victims by threatening to leak their sensitive files online, a threat the FBI could do little to stop until much later.

Even today, Hive members likely remain active under a new name, GroupSense’s Minder argued.

Last month, the US Department of Justice unveiled an indictment against a Russian national accused of working as an affiliate of Hive. That individual, Mikhail Matveev, not only remains at large, but has also worked for two other ransomware groups, a sign of how easy it is for hackers to float between gangs and re-emerge if one collapses.

It’s a trade-off the bureau believes is worth it, especially given the risk that arrests may never come. Hive is believed to be operating safely from Russia, like many other ransomware gangs today.

Rob Joyce, director of the NSA’s cybersecurity directorate, said the strategy is to undermine trust in the criminal ecosystem.

Operations like the Hive takedown “have a lot of criminals looking left and right, not sure who they can trust or what they can believe,” Joyce said. “This general friction slows them down and inhibits their ability to operate at scale and reach.”

Over time, the approach can also yield surprising victories, as Operation Hive demonstrated not once but twice.

Sometime in early January of this year, the Tampa field office made its second major discovery, one that would change the Hive case for good.

Based on more thorough investigative work, the FBI learned that Hive had rented the primary servers it used to stage its attacks from a data center in Los Angeles. Just two weeks later, it got hold of the hardware. Shortly after, it announced the takedown.

Smith said the FBI moved so quickly because it finally saw an opportunity to stop Hive in its tracks. Until then, he said, the operation was “always running behind schedule.”

Still, Smith and Crenshaw said the case didn’t end at the podium, as Hive members are still out there. And the two servers may even help the FBI unmask the network of affiliates who worked with Hive during those 18 months, meaning the takedown could lead to more arrests in the long run, not fewer.

“For us,” Crenshaw said, “this is just the first round.”
