Former FBI employees explained how their colleagues shut down a dangerous syndicate.
The international cybercrime syndicate Hive ceased to exist in January after the FBI seized the group's IT infrastructure.
According to the US Department of Justice (DoJ), FBI agents infiltrated the gang in July 2022 and provided victims with more than 300 decryptor keys, sparing them from paying $130 million in ransom. This means that for the past 6 months the authorities knew about most of Hive's victims, and the syndicate likely saw a sharp drop in ransom proceeds. Yet the cybercriminals had no idea they had insiders.
How did the FBI agents infiltrate Hive?
Exactly how the operation was carried out is classified, but former FBI special agent Darren Mott, who specializes in cybercrime, believes the FBI either had an undercover agent or, more likely, recruited someone already inside Hive. One clear sign of an insider is an insecure decryptor.
Former FBI adviser Chris Pearson said the operation could also have combined the two approaches: for example, the authorities could recruit an insider who would then invite "their" person to join the team.
A different approach could also have been used to take over Hive: FBI hackers infiltrated Hive's systems without any inside help. Once in, the agents monitored the cybercriminals' activity on the network. "In fact, they hack into the environment, sit and watch and accumulate information about the operation - just like cybercriminals do when they attack a company," Pearson said.
Why didn't the Hive syndicate notice it was under surveillance?
The FBI provided more than 300 decryption keys to Hive victims, yet the hackers still did not notice that so many attacks had failed. This may be because Hive operated on a RaaS (Ransomware-as-a-Service) model: the syndicate had so many affiliates that it did not keep track of its victims.
The FBI could also have learned which entry points Hive was using, shared that information with targeted victims, and let them strengthen their defenses during the initial stages of an attack. The cybercriminals might not have suspected anything at all if the victims who chose to cooperate with law enforcement did not publicly disclose that they had been attacked.
It is also possible that Hive simply ignored the ratio of successful intrusions to paid ransoms, Pearson said. Such a ratio could be explained by problems with the software, a lack of data collection, or file decryption that did not work.
Why did the FBI wait 6 months?
Randy Pargman, a former member of the FBI Cyber Task Force, believes that the longer the authorities stay inside, the more likely they are to dismantle the criminals' systems. Had they immediately shut down the Hive server, the attackers would simply have restored another server and continued operating. Instead, law enforcement monitored the server and quietly provided victims with decryption keys.
Law enforcement may have discreetly informed every victim it could reach, but some companies chose to pay the ransom anyway to keep the hackers from releasing their files. The FBI's efforts have left the Hive syndicate inactive, but its members may soon scatter and join other groups, as Conti's members did after that group broke up.