Click Here podcast, episode 108, FBI
Illustration by Megan J. Goff

FBI Director Wray talks takedown operations, nation-state hackers, and growing threats in cyberspace

One early Sunday morning in Munich a couple of weeks ago, the Click Here podcast had a rare one-on-one interview with FBI Director Christopher Wray to talk about the growing threat in cyberspace and, more specifically, recent takedown operations against nation-state hackers from both Russia and China.

Wray was in Germany for two high-profile gatherings — the Munich Cyber Security Conference and the Munich Security Conference — which bring together a Who’s Who of world leaders and bold-faced names.

The FBI director used the occasion to sound the alarm about the uptick in nation-state hacking operations. In a brazen move, hackers from a China-backed group called Volt Typhoon had pre-positioned malware in key U.S. networks from water to electricity to aviation in anticipation of some future conflict. And Russian cyber operatives linked to the GRU had used common routers, which homes and small businesses use for WiFi, to launch phishing attacks and espionage operations in 50 countries around the world.

In the interview, Wray said the cadence and tempo of these kinds of operations were unprecedented. The interview has been edited for length and clarity.

CLICK HERE: You used to be a white-collar crime guy and then a terrorism guy. Are events forcing you to be a cyber guy now?

CHRISTOPHER WRAY: I consider myself somebody who's having to deal with a whole range of threats and cyber is one that I find myself talking about and focus on an awful lot these days.

CH: During the Munich Security Conference, you had announced the takedown of a GRU operation targeting routers around the world … how did the operation start?

CW: I'm not sure I could get into exactly what the basis of our investigation was. We have active investigations working with partners into a whole range of cyber units within the different Russian intelligence services, as well as other adversaries' intelligence services.

Operation Dying Ember was targeting a particular botnet targeting essentially small office and home office routers. [Russian intelligence hackers from] the GRU were piggybacking off another botnet and using it to gain access to things that we wouldn't want them to gain access to. So we conducted a court-authorized technical operation that essentially killed off their ability to have that access.

CH: You talked about these routers being a GRU cyber espionage platform — what do you mean by that?

CW: We are concerned anytime we see foreign intelligence services trying to gain access to information. We don't wait to find out what it is they want to do with that information. We're trying to get left of boom, which is an expression I’d use in the terrorism part of my portfolio and background. But here in the cyber context, we're trying to get left of boom in a different sense. We don't want to wait to find out what the GRU wants to use its access for.

Also in that sense, Operation Dying Ember is a little bit of what we did in [Operation] Cyclops Blink in the early months of the war in Ukraine. [We stepped in before the attack was launched] not wanting to wait to find out what the Russians' intentions were.

That's a key part of battling the cyber threat, especially with nation-states. The key is to detect access and prevent access from being used in a way that would harm national security, personal security or some other interest.

CH: When we look at the Russian GRU operation and Volt Typhoon pre-positioning malware in critical infrastructure do you see similarities … and is a change in strategy emerging on how to battle these threats?

CW: I would say there are some things that we are seeing that are more of an increase in the scale and breadth of things that we've been seeing for a little while, and then some things that may be new tactics.

In both Volt Typhoon and Dying Ember — both with the Chinese and with the Russians — we're seeing nation-states trying to preposition, preserve and get persistent access.

Volt Typhoon getting into critical infrastructure is an example. So, while that is not a new thing for intelligence services and adversaries like the Chinese and Russian governments, we're now seeing it on a scale and intensity that we have not previously seen.

CH: You mentioned your terrorism background. Are you tearing a page from the terrorism playbook? If you think back to the time of the battle against the Islamic State, the FBI came to eventually proactively step in, to grab would-be recruits before they boarded planes to Syria … is a version of that what is happening here?

CW: Obviously, there are important differences between terrorism and cyber, not the least of which is the horrific loss of life and bloodshed that is involved in terrorism. And I never want to lose sight of the human cost that's involved there. But there are similarities in terms of how we're trying to approach the threat.

One of them is the focus on prevention and disruption of the adversary.

And that is trying to get to a point where we can interdict the threat before it becomes much more serious. The other similarity is that lessons we learned over the years in terrorism involve the importance of intelligence sharing and partnership. I like to say cyber is the ultimate team sport.

CH: What’s your biggest takeaway from surveilling threat actors like the GRU and Volt Typhoon?

CW: There were a number of lessons; one being the importance of trying to get the word out about the dangers of persistent access, which those of us who were cyber professionals of sorts have all known to be the case. But I think it's a previously underestimated or underappreciated risk in broader society. So there's value in that.

It's not just black-belt-level activity that we have to combat. We have to make sure that we're getting the basics right collectively as a country and as an international community. I think it underscores the importance of even getting the little stuff right. The weaknesses that the Chinese were able to exploit were fairly simple weaknesses to exploit.

It just underscored the strategy that the FBI has been engaged in over the last couple of years of using joint sequenced operations with our partners, not just things like arrests. So those are still very much a part of our strategy, but also these technical operations, court-authorized technical operations, which disrupt, degrade, dismantle, essentially criminal infrastructure on the part of hostile intelligence services. And I think both Volt Typhoon and Dying Ember reinforce in my mind that we're on the right track.

I think we're on a great path with the strategy that we're pursuing, and I think you can expect to see more and more operations by us with our partners like that.

Dina Temple-Raston is the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future News. She previously served on NPR’s Investigations team focusing on breaking news stories and national security, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were You Thinking.”