Exclusive: Deputy AG Monaco on ‘Operation Cookie Monster’ and why it represents a change
The Department of Justice says last month’s effort to bring down the Genesis Market represents a departure from its traditional cyber enforcement actions. “Operation Cookie Monster” wasn’t about nabbing masterminds; it was about making it harder for JV hackers to level up in the world of online fraud.
Click Here met with Deputy Attorney General Lisa Monaco last month on the fringes of the RSA conference to talk about the roster of recent cybercriminal takedowns and how their success has required a shift in mindset — one that borrows, among other things, from Monaco’s past work as homeland security and counterterrorism adviser to President Obama. The interview has been edited for length and clarity.
Click Here: Let’s start with Genesis and “Operation Cookie Monster.” Was there a broader strategy at play with this operation?
Lisa Monaco: We are really focused on doing disruptions and not always just looking for the prosecution. The Genesis disruption is a really good example of that. We changed our orientation to say we need to focus on taking action that can prevent the next victim. And to do that, we've paired our prosecutors with cyber agents. Those prosecutors normally are trying to build that case painstakingly, to bring that prosecution — now we're saying [to them], Well, that's great. But that isn't always the tool we're gonna use. We're going to use whatever tool we can to disrupt and prevent. What you saw here is us going after the enablers, the facilitators, the engine that allows so many people to enter into the online criminal marketplace in what became, before it was disrupted, basically a criminal bazaar.
CH: We used to think that multifactor authentication was the gold standard for security. It's still important. I'm not saying it's not important, but it seems to me that the Genesis Market is an example that we've seen in which MFA isn't necessarily the gold standard.
LM: Well, the interesting thing about the Genesis marketplace disruption was you had a marketplace where you had millions of credentials that were on offer for sale in a very user-friendly way. If you're a fraudster going to look for easy access to somebody's network to commit fraud or conduct a ransomware attack, you could go into their very user-friendly search engine. By the way, [this was] on the clear web, right? This isn’t the darknet.
CH: I wanted to ask you about that. Wasn't that a risky move on their part? Shouldn't they have stayed underground?
LM: Well, we’re pretty happy they didn't. It made our job a little bit easier. But it was a friendly search engine. You could say, I'm Dina and I'm looking for financial accounts, and I'm gonna go search in this location. You could call that up, put it in your cart, and pay the bottom line. So you have access-as-a-service. You’ve got ransomware-as-a-service. And so we're seeing that evolution of the facilitators and the entry points. Genesis lowered the barrier to entry for the kind of fraudster looking for easy access.
Click Here host Dina Temple-Raston, left, and Deputy Attorney General Lisa Monaco. Image: Will Jarvis / The Record
CH: It's a JV thing, right? I mean, all of a sudden JV hackers who aren't good at getting into networks can purchase that access.
LM: And they don't have to spend time or effort or expertise developing that access themselves. Somebody else has done that legwork. And then, importantly, what Genesis also did was they had those fingerprints, right? That ability to allow the fraudster to impersonate the victim. That makes it a lot easier for fraudsters or ransomware actors to conduct their activities at scale. But, again, it's about going after the whole ecosystem. So that's the cryptocurrency exchanges who are laundering the money. You saw us take disruptive action against ChipMixer. It's marketplaces like Hydra, which operate on the darknet; like Genesis Market; like BreachForums. All of this contributes to fueling the online criminal space, and the ransomware activity that we've seen can have devastating effects.
CH: Have administrators been arrested? My sense was that it was lower-level people — still criminals, but more like the customers in the market, as opposed to admins.
LM: A lot of customers. A lot of users. And a lot of knowledge that we've gained in what is an ongoing operation.
CH: Right. The wording of the FBI message that they left on the Genesis marketplace was, you know, We'd like to talk to you. Have people responded?
LM: Well, part of the point is to let folks know they should be looking over their shoulder. And to your point earlier, you can't assume that your credentials are out there safe. And the criminals who are using them shouldn't assume that they're safe.
CH: Does this feel like what you tried to do during the terrorism era as well? Because it feels very familiar to me.
LM: So it should feel familiar because it's very much taking that playbook and saying, focus on prevention. And importantly, let's use any and every tool we can. Sometimes it will be extraditing and putting handcuffs on someone and seeing them prosecuted in a U.S. courtroom. But sometimes it's going to be financial sanctions. Sometimes it's going to be an intel operation that you'll never hear or see. Sometimes it’s swiping those decryptor keys and then giving them out to the victims, which is what we did in the Hive operation a few months ago.
[We made] no arrests there, but what you saw was $130 million worth of prevented ransomware payments because we were able to swipe those decryptor keys and give them out to the victims before their systems got locked up. So what we're trying to do now is use whatever tool we can to take disruptive action and, importantly, put victims at the center of this whole approach.
Image: Sean Powers / The Record
CH: And is that because the DOJ and FBI are smarter about this than they were a year ago? This just feels a little bit different than what was going on a year ago.
LM: Well, I hope we're smarter because we have to evolve. In a previous role, I was President Obama's homeland security and counterterrorism adviser. At that time, nation-states — China, Russia, Iran, North Korea — were doing all sorts of aggressive activity on the cyberthreat landscape. Now they're teaming up [and] blending with criminal groups who often are finding safe haven in rogue nation-states. I'm talking here about Russia. So I said to my team, we need to change our orientation. We need to get on our front foot and take those steps that can help prevent the next victim, put those victims at the center of our strategy, tell the private sector we need them to come forward and work with us so that they can prevent the next victim.
CH: How do you do that?
LM: Well, you saw us really send that message when we used a very dusty old legal authority called a forfeiture warrant. We used that tool to follow the money through the blockchain and seize back the ransomware payment that Colonial Pipeline made and return it to the victim. So we're using old tools in new ways.
You talk about your roots being in terrorism, and mine are in working to counter terrorist threats. And there's a lot we can [bring] over from that. But the difference is, the lion's share of the information that we need to get after this threat — as a national security community, as a law enforcement community — is not information that we as a government possess. It is in the 85% of the privately owned networks around this country that operate the most critical networks that we have.
CH: So the pandemic happened, and I remember talking to you, I think the last time just the two of us talked, and I was saying this pandemic just completely surprised me. And you said to me, "What are you talking about? I've been saying this for years."
LM: I wrote an article — this was [in] the fall of 2018 — that was entitled “The Next Pandemic Will Be Arriving Shortly.” I didn't write the headline, but it's a good headline.
CH: Do you think we're in the same sort of position of cybersecurity, that everybody's waving their hands saying, Hey, you really need to worry about this. And people haven't quite brought on board how it's already arrived?
LM: I think that was true. I think people are starting to take notice when you have something like Colonial Pipeline or when you have this drumbeat of attacks on hospitals. I think the ransomware piece has really gotten people's attention because they feel like it could actually impact their own lives if they or their family members or their loved ones are in the hospital and those systems get locked up. But we're not where we need to be by any stretch of the imagination.
[NOTE: Less than a week after our interview, the Royal ransomware gang — believed to be an offshoot of the Conti group — locked up government computer systems in Dallas. As of this writing, the city’s courts, firefighters and police officers are still reeling from the attack.]
We're getting better. You see ransomware payments going down in the last year. And we're getting more cooperation from victims who are coming forward. It was only because Colonial did what was frankly a very brave thing for them to do — to come forward and work with us very quickly.
CH: In trying to tackle this problem, have you taken lessons away from what we've seen in Ukraine?
LM: Absolutely. One of the things that we did as a national security community 14 months ago in the lead-up to Putin's unprovoked and brutal invasion of Ukraine was we changed our orientation there. We said, we're going to declassify a lot of intelligence to show the international community what's happening [and] bring the international community together to put in place sweeping sanctions — and enforce them.
We’ve got to do the same thing when it comes to pooling our information resources against the cyber threat. Go back to the Genesis marketplace disruption: You saw across 20 different law enforcement agencies internationally — in dozens of countries — more than 130 arrests take place. Searches, arrests, seizures of domains, disrupting that infrastructure. [It’s a] synchronized dance amongst law enforcement, intelligence and national security partners. So we are not going to be able to get after this problem if we don't have that cooperation.