Former FBI Operative Who Helped Catch America’s First Cyber-Spy Shares Advice With CUs

A reposted article from CU Today

BOISE, Idaho – A former FBI operative who helped capture the man considered to be the most damaging spy in U.S. history, and who was featured in a movie, shared his story as well as advice for guarding personal and CU information in cyberspace in remarks to credit unions.

Eric O’Neill, who is now a national security attorney and author, told the Northwest Credit Union Association’s MAXX Conference that every credit union—and each person as an individual—must take some very simple but powerful steps to increase their security.

O’Neill’s exploits, and those of others who helped to finally identify and arrest Robert Hanssen, were featured in the 2007 film Breach, which told the story of efforts to find a spy in the FBI.

O’Neill was a young FBI employee assigned to work undercover as a clerk to Hanssen, a senior agent he was told was suspected of being a sexual deviant. As part of a plan to capture the spy, Hanssen was recalled from a detail post at the State Department to FBI headquarters, ostensibly to head up a new division.

O’Neill played a crucial role in helping to identify Hanssen as a spy working for the Soviet Union/Russia, but by the time Hanssen was arrested in 2001, considerable damage to U.S. intelligence and spy networks had already been done.

O’Neill has written a book on his experience called “Gray Day: My Undercover Mission to Expose America’s First Cyber Spy.”

A Final Drop

Hanssen was arrested after making his final “drop” of information to the Russians in a park near his home.

“It was supposed to be his final drop to the Russians after 22 years of espionage,” O’Neill told the meeting. “He would have retired from FBI with full pension in April of 2001 (he was arrested in February). He was the Soviet Union’s and then Russia’s top spy, sitting right in center of FBI. His job was to catch spies. At one point his job was to catch himself. He gave up some of the most damaging information ever given to a foreign power. Nuclear information. Undercover operations. The names of our spies in the USSR. Between 1984 and 1985, the United States lost every single Russian asset.”

The Secret Tunnel

Among the information Hanssen passed to the Russians was that the U.S. had successfully dug a tunnel beneath the Soviet embassy in Washington. While the U.S. congratulated itself on being able to hear everything being discussed, what it was hearing was all intentionally bad information.

“There is a reason he was able to do what he did for so long,” said O’Neill. “He wasn’t just the most damaging spy in U.S. history, he was our first cyber-spy. He was the first spy to drop data on floppy disks.”

Floppy disks, of course, gave way to thumb drives and then data storage in the cloud and an entirely new world of cyber-espionage, including hacking threats against credit unions and their members.

“The bad guys don’t have to even leave their office from whatever country they come,” said O’Neill. “Cyber criminals are in the act, and instead of recruiting a spy they are recruiting you. They’ve stolen credentials and now are you. The number-one way they do it is through email. It’s old spy methods. You get a person’s trust, you fool them.”

O’Neill said there are “no hackers, only spies,” and they are taking advantage of a modern society’s Achilles’ heel.

What the Pandemic Has Done

“For a year we’ve been hiding in our homes. But if you go back a year-plus, we were all in our offices, collaborating. The next day we were all home. And IT and security lost their minds. There was no control,” O’Neill said. “People working from home and Starbucks on their smartphones. It was chaos, and the bad guys knew it. There were more cyberattacks in 2020 and 2021 than any time in history.”

O’Neill said the FBI’s Internet Crime Complaint Center reported 800,000 cyberattacks in 2020 in the U.S. at a cost of $4 billion. And that represents only the reported data, he reminded the audience.

“Two billion dollars of that was business email compromise. In financial institutions, that’s a serious thing,” said O’Neill. “Think of the data you are protecting. It’s a massive database any spy or criminal would want to steal. The financial sector is one of the prime attack sectors in cybercrime. Half the time they are not even going through sophisticated spearphishing attacks. They are just buying names and passwords on the dark web.”

The Real Threat

The primary threat to credit unions is ransomware, with crooks targeting financial institutions and health care firms that consumers widely depend on.

“It’s not just, ‘Pay the ransom and we’ll give you the encryption key.’ Attackers have gotten wise,” he said. “They start a countdown clock. Every hour you don’t pay, they release big files of your customer data.”

The good news, said O’Neill, is that credit unions are “pretty decent” when it comes to cybersecurity.

The bad news is that most member data is already available.

“It turns out that about 86% of credit unions have been found to have at least some members, employees whose information is on the dark web,” O’Neill said.

‘Terrible’ Passwords

And the problem is only made worse by self-inflicted wounds.

“Passwords are terrible. The problem with the password is you may have the best password in history, but you use it for everything,” O’Neill said. “You use it for work, for your app for buying ice cream. And 50% of those companies have been breached and your user name and password has been stolen. A thousand user names and passwords are about $5. They don’t even have to send the spearphishing email.”

The business is so large, according to O’Neill, that the dark web has become the “third-largest economy on Earth.”

Anyone in the room, he said, could go to the dark web, buy ransomware and get started. “The starting salary is $100,000 and it’s tax free—because you’re a criminal,” O’Neill laughed.

Trust No One

O’Neill pointed to the phrase used by a White House executive order: “zero trust.”

“Every person, every machine that tries to access your data, must be authenticated. You’ve heard of ‘Trust but verify.’ This is ‘Don’t trust and verify everything’.”

O’Neill reminded credit unions to pay attention to access management.

“You have to know what your employees can access, so if one is compromised, they don’t get everything. You have to segment your network,” he advised.

Paying Ransom

Asked by an audience member whether a credit union should pay ransom if it is struck by ransomware, O’Neill responded, “The official FBI position is never. But it depends. Are you able to restore from backup or defeat the ransomware attack? Or are you completely compromised and your members are going to start running and you have to get out from under it? Sometimes you have to pay the ransom.

“And if you haven’t already figured out a plan now, you will have to pay the ransom. No one is going to help you,” he continued. “The FBI isn’t going to be there trying to hunt them. You need to have the plan now if you’re locked, especially if they start extorting you, releasing your private data in the world. Sometimes you have to pay.

“They know if you pay you are probably going to be a repeat customer. Most of the time they will give you the encryption key.”
