SamSam outbreak led to FBI restructuring, top official says

The notorious SamSam ransomware — which extracted over $6 million in payments from more than 200 victim organizations — forced the FBI to adjust its model for handling cyberattack investigations, a senior bureau official said Thursday.

Nearly all 56 of the FBI’s field offices responded to SamSam incidents — an inefficient way of keeping up with the malware, said Tonya Ugoretz, deputy assistant director of the FBI’s Cyber Division.

And so, in an example of how the FBI is trying to adapt to an era of unceasing cyberthreats to U.S. businesses, the bureau changed its investigative structure.

“We developed a model whereby when there is a certain type of malicious strain or certain type of threat actor, we have one office that’s in charge, we have other offices running supporting investigations that are feeding up into that,” Ugoretz said at the Cybersecurity Leadership Forum presented by Forcepoint and produced by CyberScoop and FedScoop.

Additionally, FBI headquarters pieces all of that intelligence together and shares it with other agencies, she said.

The scale of the SamSam threat called for a big response. The ransomware hobbled municipal services in Atlanta and also struck the city government of Newark, New Jersey, as well as the Port of San Diego. Elsewhere the computer networks of hospitals were encrypted and held hostage as recently as 2018. All of that made catching the perpetrators important, and Ugoretz shed light on how that was done.

“Through technical forensics, intelligence gained, [and] information shared by victims, we were able to identify two humans living in Iran who were responsible for those 200 victims that [had] nearly $40 million in damages,” she told an audience of public and private-sector cybersecurity executives in Arlington, Virginia.

Last November, Prosecutors unsealed indictments against the two men, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri.

Determining whether or not they were working on behalf of the Iranian government also was critical, Ugoretz said. Nation-state-backed cyber-activity often ebbs and flows with changes in geopolitics, and the SamSam investigation overlapped with the implementation of a deal agreed by Iran, the U.S. and other world powers regarding Iran’s nuclear program.

The alleged perpetrators were not exfiltrating valuable data from the victim companies and seemed singularly focused on getting money from victims – hints that they weren’t state-sponsored, according to Ugoretz. Investigators ultimately concluded that the two men behind SamSam were working on their own and not at the behest of the Iranian government.

Some in the cybersecurity industry are skeptical of the value of indicting foreign hackers who are unlikely to see the inside of a U.S. courtroom.

But Ugoretz argued that one benefit of doing so is it shows the FBI’s partners the level of certainty the U.S. government has that a group or person is behind a computer intrusion.

“You can’t have accountability if you don’t know who is behind activity,” she said, adding: “Nothing says attribution like an indictment.”