Podcast

Inside the FBI’s Push to Disrupt Hackers Before They Strike with Brett Leatherman

Season 3 Episode 25

Show Notes

In this episode of Cyber Focus, Frank Cilluffo sits down with Brett Leatherman, Assistant Director for Cyber at the FBI, for a wide-ranging conversation about how the Bureau is using law enforcement authorities, intelligence, partnerships, and court-authorized technical operations to disrupt adversaries, help victims, and defend U.S. critical infrastructure.

Leatherman explains why the FBI expects to conduct more operations like Operation Masquerade, which evicted Russian GRU actors from compromised routers, and why privately owned routers, edge devices, and small networks can become valuable infrastructure for foreign intelligence services and criminal groups. He also discusses the rise of agentic AI in ransomware, China-linked threats to operational technology and critical infrastructure, Operation Winter SHIELD, supply-chain risk, and why early victim reporting can help the FBI move upstream against cyber adversaries.

Main Topics Covered

  • FBI cyber threat response and disruption operations
  • Operation Masquerade and court-authorized cyber actions
  • Ransomware, agentic AI, and emerging threats
  • China-linked threats to critical infrastructure
  • Public-private partnerships and victim reporting
  • Operation Winter SHIELD and cyber defense best practices

Key Quotes

“Deterrence for us is not just about arrests, indictments, convictions, although that still matters a lot to what we do. It’s also about removing capacity and capability from the actors where they’re not touchable. Their infrastructure is touchable, their money is touchable, their tools are touchable.” — Brett Leatherman

“The idea of security through obscurity is dangerous.” — Brett Leatherman

“The FBI will never ask you to maintain breach while we are conducting evidence collection.” — Brett Leatherman

“Ransomware actors are starting to leverage agentic AI, along with the nation states, to really move across the cyber kill chain at speeds we haven’t seen before, and at speeds defenders might not be ready for.” — Brett Leatherman

“We can’t defend against machine speed at human speed.” — Brett Leatherman

Relevant Links and Resources

Guest Bio

Brett Leatherman is the Assistant Director for Cyber at the FBI, where he oversees the Bureau’s cyber efforts, including incident response, threat response, and cyber disruption operations. A 23-year FBI agent, Leatherman has worked or managed programs across counterterrorism, counterintelligence, cyber, and criminal investigations. He previously served in senior roles in the FBI’s Cyber Division and in Dallas, and has also served as an FBI pilot and negotiator.


Transcript

Brett Leatherman [00:00:01]: Ransomware actors are starting to leverage agentic AI along with the nation states to really move across the cyber kill chain at speeds we haven’t seen before. And at speeds defenders might not be ready for.
Frank Cilluffo [00:00:16]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week you’re in for a real treat. I sit down with Brett Leatherman. Brett is the Assistant Director for Cyber at FBI. Oversees the cyber efforts of the Bureau in terms of incident response, in terms of threat response and the like. He previously served in senior roles in the Cyber division in Dallas, but also was a pilot and a negotiator, which shows you, you gotta have all sorts of skills. And he’s bringing them all together to lead FBI’s cyber effort. Brett, thank you so much for joining us today.
Brett Leatherman [00:00:57]: Frank, thanks for having me.
Frank Cilluffo [00:00:58]: So I thought we’d start with looking at FBI’s mission. So a lot of our viewers are familiar with the national security community, not always as well versed on law enforcement. And given Presidential Policy Directive 41, FBI is the lead for cyber response. And I thought maybe we could paint a little picture on how you’re organized and what, what keeps you excited every day.
Brett Leatherman [00:01:25]: Yeah, well, every day is exciting in the cyber discipline lately. I’m a 23 year agent with the FBI. I’ve worked or managed work in all our programs, counterterrorism, counterintelligence, cyber, criminal investigations. Yeah, and it’s surprising today what the cyber threat operational picture looks like compared to historically some of those other threats. Presidential Policy Directive 41 does designate the FBI as the lead threat response agency for cyber incidents. So our teams are responsible for threat pursuit, so identification, attribution, and pursuing the threat actors in support of deterrence activity.
Brett Leatherman [00:02:03]: Equally important to that though, is our mission to prioritize engagement with victims. And so victim engagement is incredibly important. What we learn through our law enforcement, in our intelligence community authorities, we have to share quickly with victim organizations. So when you ask me what the priorities or the FBI’s mission is in the cyberspace, is to impose cost on malicious actors and to provide that substantial assistance to victims of cybercrime. That’s what keeps us going every day.
Frank Cilluffo [00:02:29]: Awesome. And we’re hearing, and I’ve been a broken record and others as well, that we do need to shift the calculus and impose cost, induce changes in behavior. What does that look like in the real world?
Brett Leatherman [00:02:43]: Yeah. So again, as a two decade agent of the FBI, our bread and butter is putting bad guys in jail. It is to identify, attribute, arrest, impose cost on actors by bringing them to justice, letting a court in a jury convict them, adjudicate a case, and put them in jail. That’s not always sustainable in the cyber discipline because so much of the activity comes from overseas in areas that don’t recognize US legal process. So cost imposition for us, deterrence for us is not just about arrests, indictments, convictions, although that still matters a lot to what we do. It’s also about removing capacity and capability from the actors where they’re not touchable. Their infrastructure is touchable, their money is touchable, their tools are touchable. So where we have the authorities and the capabilities to go after that, we need to do that because it brings real relief to victims. And we leverage both our law enforcement and our national security authorities to do that.
Frank Cilluffo [00:03:42]: And in so doing, interagency cooperation is essential. And so is working with our allies. Correct? I mean, ultimately there are a handful of countries that provide sanctuary for a large percentage of the criminals we’re dealing with here. Just help us unpack that a little bit.
Brett Leatherman [00:04:00]: Yeah. Partnerships are incredibly important. We know that cyber is border agnostic and so it can transit three countries in a matter of seconds. And we have to have relationships with those countries in ways that allow us to be agile and quick against the threat. So my teams in cyber, we’ve invested in our Cyber Assistant legal attache program, where we have 22 cyber ALATs sitting in embassies across the globe in locations where adversaries leverage infrastructure or where the partnerships are incredibly important so we can share very quickly with those partners in order to conduct operations to counter the threat. Also, industry partnerships are increasingly indispensable. Industry has unique visibility into the threat environment, the telemetry across their networks, what threat actors are doing. A lot of that, if it’s tipped to our teams can steer how we pursue threat actors, how we collect against them, and how we disrupt them.
Brett Leatherman [00:04:56]: And then of course, our US Intelligence community and law enforcement partners here, partnerships here domestically are, have never been stronger. And those partnerships are incredibly important to how we do that work.
Frank Cilluffo [00:05:06]: Awesome. And I do want to touch on the public private partnership in a little bit. But before jumping into that, I was pleasantly surprised and happy to see the news around Operation Masquerade. And before I, I don’t want to lead the witness here. You want to paint a picture on what it was and what GRU’s intentions were and why it matters?
Brett Leatherman [00:05:28]: Yeah, so Operation Masquerade was a court authorized operation that the FBI conducted to remove that capacity and capability of the Russian GRU, their military intelligence service, who had co-opted routers globally, including here in the United States, to then pivot and conduct attacks against other entities to include critical infrastructure. And what they did in this case was they were able to get into end of life routers, change DNS settings that propagated to other devices in an office or in a household, basically routing all Internet traffic from that office or that household to GRU controlled infrastructure. So not only could those actors collect on the Internet traffic routing through that US house or that US office space, they could also leverage that IP space which is trusted here in the homeland, to pivot their attacks into, you know, critical infrastructure, government agencies, law enforcement agencies, hospitals, other organizations, incredibly impactful to us.
So once we identified this, our Boston field office was able to develop a capability that was able to, through a court authorized search and seizure warrant, allow us to execute against those victim routers, evict the GRU actors from those routers and then secure those routers from reinfection. Those operations are important because they not only do they remove the actors themselves, we also put out joint cybersecurity advisories to let the public know what’s happening to defend against those kind of things at the same time. So we put a JCSA out with a lot of our partners that provided both technical and contextual intelligence that they could use to defend their networks from this type of activity. What’s interesting is this is the fourth court authorized technical operation since 2018 that we have conducted against the Russian GRU, all targeting end of life routers and edge devices. So it just demonstrates that they are persistent in what they do, but our persistence-
Frank Cilluffo [00:07:29]: Is there too.
Brett Leatherman [00:07:30]: Is there as well. Yeah.
Frank Cilluffo [00:07:31]: Exactly. You know, and I think what gets lost here is this isn’t, and maybe it’s because I’m old, but it reminds me of FBI moving to more of an intelligence led operation. And in a post 9/11 environment, a lot of emphasis not only on arresting the perpetrator, that that obviously is always going to be tantamount, but in itself may be insufficient. And here you didn’t wait to arrest someone afterwards, you took proactive steps to remediate. Do you think we’ll see more of those in a court authorized kind of way?
Brett Leatherman [00:08:05]: I can guarantee you will see more of those because it has real impact for victims. And we call these joint sequenced operations where we conduct these jointly with partners, some named, some not named, we sequence our capabilities and authorities with them and we have more enduring or long lasting impact against the actors, bringing more enduring and long lasting relief to victims because we did it in a way like that. Now, we may never get a GRU actor in US jail for conducting that operation, but victims are feeling relief as a result of that, and the nation’s more secure because of it.
Frank Cilluffo [00:08:41]: Yeah, well said. And the foreign counterintelligence implications are massive. And in this case, it’s mom and pop shops. Right? It’s people’s home.
Brett Leatherman [00:08:49]: Yeah.
Frank Cilluffo [00:08:50]: No one thinks they would be a target, but here’s an example of how they can be. Right?
Brett Leatherman [00:08:54]: And we hear that a lot. Right? We hear a lot, why would the Russian GRU, their military intelligence service, target me? I’m a small mom and pop shop. It’s a residential router at home. And the idea of security through obscurity is dangerous. Right? If you have an IP address that sits here in the United States, regardless of what’s behind that IP address, there’s value either from an espionage purpose, but if not that, the ability to pivot into US infrastructure using that trust and IP space.
Frank Cilluffo [00:09:21]: Masquerade as the title says, right?
Brett Leatherman [00:09:22]: Masquerade is a key example of that.
Frank Cilluffo [00:09:24]: You never know who’s the puppet, who’s the master.
Brett Leatherman [00:09:26]: That’s right.
Frank Cilluffo [00:09:27]: And that is one of the, the big takeaways. And I, you know, walk us through what an investigation and a breach would look like, because sometimes, I mean, if you’re a CISO, you don’t want to, you can’t take your systems down, but at the same time, you need to be able to collect evidence. What does that tension look like? And, and, and why is it, your PSA here, why is it important that they do report, people report incidents even when they think they’re not relevant to the, to the broader national security mission, but can be?
Brett Leatherman [00:09:59]: That’s important to highlight. We’ve gotten really good over the last decade or so, and in particular the last five years or so at balancing our investigative needs with the need to conduct incident response and remediation for victims. We have 56 field offices located throughout the United States. That’s what’s unique about the FBI, is we have a forward-deployed workforce who sits in your backyard wherever you’re listening to this podcast from. And every one of those has at least one cyber team there, if not multiple cyber teams. We operate in what we call a cyber threat team model, where cyber, because again, it’s border agnostic, like the Russian GRU doesn’t just target entities in Boston, they target the United States. Right?
Brett Leatherman [00:10:39]: Boston is one of those field offices that is part of the GRU Cyber Threat team. And their job is to become experts in that threat to know the tactics, techniques and behaviors of those actors, how those actors’ TTPs are changing and pivoting and how we counter that. They work with several other field offices as part of that cyber threat team. We have the same thing for Iran actors out of Iran, same thing for actors out of China, same thing for actors out of DPRK and also in the criminal ecosystem as well, those ransomware actors. We have field offices who become experts in countering that cyber activity in meaningful ways, and because of that, when there is a breach and we’re conducting our investigations and we have those experts on these IOCs and TTPs, most victim organizations who are breached by the GRU have never had experience in being breached by the GRU. But the FBI has over and over been exposed to what the GRU does. And we bring that expertise to incident response, containment, eradication activity that you can’t get anywhere else.
Brett Leatherman [00:11:43]: We want organizations to look for their incident response firms who come in and do remediation, but there’s intelligence that we have that we can provide that is invaluable. It provides the victims the ability to hunt more meaningfully, quicker those actors in their environment in support of that containment and eradication. The FBI will never ask you to maintain breach while we are conducting evidence collection. What we found is that investigation and remediation work hand in hand when you call us in right away. And every one of our joint sequenced operations like Operation Masquerade is informed by victims who come forward early and provide us that intelligence that we can use to move upstream against the actors.
Frank Cilluffo [00:12:25]: Awesome. That, that was very eloquent and dare I say, I certainly would have already reported, but I’ll do so quicker now. And, and, and, and, and truth is, is it, you never know. I, I mean the first big cyber incident that I remember was Cuckoo’s Egg. It was a rounding error of $0.05 or $0.15 or whatever it was. Next thing, next thing you know is an SVR or KGB maybe at the time operation. And you never know what that is unless you actually do the hunting. Right?
Brett Leatherman [00:12:57]: You would be surprised at how much little bits of intelligence when paired with what we already know about an actor might help us understand that the optional, the option to pursue deterrence activity upstream. Right? So any little thing matters when, when it comes to intelligence and kind of filling that intelligence picture.
Frank Cilluffo [00:13:18]: Well said. And when we look at the threat, obviously we all look at the primary threat actors, Russia, Iran, North Korea, probably the most existential, the People’s Republic of China. But increasingly you’re seeing ransomware gangs that five years ago those capabilities would have only been in the hands of two or three countries. Right? And with the advent of AI, that’s just happening faster, faster, faster, faster. How do we keep up with that?
Brett Leatherman [00:13:47]: Yeah, so we’ve seen this kind of curve, right? We saw this curve where we saw these really big ransomware ecosystems like LockBit, Conti and other groups that were really massive and had large followings. The FBI has conducted counter ransomware operations with our partners like the National Crime Agency in the UK. Operation Kronos dismantled, largely dismantled, the LockBit ecosystem. So we’ve seen those actors start to fragment into smaller groups, and we’ve seen a transition from just encryption and encryption and exfiltration to now just exfiltration and extortion events. And so we continue to see these transitions happening. Now we’re getting really concerned that with agentic AI capabilities, ransomware actors are starting to leverage agentic AI along with the nation states to really move across the cyber kill chain at speeds we haven’t seen before, and at speeds defenders might not be ready for. And so it is a significant issue now. If you look at some of the major breaches over the last few years, Change Healthcare and some of the others, where the actors target the underlying ecosystem or the underlying component to larger ecosystems like healthcare sector, in order to extort larger ransom payments, that is going to be something that they can do quicker if we don’t start to deploy fundamental cybersecurity practices and AI in some cases to defend our systems, because we can’t defend against machine speed at human speed at this point.
Frank Cilluffo [00:15:15]: Exactly. And the bar is getting lower to entry. Right? And if you think about vulnerability, disclosure, if I’m not mistaken, you sort of have the, the CVE, the KEV list, and we’ve got what, 1500 on that for years. That, that, that, Mythos may blow that out of the water overnight.
Brett Leatherman [00:15:37]: Yeah.
Frank Cilluffo [00:15:38]: What, what, what can we be, what else can we be doing or should we be doing? And, and part of that gets to that public private partnership. I, I think sometimes it’s industry that holds the cards here. Right?
Brett Leatherman [00:15:50]: You’re right.
Frank Cilluffo [00:15:51]: So, we gotta think about this a little differently.
Brett Leatherman [00:15:54]: We look at it two ways, right? There’s, we look at deterrence, two ways, deterrence through offense, which we are doing a lot of, and under President Trump’s Cyber Strategy for America, we are really aligned and we’re one of the action arms of the United States government, imposing cost under pillar one of the National Cyber Strategy, and we are, you’ll hear in the coming weeks, we are escalating our efforts to deter through offense. But there’s also deterrence through defense. And it’s removing digital real estate that the actors are using way too easily every day to get into environments. If we don’t start to raise the fundamental resilience and cybersecurity standards across critical infrastructure and kind of that, that real estate that the actors are targeting, we can do as much as we want on the offensive side, but they still have too many opportunities on the defensive side. Right now, that’s where we have room to move the needle defensively. And that takes all of us.
Brett Leatherman [00:16:47]: It takes industry, government, military, policymakers, those folks who are, who are kind of thought leaders in this space, all coming up in identifying ways to build that collective resilience.
Frank Cilluffo [00:17:00]: By the way, I love the digital real estate. That’s a much cleaner term than attack surface, which we all use all the time, but that’s really what we’re talking about here. What about sort of shadow surface? There’s a handful of bad infrastructure. Is there more we should be doing there, you think?
Brett Leatherman [00:17:16]: Yeah. So we’re looking at it several ways. I mentioned kind of the operating, yeah, the operating model that we look at. We look at the actors, the infrastructure that they use, we look at their money, we look at their tool sets like their malware, and we try to attack each of those as part of our counter operations. The more of those we can hit in any one joint sequenced operation, often the more impactful there is. And so it might be the UK’s NCA hitting one piece of the infrastructure while we conduct another operation, while Treasury can, you know, levy rewards for justice or State Department sanctions, or vice versa, I guess, State Department RFJ and Treasury sanctions. But when we do that together, we have that more lasting impact. But we’re also looking at the bulletproof hosters, the shadow server environments that are hosting the places that we can’t necessarily get to with legal process. And how do we leverage our technical capabilities? How do we even employ artificial intelligence in our cyber operations? Our joint sequenced operations to scale operations against the actors that are tough for, you know, a limited finite resource of FBI cyber operators to do. How do we leverage artificial and agentic AI to support that? We’re looking at that closer.
Frank Cilluffo [00:18:28]: And I’m happy we’re looking at that and leaning forward because you also need to know, right hand needs to know what the left hand is doing.
Brett Leatherman [00:18:34]: That’s exactly right.
Frank Cilluffo [00:18:35]: Inside, inside the broader environment, because it could actually unintentionally undermine an investigation or unravel something.
Brett Leatherman [00:18:45]: We have to be really thoughtful in how we deconflict and work across the partners, partners, whether it’s domestic or international. And that’s why, you know, not only do we work well within the USIC, but we prioritize the Cyber Nine, for example, which is eight countries plus Europol who are dedicated to countering cybercrime. And Cyber Nine is an important portion of that. The FBI, we are the co chair right now of the Cyber Nine, we will take on the chair role in the fall. And that is really recognizing that we have to work with partners to deconflict so that we’re not all leveraging the same resources to go after one actor when there’s plenty more out there to target.
Frank Cilluffo [00:19:24]: And I’m glad you actually brought up Europol because they’ve sort of cracked some of the code in terms of the public private partnership where Microsoft, they, every operation they do, firstly they have to do in support of the, the host nation, but they do so with industry. And whether it’s botnet takedown, whether it’s malware cleanup, it seems like they cracked a bit of the code there.
Brett Leatherman [00:19:49]: Yeah.
Frank Cilluffo [00:19:50]: And I know the Bureau’s helped big time.
Brett Leatherman [00:19:52]: We have. And I think what we’ve learned through Europol and the FBI is that when we pair in sequence our authorities with what private sector can do, it’s really meaningful. If you look at what we did in the fall of ’25, we took down Lumma Stealer, which a significant malware, LummaC2, which is a significant malware platform. We went after the command and control infrastructure. The FBI leveraged our authorities to remove the actor’s ability on that. And then Microsoft removed, you know, infrastructure across their environment where they could do terms of service violations or civil action against the actors. Recently Google conducted an operation against IPIDEA, a residential botnet. Like, we see those kind of operations is really consequential to the actors when organizations take that kind of action. Europol is, is really doing a great job at pulling private sector in. And I would say the, the 56 field offices here and our cyber teams are doing the same.
Frank Cilluffo [00:20:48]: Yeah. And you know, part of it is to make sure it’s just not a one and done operation. It’s, it’s making the adversaries look over their shoulder. Right? That’s part of the game here is that they need to know that there will be, firstly, the long arm of the law is long. It will, it will come at you when, when you least expect it. And secondly, it burns some of their own infrastructure, so it makes their life harder.
Brett Leatherman [00:21:12]: Yeah, I mentioned, you know, we, we still like to indict, extradite, and hold actors accountable. The long arm of the law still applies here. Xu Zewei was just extradited to the United States.
Frank Cilluffo [00:21:21]: Boom. I’m glad you brought it up.
Brett Leatherman [00:21:23]: And he is one of the most consequential hackers who hacked on behalf of the Chinese Communist Party. He was one of the actors allegedly responsible for the Hafnium campaign in 2021. He’s allegedly one of the actors who was responsible for the theft of COVID vaccine research in 2020. And he sat out there for years and years. He traveled to Italy. We have really great partnerships with the Italian authorities. The Italian Postale over there has become a great partner over the last few years. It was through our work with them that we were able to arrest him and get him back in the United States. He’s one of the first in a decade Chinese Communist Party hackers who’s now here facing justice in the state of Texas for hacking against the United States. So, yes, we want all actors to understand that. We don’t forget, we have a long memory and we’re going to hold you accountable.
Frank Cilluffo [00:22:15]: And it puts them on notice.
Brett Leatherman [00:22:16]: It does.
Frank Cilluffo [00:22:17]: So I, I mean, some of my friends are a little dismissive on some of that. I think it misses the point of identifying because it puts them on notice and it makes life harder. And yes, some of them like to travel to nice islands that we may have extradition treaties with. And, and it just makes it harder. It minimizes their maneuverability.
Brett Leatherman [00:22:39]: And we know that if you’re a young, up and coming kind of technologist who sits in Russia, China or elsewhere, you want, you, you better enjoy vacationing in Pyongyang or Beijing or Moscow, because if you go anywhere else, you now face the risk of arrest and extradition. And to your point on wanting them to look over their shoulders, we, we did that with Operation Kronos and LockBit. What we did was we were able to technically get into the LockBit infrastructure, take everything from it, and then we started to let them know that we were going through the databases, the back end, and that as we identified actors, we would, we would indict them, publicly out them, arrest them. And we’ve gotten at least half a dozen actors back here to the United States to face justice as well. And every one of those actors right now who thought LockBit was something that law enforcement could not get into, right now, they’re wondering if they are under sealed indictment in the United States and could be arrested.
Frank Cilluffo [00:23:36]: And will be.
Brett Leatherman [00:23:37]: And will be.
Frank Cilluffo [00:23:38]: You know, it drives wedges and, and just like the good guys, trust is the coin of the realm, bad guys too. Right?
Brett Leatherman [00:23:44]: That’s right.
Frank Cilluffo [00:23:45]: I mean if, if you lose confidence in your partners suddenly it can unravel.
Brett Leatherman [00:23:50]: And who knows who’s going to flip and talk to the good guys, you know, here in the US about it.
Frank Cilluffo [00:23:52]: And they often do.
Brett Leatherman [00:23:54]: And they often do that and they provide, you know, information that lets us pursue them as well.
Frank Cilluffo [00:23:58]: Let’s touch OT just a little bit. Industrial control systems, we’re starting to see a shift from not, and it’s not to suggest that IT systems are not important, they obviously are essential, but when we start seeing things shift from an IT to an OT environment, it gets much more to a public safety set of issues. What are you seeing there? And how would that trigger sort of in an investigation, in a field office, say that’s working cyber, would it suddenly be elevated? What does that look like?
Brett Leatherman [00:24:31]: It does because it has potential life safety implications. Similar to a ransomware attack on a hospital, you know, when you’re targeting devices that can turn, you know, you know, things that introduce chlorine or chemicals into drinking water, that could have significant downstream population impact, that’s huge. And so we take that seriously and, and we try to alert critical infrastructure when we see targeting. We’ve seen it from Iran, we’ve seen it from the Cyber Army of Russia Reborn, a Russian-based hacktivist group. We, in fact we were able to extradite this year an individual associated with CARR who was involved in the targeting of operational technology devices. The concern we have is some of those actors are less responsible, if you can call it that, when they conduct operations and that could have significant impacts if mistakes are made. Now the other set of actors we see targeting OT environments are the very sophisticated actors like the CCP. And if you look at Volt Typhoon, Flax Typhoon, Salt Typhoon, those are all campaigns targeted by the Chinese Communist Party at critical infrastructure.
Brett Leatherman [00:25:39]: Volt Typhoon in particular targeted critical infrastructure in such a way that it would have likely had an impact to US military operations in support of a Taiwan contingency. And so for us it’s incredibly important. We conducted an operation similar to Operation Masquerade that removed the actors’ capability from KV-botnet, yeah, proactively, before anything had occurred, to remove that capacity and capability to conduct attacks against critical infrastructure in a way that would have that impact. So we prioritize anytime we see that. The problem is over the last 18 to 24 months we have seen a shift in actors targeting, specifically the CCP, of critical infrastructure. And so we’ve moved from this environment of just intellectual property theft to this environment where they’re targeting OT based environments.
Frank Cilluffo [00:26:29]: And, and to be very clear, Volt, there was no intelligence value of what they were doing other than pre position. We’ve always seen intelligence preparation of the battlefield, but this took it to the next kind of level. Salt Typhoon, anything where that investigation stands?
Brett Leatherman [00:26:46]: Yeah, still an ongoing and active investigation.
Frank Cilluffo [00:26:49]: I think it will be for a while.
Brett Leatherman [00:26:50]: Yeah, I classify it as probably the most consequential cyber espionage campaign that we faced so far because of the access that the actors had. And while it was an espionage campaign, the actors could have quickly pivoted into more of a destructive campaign as well.
Frank Cilluffo [00:27:04]: You bring all the typhoons together, each one’s a bad day, collectively, it’s the perfect storm, really bad day.
Brett Leatherman [00:27:09]: It’s a really bad day. Yeah, yeah. And when they’re operating on communication infrastructure, imagine if you’re able to take that infrastructure down and the impact to mass transit, the impact to the financial sector, the impact to government agencies. If you’re able to take that infrastructure down, which this activity would have been able to have destructive impact in those environments, that’s a, that’s kind of next level beyond espionage. It’s very serious.
Frank Cilluffo [00:27:35]: So you brought up Volt, Salt, and the Typhoon actors, you’re also securing 2027, and that’s a big effort of the FBI and perfect, because it hits all of the FBI’s primary mission areas. What should we be thinking there?
Brett Leatherman [00:27:51]: Yeah, think securing critical infrastructure. And that is a product of the fact that we know that the PLA has been mandated to be ready for potential Taiwan operations in 2027. Do we think that’ll happen? We have no idea when that might happen. It may happen years and years from now, but we know that as part of that-
Frank Cilluffo [00:28:10]: May happen tomorrow.
Brett Leatherman [00:28:11]: Could happen tomorrow. We know as part of that, that the desire they have would be to impact critical infrastructure here in the United States using cyber effects. We can’t allow that to happen. We’ve got to, we’ve got to defend critical infrastructure from the Volts, from the Salts, from the Flax Typhoons. And again, we can counter it all day long, but we’ve got to do a better job at defending it fundamentally. And that’s why we did Operation Winter SHIELD now just a few months ago, was to help folks understand what we’re seeing and how to defend critical infrastructure. There it is.
Frank Cilluffo [00:28:44]: Let’s talk Winter SHIELD.
Brett Leatherman [00:28:45]: That’s great.
Frank Cilluffo [00:28:46]: Perfect segue. What do we need to know there?
Brett Leatherman [00:28:48]: So Operation Winter SHIELD was a first-of-its-kind campaign that the FBI ran over two months to help us distill our law enforcement visibility, our intelligence community visibility, the incident response that our field offices do from a law enforcement standpoint, 365 days a year, into 10 controls every organization can employ today to make themselves more resilient. It doesn’t matter if you’re in the government, nonprofits, critical infrastructure, it doesn’t matter. If you employ these controls, you are more safe than you are. And so those 10 controls should not come as a surprise to many. The problem is in 99% of the breaches that we continue to see in our incident response, they’re implicated there. Yep, the same ones. It’s either 1, 2, 3 or other or more. So we can do a better job. And so for two months, I would encourage folks to go to FBI.gov/WinterSHIELD to see what those 10 controls are and to see through our investigative work what happens when these controls are violated by actors and the impact that it can have.
Frank Cilluffo [00:29:49]: You know, and I’m glad you brought up Winter SHIELD, and I’m also glad not all of this is rocket science. We all go after the shiny object and yes, Mythos and some of these things are game changers in very significant ways, but we’re not doing the fundamentals, right? I mean Auburn will be a top notch football team next year again, and at the end of the day, blocking and tackling matters. It’s not just the flash, it’s what goes on in the, in the trenches that wins or loses football games. And it’s shocking that it’s the same 10.
Brett Leatherman [00:30:27]: I wish I could say that in the last three or four months there was some novel zero-day that I saw that had tremendous impact to an organization. And we’ve seen a lot in the last three to four months in the way of breaches. I can’t think of one, but I can think of, in almost every one of those breaches, one of those 10 controls that were violated in order to get into the environment, escalate privilege, move laterally and have significant impact on the victims. And so I think it was in December, AWS released a blog that said we, they saw Russian-based actors using artificial intelligence to conduct targeting of victims. And anytime that AI encountered difficulty with one of these fundamentals, it moved on. Agentically, it moved on and said it’s not worth it because there’s plenty out there that are not worrying about these 10 controls. We want them to move on, and so to have them move on, we start to employ things like a rapid and robust patch management system, phish-resistant multi-factor authentication, understanding what sits at the edge of our networks, removing end-of-life devices from our networks. Like, those controls can help us meaningfully move the needle on resilience.
Frank Cilluffo [00:31:33]: And I’m glad you brought up edge devices as well because I know the Bureau’s done a lot in that space. The other thing that I’m seeing a lot of is where you have, the breach of one can affect many, and from a downstream, you say it much more eloquently. Anything there?
Brett Leatherman [00:31:50]: Yeah, third-party risk and, and supply chain risk is going to continue to be a problem. And so third-party risk, when you look at those organizations that hold your data or have access to your networks, you can spend millions of dollars on cybersecurity, but if you have an organization who doesn’t that has access to your environment, that’s who the Russians, the Chinese, the Iranians or others are going to target, or the criminal ransomware actors, because the path of least resistance is where they want to-
Frank Cilluffo [00:32:15]: And you have so many people.
Brett Leatherman [00:32:16]: And you have so many. And so third-party risk is significant. Supply chain is going to be increasingly an issue, especially in the software-based supply chain realm, is you start to see these LLMs that can target code in really dramatic ways. We’ve seen Glasswing reporting on what that looks like. You’re going to have development servers that are targeted by actors and malicious code inserted, and really starting to understand how we validate the integrity of the code, the patches that we’re putting on our systems, is going to be incredibly important too.
Frank Cilluffo [00:32:48]: Yeah. We don’t build airplanes the same way. Right? I wouldn’t fly if we did the way we code. So, and I might note in addition to software and in addition to hardware, the firmware issue is really hard to get our arms around here from a supply chain intelligence perspective.
Brett Leatherman [00:33:06]: It is. That’s especially true when some of the firmware and device the, the core devices and chipsets that we’re buying are coming from threat countries. Right? And so how do we start to focus on not buying our core edge devices or technologies from threat-based countries, Russia, China or elsewhere so that we can buy, buy code firmware chipsets that we know are, are secure or more secure because they’re made in areas that we trust.
Frank Cilluffo [00:33:33]: Brett, we’re coming near the end of our time. But given your experiences, firstly, what do you fly?
Brett Leatherman [00:33:39]: Yeah.
Frank Cilluffo [00:33:39]: What did you fly?
Brett Leatherman [00:33:40]: So I fly a single-engine aircraft for the FBI. So we have a variety, we have some of the largest civilian aircraft, you know, in the US Government, and I was a pilot for the FBI for years.
Frank Cilluffo [00:33:49]: Awesome, awesome. But given your role sort of as a pilot, as a hostage negotiator, which Chris Voss is a good friend and some of these other folks, he’s made it pretty cool and popular.
Brett Leatherman [00:34:00]: He’s done well.
Frank Cilluffo [00:34:01]: But how do you, what did you learn from your previous roles? And if you were sort of looking at, if you could choose every single person you wanted to choose to be part of your team, what traits are you looking for in, in a cyber, is it a good investigator? Is it good technology? Is it both? Is it someone who’s creative? Is it someone, what are the traits that you would see that you are bringing to that fight and you would like to see your team have?
Brett Leatherman [00:34:28]: It’s a good question. You know, in my experience, I have worked kidnapping investigations.
Frank Cilluffo [00:34:33]: You’ve done it all.
Brett Leatherman [00:34:34]: Like, you know, been the on scene counterterrorism commander for a major counterterrorism incident, hostage taking situation, pilot, who’ve gone through crises in, in the air. What I would say about how that translates today into how I approach leadership and what I look for in my leadership teams is a sense of urgency in how we act. Because often cyber is not that thing that we look at as urgent. Right? The problem is this.
Frank Cilluffo [00:35:00]: But it affects everything.
Brett Leatherman [00:35:01]: It affects everything and increasingly will affect everything. And economically it’s having tremendous impact.
Brett Leatherman [00:35:07]: And from a national security standpoint, the, the pacing threat right now economically and from a cyber standpoint is intellectual property theft to foreign countries who compete with us, you know, with the, with the innovation that we have here in the US, and that’s a national security threat long term. So my desire is that all my teams act with urgency in what we do, recognizing that sometimes victims don’t have a voice when it comes to cyber exploitation. We see something, we have to notify victims quickly. When a victim reaches out, we have to engage them quickly. And then when we see the actors, the cyber actors acting up in cyberspace and we have an opportunity to do something, we have to do it quickly because if we don’t, it puts national security at risk. And our job is to defend the homeland against these actors. We have to do it with urgency. And so when I, when I look at those leadership traits, it’s urgency, it’s innovation, it’s engagement, because we can’t do this alone, we have to do it with partners.
Brett Leatherman [00:36:06]: And it is being humble at what we do because sometimes we’re not the best athlete in this fight. And if it’s US Cyber Command, if it’s the National Crime Agency, if it’s the Dutch National Police, we will support them in every way we can and let them run point on it as well.
Frank Cilluffo [00:36:20]: Really well said. And I must note, I’m happy to hear the emphasis on victims. Right? Of course the Bureau always cared, but I think now it’s taken that to a whole nother level, and I think that should be recognized and appreciated for what it is. You know, what questions didn’t I ask that I should have? We covered a lot of territory. I do want to ask about, one question on technology. So, you know, I often say I’m worried about the day the Chinese stop stealing our secrets because they’ve already got everything they need.
Frank Cilluffo [00:36:56]: That’s a given. We should know that not just the Chinese, every, including allies probably because that’s part of the competitiveness environment. But post quantum, from an encryption standpoint is, does the Bureau have a role in all of that? We’ve had some folks in from Fort Meade and others to discuss this. But be curious if, if we can, if someone else can keep all their secrets and crack all ours, that’s a bad day, isn’t it?
Brett Leatherman [00:37:25]: So part of our job as the nation’s domestic intelligence service is protecting, helping to protect the innovation that’s happening here, to include AI-based innovation and quantum innovation. I was just meeting with some of our teams two weeks ago who are responsible for defending the quantum space and kind of what America is doing in this space at the classified and unclassified levels. And I’m really comfortable that we are investing a lot in that. And again, that is a key area where private-public partnerships are essential to defending that technology.
Frank Cilluffo [00:37:59]: And some of these companies don’t even realize how important. I mean they’re just trying to compete. But that can change the world.
Brett Leatherman [00:38:07]: That’s right.
Frank Cilluffo [00:38:08]: And will change the world. Brett, what questions didn’t I ask that I should have?
Brett Leatherman [00:38:12]: Yeah, the only thing I would say is, you know, what is the listener’s role in all of this? Right? And it’s, it is you have unfortunately been drafted into the cyber fight and we need you to step up and act with urgency. The similar urgency that I talked about that our teams work with. What does that mean? That means engaging your local FBI field office, having that relationship before a breach happens. That includes, you know, talking to your external counsel so that before a breach happens, they understand what your intent is to share with law enforcement on day one and what the value proposition is to bring in the FBI in early and how you can contribute to the cyber fight by talking to us and sharing that visibility with us. So I think what I would say is every viewer should understand that cyber security is national security.
Brett Leatherman [00:38:59]: And just like the PRC leverages an all-of-society approach, because they use companies to conduct hacking operations against the West, we have to leverage an all-of-society approach to defend the homeland as well.
Frank Cilluffo [00:39:10]: Brett, thank you so much for spending so much time with us today and more importantly, for fighting the good fight every day and leading the women and men to try to take a, put a dent in what it is we’re all dealing with and making a difference every day for Americans. So let me leave you with a token of our appreciation, figuratively and literally.
Brett Leatherman [00:39:31]: That’s great.
Frank Cilluffo [00:39:32]: Thank you.
Brett Leatherman [00:39:33]: Thank you.
Frank Cilluffo [00:39:34]: Awesome. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you’d like for us to host. Until next time, stay safe, stay informed and stay curious.