FBI Infiltrates Hive
In a widespread operation that included German and Dutch law enforcement, the FBI in late July 2022 crawled into Hive's computer networks, captured its decryption keys, and offered them to victims worldwide. All told, the FBI has provided over 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims.

Deputy U.S. Attorney General Lisa Monaco said government hackers broke into Hive's network and put the gang under surveillance, covertly stealing the decryption keys the group used to unlock victim organizations' frozen data. Victims were notified in advance so they could take steps to protect their systems before Hive demanded the payments.

"Using lawful means, we hacked the hackers," Monaco told reporters. "We turned the tables on Hive."

FBI Director Christopher Wray delivered a statement on the matter:

"The coordinated disruption of Hive's computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard. The FBI will continue to leverage our intelligence and law enforcement tools, global presence, and partnerships to counter cybercriminals who target American business and organizations."
Hive Methods Examined
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Hive affiliates have gained initial access to victim networks through a number of methods. These include single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols; exploiting FortiToken vulnerabilities; and sending phishing emails with malicious attachments.

Austin Berglas, global head of professional services for BlueVoyant, a New York-based cybersecurity provider, said that although the seizure of Hive assets won't "dismantle" the organization, "it will certainly disrupt operations for a period of time, forcing the group to establish new infrastructure if they intend on continuing criminal activity under the same Hive moniker." Dismantlement, he said, comes only when law enforcement arrests the individuals responsible.

To that point, in May 2022, the infamous Conti ransomware crew disbanded operations after one of its members leaked internal communications. However, some of the group's members spun off into other gangs such as BlackBasta and BlackByte. Hive members are likely to do the same.

Although there were no arrests announced on January 25, U.S. Attorney General Merrick Garland said the investigation was ongoing, and one department official told reporters to "stay tuned," Reuters reported.

Garland said the FBI's operation helped a wide range of victims, including a Texas school district: "The bureau provided decryption keys to the school district, saving it from making a $5 million ransom payment, and a Louisiana hospital avoided a $3 million payment."