Christopher Delzotto remembers the days not so long ago when many online financial scams could be spotted just by reading them. They were full of misspellings, poor grammar and awkward phrasing — all signs that they were created in other countries where a hacker's first language isn't English.
The rise of artificial intelligence has changed that, offering tools that help cybercriminals clean up their language and opening new doors for hackers to break into computer networks through emails that trick recipients into sharing personal information or by fabricating images or videos used to extort victims.
One thing AI hasn't changed, the assistant special agent in charge of the FBI's San Antonio division said, is the challenge the agency has in finding and arresting cybercriminals who largely operate outside the United States. Law enforcers can't just serve a subpoena in China, Russia or Africa, for example.
"Most of the actors are in countries where we can't do proactive investigations," Delzotto said. "The idea is not to put them in handcuffs but disrupt their activities."
The job keeps getting bigger, with the FBI in San Antonio taking on a rapidly increasing number of reported cyberattacks on schools, medical centers, private companies, government agencies and military contractors as international hackers infiltrate local computer networks and steal personal health and financial information.
While the FBI's standard response in specific cases is to neither confirm nor deny whether it's investigating, Delzotto said the agency has "absolutely" seen an increase in reported ransomware attacks and business email compromises, which it calls BEC scams.
"It's definitely on the rise, and as technology evolves, so do cybercriminals," he said.
In San Antonio
Inside the FBI's field office on the far Northwest Side, Delzotto recently discussed the increasing threats across its 17-county region, which stretches north to Austin and Waco, west to Del Rio and south to the border towns of Brownsville, Laredo and McAllen.
One of those threats, ransomware attacks, involves hackers breaking into computer networks and holding digital data under the threat of public release or sale until victims pay. Another, business email compromises, involves hackers posing in email or other electronic communications as trusted colleagues, for example, in attempts to reap payment from businesses and individuals and access their computers.
In San Antonio, a rising number of companies have been hit by such cyberattacks. Some said they reported the cases to the FBI. Among the most recent:
In July, nearly 1 million patient data records stolen from HCA Healthcare's San Antonio division, including the city's Methodist Healthcare hospitals, were posted on the deep web, the part of the internet that's unidentifiable to search engines, in a breach that impacted an estimated 11 million patients in 20 states. It also affected data of patients at hospitals and clinics in the Austin area, the Rio Grande Valley, Corpus Christi and Houston, among others across Texas.
In June, Generations Federal Credit Union reported being hit by an online breach that affected 18,000 members. It involved consumers' names, addresses, Social Security numbers, driver's license numbers, passport, credit and debit card numbers, and medical and health information.
Later that month, insurance and financial services company USAA reported a data breach involving "unauthorized individuals" gaining access to the personal information of about 19,000 members, including 2,726 Texas residents.
In December, Rackspace Technology, one of the city's largest tech employers, blamed a ransomware attack for an outage that prevented thousands of customers from accessing email on its Microsoft Hosted Exchange platform. That incident led to a few federal lawsuits against the cloud computing company, which exited that business line.
Earlier last year, hackers deployed online breaches and ransomware attacks on San Antonio engineering firm Pape-Dawson Engineers; the Bexar Appraisal District, which assesses property values of homes and businesses; Baptist Medical Center; Disability Services of the Southwest, a local nonprofit that provides services to disabled people and the elderly; and Our Lady of the Lake University. The incidents have triggered several lawsuits.
Reporting lags
Last year, Texas ranked third in the U.S. by the number of victims reporting cybercrimes and fourth by total reported losses from those schemes, according to the FBI's Internet Crime Report. The agency received reports from 38,661 Texas victims who reported losing $763.1 million.
That included reports from 1,893 victims of business email compromise cases who lost about $260 million. That was up from 1,750 victims who lost $233.5 million in 2021. The agency also received reports from 237 victims of ransomware attacks who lost $1.7 million last year, down from 293 victims who lost $4 million the previous year.
The rapid growth of cybercrime in Texas was highlighted in a report last year from the state comptroller, which said that more than 38,000 victims reported an estimated $313.6 million in financial losses to cybercrime in 2020 — up 42% from 2019 and 307% from 2016.
Many cyberattacks still go unreported, however, so the actual number and total losses are unknown. But the FBI and state agencies are working to fix that.
The Texas Department of Information Resources has required state agencies and institutions of higher education to report cyber incidents, said Brittney Booth Paylor, a department spokeswoman. But the agency receives reports about incidents at other entities only if they volunteer information or the department finds out about the attack through another source.
This month, the department launched a portal for local government entities to report cybersecurity incidents in compliance with Senate Bill 271. It went live Sept. 1 on the department's website.
The state law requires local government entities such as counties, cities, special districts and K-12 schools to report suspected online breaches or breaches of system security and ransomware to the department within 48 hours of the incident. Local governments that are required to report to an independent organization certified by the Public Utility Commission of Texas are exempt from the law.
"With both state and local government entities reporting cybersecurity incidents to the state, DIR will have a more complete picture of the cyber threats Texas is facing," state Cybersecurity Coordinator Tony Sauerhoff said in a statement. "Sharing threat intelligence gained from these reports with other entities will prevent additional cyberattacks aimed at Texas."
Texas law also requires businesses and organizations that experience a data breach of system security that affects 250 or more Texans to report that breach to the state attorney general's office no later than 30 days after the breach is discovered. But not all recently known cases in San Antonio have been reported there.
And under a new Securities and Exchange Commission rule, publicly traded companies such as Rackspace and HCA are required to disclose cyberattacks within four days, in addition to reporting financial impacts in quarterly disclosures.
Already, the actual losses are higher than the currently incomplete list of reports indicates because those losses don't include costs that companies can incur in the aftermath of an attack. In recent San Antonio-area cases, victim companies have spent millions of dollars restoring data and computer networks and dealing with legal claims by individuals concerned that their personal information had been put at risk.
Rackspace, for example, reported that it spent $10.8 million on expenses related to the December ransomware attack. The company said costs included work to "investigate and remediate, legal and other professional services, and supplemental staff resources that were deployed to provide support to customers," according to SEC filings. And it expected costs to continue.
There is no requirement for victims to report cyberattacks to the FBI. But Delzotto said the number of reports it receives through its Internet Crime Complaint Center — which it calls IC3 — walk-in complaints, email tips and other reporting methods is rising along with increases in cybercrimes.
He encouraged victims to come forward quickly because the FBI's tools could help minimize their losses. For example, it could use its Financial Fraud Kill Chain program to freeze money transfers, uncover other attacks or, in some cases, generate decryption keys to unlock computer networks without a ransom.
Paying attention
Beyond keeping track of cases and losses, state and federal agencies have been challenged by cyberattacks impacting national security.
In 2020, Russian hackers attacked Austin-based information technology company SolarWinds, gaining access to the Cybersecurity and Infrastructure Security Agency — the arm of the Homeland Security Department responsible for protecting federal computer systems. In May 2021, Russian-speaking hackers shut down the Colonial Pipeline, which carries gasoline and jet fuel between Houston and the southeastern U.S. and New York areas.
They hit closer to home, too. In July, U.S. officials said an apparent plan of a hacker group backed by the Chinese government to upend utilities and communication systems that power U.S. military bases poses a major threat to Joint Base San Antonio — and potentially to the region's water and electricity customers.
Many San Antonians began to understand the impacts of cybercrime after Judson Independent School District in 2020 paid a ransom of $547,045 to hackers to keep sensitive information from being posted online for public access.
At the FBI field office, Delzotto oversees agents with skills in computer science and digital analysis who take on cybercrime alongside partners in local law enforcement.
"Nowadays, there's a cyber component to everything," he said, referring to how cellphones, computer devices and cameras are increasingly being used in criminal cases including human trafficking and sexual exploitation cases.
The agency has been recruiting agents to meet the increasing workload, Delzotto said, but has a "finite number of resources." This year, FBI Director Christopher Wray included $63.4 million to improve cyber investigative capabilities in his $11.5 million budget request for 2024.
It includes adding 192 positions — 31 agents, eight intelligence analysts and 153 other staffers — "to enhance information-sharing abilities and increase cybertools and capacities." The request also includes adding four jobs and an additional $27.2 million "to help protect internal FBI networks."
It's an area of increasing attention for Wray, who in 2021 compared the increasing threat from international ransomware attacks to the Sept. 11 attacks on the U.S.
"There are a lot of parallels, there's a lot of importance and a lot of focus by us on disruption and prevention," he told the Wall Street Journal. "There's a shared responsibility, not just across government agencies but across the private sector and even the average American."
The rise of AI
The threats have increased with the use of artificial intelligence.
The FBI in June raised concerns about so-called deepfakes being used to blackmail targets in sextortion cases, in which perpetrators demand money in exchange for not posting fake sexually explicit photos and videos. The agency issued a warning to people who post online and send messages over social media and dating apps.
The Federal Trade Commission, which has opened an investigation into OpenAI, the startup that makes ChatGPT, raised concerns this year that hackers can also use AI-generated "deepfakes and voice clones to facilitate imposter scams, extortion and financial fraud."
"We assess AI will enable threat actors to develop increasingly powerful, sophisticated, customizable and scalable capabilities — and it won't take them long to do it," Wray said during an FBI conference in July. "That goes double for China, which as I mentioned earlier has spent years stealing both our innovation and massive troves of data that's perfect for training machine learning models."
In San Antonio, Delzotto said he has not yet seen local AI-generated scams reported to the Internet Crime Complaint Center. But such cases have been reported across the nation.
"There are a lot of concerns with how AI can enhance crimes," he said. "But we can also use AI to investigate."
Notching victories
The FBI has sought to educate local companies and groups about best practices and how to restore compromised data. It long has maintained its belief that victims should not pay ransom in ransomware attacks because coughing up money doesn't necessarily mean victims will get their data back.
But the agents also have celebrated victories when collaborating with the Justice Department to arrest hackers committing such cybercrimes outside the U.S.
Last October, Oliver Rich Jr., special agent in charge of the FBI's operations in San Antonio and Austin, described how more than 50 million unique credentials such as emails, bank accounts, credit card numbers and cryptocurrency addresses were stolen from millions of victims around the world, including people in San Antonio, Killeen and El Paso.
The FBI had partnered with law enforcement in Italy and the Netherlands to collect the stolen data and shut down an international cybercrime operation known as Raccoon Infostealer. That work helped Dutch authorities arrest and charge a then-26-year-old Ukrainian national named Mark Sokolovsky.
A federal grand jury indictment alleged that hackers paid him $200 per month in cryptocurrency to use his "malware-as-a-service" to conduct email phishing schemes to break into victims' computer networks, steal their data and commit financial crimes or sell information online.
"This case highlights the FBI's unwavering commitment to work closely with our law enforcement and private sector partners around the world to hold cybercriminals accountable for their actions and protect the American people from cybercrime," Rich said in a statement. "This case also serves as a reminder to public and private sector organizations of the importance to report internet crime and cyberthreats to law enforcement as soon as possible. Working together is the only way we're going to stay ahead of rapidly changing cyberthreats."
© 2023 the San Antonio Express-News. Distributed by Tribune Content Agency, LLC.