“We have gotten more comfortable, as a government, taking that step,” Adam Hickey, a deputy assistant attorney general for national security, said in an interview at the RSA cybersecurity conference in San Francisco.
The latest example of this approach came in April, when U.S. authorities wiped malware off of hacked servers used to control a Russian intelligence agency’s botnet, preventing the botnet’s operators from sending instructions to the thousands of devices they had infected. A year earlier, the Justice Department used an even more expansive version of the same technique to send commands to hundreds of computers across the country that were running Microsoft’s Exchange email software, removing malware planted by Chinese government agents and other hackers.
In both cases, federal prosecutors obtained court orders allowing them to access the infected devices and execute code that erased the malware. In their applications for these orders, prosecutors noted that government warnings to affected users had failed to fix the problems, thus necessitating more direct intervention.
Unlike in years past, when botnet takedowns prompted extensive debates about the propriety of such direct intervention, the backlash to these recent operations was limited. One prominent digital privacy advocate, Alan Butler of the Electronic Privacy Information Center, said malware removals required close judicial scrutiny but acknowledged that there was often good reason for them.
Still, DOJ officials said they see surreptitiously taking control of American computers as a last resort.
“You can understand why we should be appropriately cautious before we touch any private computer system, much less the system of an innocent third party,” Hickey said.
Bryan Vorndran, who leads the FBI’s Cyber Division, said in an interview at RSA that the government’s approach is to “move from least intrusive to most intrusive.”
In the early days of action against botnets, beginning with a 2011 takedown of a network called Coreflood, senior government officials were reluctant to push the limits of their powers.
“With Coreflood, it was, ‘Okay, you can stop the malware, but we’re not going to delete it. That feels like that’s just too much, too fast,’” Hickey said.
In the decade since Coreflood, the government has disrupted many other botnets, but not through malware removals. Instead, authorities employed techniques such as seizing websites used to route hackers’ instructions and redirecting those instructions so they never arrive.
Typically, when the FBI wants to take down a botnet that hackers have assembled by infecting vulnerable routers or other products, the bureau begins by working with device manufacturers to issue warnings to customers. The number of remaining infected devices powering the botnet drops off very quickly after these warnings, Vorndran said, “but it doesn’t get anywhere close to zero.”
Next comes direct outreach to the remaining victims. In the case of the Russian government botnet, FBI agents notified hundreds of victims that they should patch their devices. To address the Exchange crisis, the FBI and Microsoft contacted thousands of vulnerable organizations. But even after that step, Vorndran said, “we’re left with something remaining, where there’s still a usable vector for attack.” The Russian government botnet — which included computers in states such as Texas, Massachusetts, Illinois, Ohio, Louisiana, Iowa and Georgia — still retained about 20 percent of its command-and-control servers after the FBI’s victim notifications.
“The question becomes, what do we do?” Vorndran said. “Should the adversary still have the opportunity to utilize these to conduct an attack, whether inside the United States or [elsewhere]? And our answer to that will always be ‘No,’ especially when we have the legal authorities and the capability to neutralize that botnet.”
This is when malware removal comes into play.
After identifying infected devices, the government asks a court for permission to send commands to those devices that will cause the malware to delete itself. Essentially, the FBI uses the malware as a point of entry to the infected computers — it doesn’t need to hack the computers itself, because it’s piggybacking on someone else’s hack. These operations rely on intelligence that the bureau gathers about the botnet in question, including, sometimes, the passwords necessary to control the malware. A court’s permission is necessary, at least for devices in the U.S., because accessing them constitutes a search under the Fourth Amendment.
DOJ officials cited several reasons for the recent embrace of this tactic.
One is new leadership. Deputy Attorney General Lisa Monaco has been a key proponent of this strategy, having seen the value of disruption operations during her time as White House homeland security and counterterrorism adviser.
“The political leadership currently has seen this has been done before [and] is very forward-leaning,” Hickey said.
Senior officials are also more willing to sign off on aggressive actions because they understand the technology better. “They can ask questions of the FBI to assure themselves, ‘What have you done to test this? How’s it going to work?’” Hickey said, “and so they’re comfortable moving forward with an [operation] like that.”
The public generally seems to be on board, too. “We have done things like this a number of times where I don’t feel like people are like, ‘Are you crazy?’” Hickey said. “There’s still an appropriate level of scrutiny of these operations, but I think we have established credibility and trust.”
Whereas in the past it was hard for prosecutors to justify intrusive actions to their superiors, Hickey said, it is now harder for them to justify not taking those actions and leaving a botnet intact. “We’ve gotten to this point where we’re like, okay, if we’ve tested [our code], if we’ve worked with the manufacturer, if we’ve done everything we can to ensure there will not be collateral damage, why would we just leave the malware there?”
These changes have not just been driven by an increased comfort with reaching into people’s computers. Companies whose products are being abused are now more likely to share what they know with the government, according to Hickey. “They don’t have the authority to get a search warrant,” he said, “but they know that we will do that.”
In addition, the FBI, as part of a broader shift toward disrupting hackers, has begun devoting more personnel and resources to the difficult work of developing the tools necessary for these operations.
“We still do believe in taking players off the field,” Vorndran said. “But at the end of the day, if there’s an adversary that has an attack vector available, we’re going to do everything we can to neutralize that.”
Malware removals are only likely to become more common as botnets continue to proliferate, the FBI’s expertise with this technique grows and DOJ leaders’ familiarity with the strategy increases.
There has been “an evolution of our thinking” about how to stop botnets, Hickey said, as prosecutors have developed greater “risk tolerance” for complicated operations and department leaders have recognized a growing “confidence by the public and Congress.”