DOJ’s Sandworm operation raises questions about how far feds can go to disarm botnets
The notion that citizens are protected from unreasonable search and seizure is a bedrock legal principle: A court must issue a search warrant before police can enter a private home and ransack it looking for evidence.
In what former prosecutors and legal experts call a landmark operation, the Department of Justice has now tested that principle to disrupt a Russian botnet that was spreading malware on a far-flung network of computers. Using so-called remote access techniques, law enforcement effectively broke into infected devices from afar to destroy what the U.S. government calls the “Cyclops Blink” botnet — and did so without the owners’ permission.
While the search warrant publicized by DOJ makes clear that this access did not allow the FBI to “search, view, or retrieve a victim device owner’s content or data,” legal experts say the case does raise questions about how far the government’s power should extend under a federal criminal procedure provision known as Rule 41.
The Kremlin-backed hackers responsible for the botnet — a group known to cybersecurity researchers as Sandworm — exploited a vulnerability in WatchGuard Technologies firewall devices to install malware on a network of compromised devices. By leveraging physical access to a subset of infected devices, the FBI said it was able to reverse engineer its way into accessing all of the botnet’s command and control devices.
The government’s use of a search warrant to gain such remote access to individual computers without notice to the owners relied on a 2016 amendment to Rule 41, a federal rule of criminal procedure. The culmination of a three-year deliberation process which included written comments and public testimony before the federal judiciary’s Advisory Committee on the Federal Rules of Criminal Procedure — a committee which includes judges, law professors, and attorneys in private practice — the 2016 amendment was ultimately adopted by the Supreme Court and approved by Congress.
While the amended rule has been used previously, legal experts say this case appears to be the most sweeping and high-profile application of the rule to date and is a notable example of federal prosecutors using it not just to investigate criminal activity but to disrupt it.
‘De facto cybersecurity regulators’
The 2016 change was designed to help the government more easily battle botnets and to support cybercrime investigations in situations like this one where the criminals’ locations are unknown, according to Scott Shackelford, a law professor and the director of the Ostrom Workshop Program on Cybersecurity and Internet Governance at Indiana University.
Shackelford said the revision to Rule 41 allows the FBI to access computers outside the jurisdiction of the court which issued the search warrant.
“This action highlights the precedent, and power, of courts becoming de facto cybersecurity regulators that can empower the Department of Justice to clean up large-scale deployments of malicious code,” Shackelford said via email.
Important and unresolved legal issues are embedded in this case, he said. For instance, he said, society will need to determine how to “balance private property rights against national security needs in cases like this.”
“Under this authority the FBI could hack into computers at will, and without the need for a specific search warrant,” Shackelford said. To date, there are no known examples of the government using the amended Rule 41 to break into remote computers without a search warrant, but in this case the search warrant the government obtained was used in multiple jurisdictions outside of the one which issued the warrant.
Shackelford added that he is “concerned about the precedent that this sets, both in the U.S., but also globally as other law enforcement agencies around the world might well mirror — and even go further — than what the FBI has done to date.”
The Department of Justice and FBI did answer emails seeking comment by press time.
In a press release announcing the operation, Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division said the “court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal.”
The Department of Justice’s actions to disrupt Cyclops Blink are also emblematic of the federal government’s increasing collaboration with the private sector to achieve dramatic results in a short period of time, according to Mark Bini, a lawyer at the firm Reed Smith who previously worked on cybercrime as a federal prosecutor.
“It is particularly interesting that this news comes out at the same time as Microsoft announcing, related to a separate incident, that it had taken control of and taken down seven internet domains linked to a Russian state sponsored hacking group,” Bini said via email. “All of this underscores how important the private sector will be with respect to the United States’ cyber defense, and suggests that we will see the Department of Justice working collaboratively with the private sector to turbo-charge its efforts to combat state-sponsored cyber-attacks.”
How much is too much?
There is some debate in legal circles around how far law enforcement can go when using remote access technology and how appropriate it is to leverage the tool to disrupt cybercrimes as opposed to investigate them, according to Christopher Painter, a former federal prosecutor who prosecuted several high-profile cybercrimes before becoming the top cyber diplomat at the State Department.
The case “reflects an overall change over the last 10 years at the Justice Department to not just focus on putting handcuffs on people, which is an important part of their job, but also to disrupt criminal activity,” Painter said.
The Justice Department announced a similar case last April, when the agency publicized what it said in a press release was a “court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States.” Hackers in that case exploited zero-day vulnerabilities in Microsoft Exchange Server software to implant code that could enable remote administration and allow continued access. Microsoft alleged that a state-sponsored cyber-espionage group based in China — which it called Hafnium — was responsible.
In that operation, the Department of Justice said the FBI disrupted the attack “by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”
Shoba Pillay, a former federal cybercrimes prosecutor who is co-chair of the data privacy and cybersecurity practice at the law firm Jenner & Block, said the latest DOJ action is “unique because of the breadth and scope” of the operation. Other botnet takedowns were not as sweeping as this one, but Pillay said the Department of Justice has used them to disrupt Sandworm attacks in the recent past.
While some have raised privacy concerns about federal operations like this one, Pillay said that because the government obtained a court-authorized search warrant she sees that as a non-issue. The bigger question is whether the government should be permitted to trespass into private computers and delete things without notice to the owner. Pillay said that while she has heard of no “pushback or risks” from prior botnet takedowns, there are outstanding questions about how targeted such operations should be.
“Is it a bridge too far for the government to be going into private computers and deleting things?” Pillay asked. “Does the government feel comfortable that what they’re doing is controlled, and not otherwise impacting each individual system?”
Ultimately, Pillay said, she finds it helpful to use a framework she read in the New York University School of Law publication Just Security to think about the legal case for operations like this one, particularly in light of the Department of Justice’s charge to protect public safety.
The author of that article, April Falcon Doss, used an analogy to how the FBI would react if bombs were planted on private property across multiple states.
“[If] those bombs are armed and could go off at any time, the FBI is going to take swift action to find and neutralize those devices — especially if it’s difficult for property owners to detect them,” Doss wrote. “In exigent circumstances like these, law enforcement would be justified in entering directly onto the private property in order to neutralize the bombs and seize the evidence. The nature of this remote access malware is, from a cyber threat perspective, like an armed bomb.”
Corrected 4/11/22: to fix a misspelling of Scott Shackelford’s name.