URL: https://www.cyberscoop.com/dojs-sandworm-operation-raises-questions-about-how-far-the-feds-can-go-to-disarm-botnets/
Submission: On April 14 via api from IN — Scanned from DE
DOJ's Sandworm operation raises questions about how far feds can go to disarm botnets

FBI Director Christopher Wray speaks during a press conference at the U.S. Justice Department on April 6, 2022, announcing the Sandworm operation. (Photo by Anna Moneymaker/Getty Images)

Written by Suzanne Smalley, Apr 8, 2022 | CyberScoop

The notion that citizens are protected from unreasonable search and seizure is a bedrock legal principle: A court must issue a search warrant before police can enter a private home and ransack it looking for evidence.

In what former prosecutors and legal experts call a landmark operation, the Department of Justice has now tested that principle to disrupt a Russian botnet that was spreading malware on a far-flung network of computers.

Using so-called remote access techniques, law enforcement effectively broke into infected devices from afar to destroy what the U.S. government calls the “Cyclops Blink” botnet — and did so without the owners’ permission.

While the search warrant publicized by DOJ makes clear that this access did not allow the FBI to “search, view, or retrieve a victim device owner’s content or data,” legal experts say the case does raise questions about how far the government’s power should extend under a federal criminal procedure provision known as Rule 41.

The Kremlin-backed hackers responsible for the botnet — a group known to cybersecurity researchers as Sandworm — exploited a vulnerability in WatchGuard Technologies firewall devices to install malware on a network of compromised devices.

By leveraging physical access to a subset of infected devices, the FBI said it was able to reverse engineer its way into accessing all of the botnet’s command and control devices.

The government’s use of a search warrant to gain such remote access to individual computers without notice to the owners relied on a 2016 amendment to Rule 41, a federal rule of criminal procedure.

The culmination of a three-year deliberation process which included written comments and public testimony before the federal judiciary’s Advisory Committee on the Federal Rules of Criminal Procedure — a committee which includes judges, law professors, and attorneys in private practice — the 2016 amendment was ultimately adopted by the Supreme Court and approved by Congress.

While the amended rule has been used previously, legal experts say this case appears to be the most sweeping and high-profile application of the rule to date and is a notable example of federal prosecutors using it not just to investigate criminal activity but to disrupt it.

‘De facto cybersecurity regulators’

The 2016 change was designed to help the government more easily battle botnets and to support cybercrime investigations in situations like this one where the criminals’ locations are unknown, according to Scott Shackelford, a law professor and the director of the Ostrom Workshop Program on Cybersecurity and Internet Governance at Indiana University.

Shackelford said the revision to Rule 41 allows the FBI to access computers outside the jurisdiction of the court which issued the search warrant.

“This action highlights the precedent, and power, of courts becoming de facto cybersecurity regulators that can empower the Department of Justice to clean up large-scale deployments of malicious code,” Shackelford said via email.

Important and unresolved legal issues are embedded in this case, he said. For instance, he said, society will need to determine how to “balance private property rights against national security needs in cases like this.”

“Under this authority the FBI could hack into computers at will, and without the need for a specific search warrant,” Shackelford said.

To date, there are no known examples of the government using the amended Rule 41 to break into remote computers without a search warrant, but in this case the search warrant the government obtained was used in multiple jurisdictions outside of the one which issued the warrant.

Shackelford added that he is “concerned about the precedent that this sets, both in the U.S., but also globally as other law enforcement agencies around the world might well mirror — and even go further — than what the FBI has done to date.”

The Department of Justice and FBI did answer emails seeking comment by press time.

In a press release announcing the operation, Assistant Attorney General Matthew Olsen of the Justice Department’s National Security Division said the “court-authorized removal of malware deployed by the Russian GRU demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at our disposal.”

> “Under this authority the FBI could hack into computers at will, and without the need for a specific search warrant.”
>
> — Scott Shackelford, law professor, Indiana University

The Department of Justice’s actions to disrupt Cyclops Blink are also emblematic of the federal government’s increasing collaboration with the private sector to achieve dramatic results in a short period of time, according to Mark Bini, a lawyer at the firm Reed Smith who previously worked on cybercrime as a federal prosecutor.

“It is particularly interesting that this news comes out at the same time as Microsoft announcing, related to a separate incident, that it had taken control of and taken down seven internet domains linked to a Russian state sponsored hacking group,” Bini said via email. “All of this underscores how important the private sector will be with respect to the United States’ cyber defense, and suggests that we will see the Department of Justice working collaboratively with the private sector to turbo-charge its efforts to combat state-sponsored cyber-attacks.”

How much is too much?

There is some debate in legal circles around how far law enforcement can go when using remote access technology and how appropriate it is to leverage the tool to disrupt cybercrimes as opposed to investigate them, according to Christopher Painter, a former federal prosecutor who prosecuted several high-profile cybercrimes before becoming the top cyber diplomat at the State Department.

The case “reflects an overall change over the last 10 years at the Justice Department to not just focus on putting handcuffs on people, which is an important part of their job, but also to disrupt criminal activity,” Painter said.

The Justice Department announced a similar case last April, when the agency publicized what it said in a press release was a “court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable computers in the United States.” Hackers in that case exploited zero-day vulnerabilities in Microsoft Exchange Server software to implant code that could enable remote administration and allow continued access. Microsoft alleged that a state-sponsored cyber-espionage group based in China — which it called Hafnium — was responsible.

In that operation, the Department of Justice said the FBI disrupted the attack “by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).”

Shoba Pillay, a former federal cybercrimes prosecutor who is co-chair of the data privacy and cybersecurity practice at the law firm Jenner & Block, said the latest DOJ action is “unique because of the breadth and scope” of the operation.

Other botnet takedowns were not as sweeping as this one, but Pillay said the Department of Justice has used them to disrupt Sandworm attacks in the recent past.

While some have raised privacy concerns about federal operations like this one, Pillay said that because the government obtained a court-authorized search warrant she sees that as a non-issue. The bigger question is whether the government should be permitted to trespass into private computers and delete things without notice to the owner.

Pillay said that while she has heard of no “pushback or risks” from prior botnet takedowns, there are outstanding questions about how targeted such operations should be.

“Is it a bridge too far for the government to be going into private computers and deleting things?” Pillay asked. “Does the government feel comfortable that what they’re doing is controlled, and not otherwise impacting each individual system?”

Ultimately, Pillay said, she finds it helpful to use a framework she read in the New York University School of Law publication Just Security to think about the legal case for operations like this one, particularly in light of the Department of Justice’s charge to protect public safety.

The author of that article, April Falcon Doss, used an analogy to how the FBI would react if bombs were planted on private property across multiple states.

“[If] those bombs are armed and could go off at any time, the FBI is going to take swift action to find and neutralize those devices — especially if it’s difficult for property owners to detect them,” Doss wrote. “In exigent circumstances like these, law enforcement would be justified in entering directly onto the private property in order to neutralize the bombs and seize the evidence. The nature of this remote access malware is, from a cyber threat perspective, like an armed bomb.”

Corrected 4/11/22: to fix a misspelling of Scott Shackelford’s name.