DOJ Takes Down Russian Botnet

Privacy Plus+

Privacy, Technology and Perspective

DOJ Takes Down Russian Botnet. On April 6th, the U.S. Department of Justice (DOJ) announced that it disrupted a botnet controlled by the Russian Federation’s Main Intelligence Directorate (GRU).  What’s notable is how the operation unfolded—in effect, the FBI had to intervene because the owners of the affected devices had failed to patch a known vulnerability.

But let’s start by taking a step back:

What’s a botnet?  A “bot” is generally a computer that has been infected with malicious software, also known as malware, that causes the device to fall under the command and control (C2) of a remote administrator, known as a “botmaster.”  Using C2 servers, the botmaster can remotely direct the compromised computers that make up the botnet.  Hence, a “botnet” is a collection of computers compromised by such malware and controlled across a network.

Once a botnet is activated, it can be used for malicious purposes, such as distributed denial of service (DDoS) attacks, malware distribution, intelligence collection, and attacks on Internet-connected critical infrastructure. Because botnets are often not detected, they can operate for years.

Taking Down “Cyclops Blink.”  In February, the Federal Bureau of Investigation (FBI), the UK National Cyber Security Centre, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) issued a joint advisory about the Cyclops Blink botnet malware, a link to which follows:

https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf

Cyclops Blink had been deployed by the GRU on network devices worldwide, primarily by exploiting vulnerabilities in WatchGuard firewall devices.  Although WatchGuard (in coordination with the FBI and others) released a patch for one of the vulnerabilities, successful remediation through patching required device owners to make manual updates to their devices.  Later, when the FBI determined that many victims likely lacked the technical ability to remediate their devices, the DOJ stepped in.

The DOJ applied to courts in Pennsylvania and California for criminal seizure warrants, which were granted.  The extraordinary scope of the orders is worth noting.  The courts allowed the FBI not only to hack 26 C2 devices, both in the United States and overseas, but also to hack the “victim network devices” in the United States. The courts also permitted the FBI to log the serial numbers of the devices, remove the malware, and reconfigure the devices’ firewall rules to block remote access to the management interface in order to prevent the botmaster from re-establishing its control of the devices. In the interest of transparency, the courts additionally ordered the FBI to provide notice to the victims and the public after the warrants were executed.

A link to the DOJ’s announcement about the operation follows:

https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation

The background of Cyclops Blink and a more detailed explanation are contained in a redacted version of an affidavit filed in the Western District of Pennsylvania in support of the FBI’s warrant application. It is available by clicking on the following link:

https://www.justice.gov/opa/press-release/file/1491286/download

Other Use of Court-Authorized Operations to Disrupt Cyberthreats. This is not the first time courts have allowed the FBI to remove malware using the criminal seizure process.  Last year, the DOJ obtained an order to remove malicious web shells from computers running Microsoft Exchange Server software.  A link to the DOJ’s announcement about that operation follows:

https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft-exchange

Lesson to be Drawn: Adhere to your organization’s Patch Management Policy.  We live in a time of state-sponsored sabotage, using unwitting owners’ computers. Especially where the threat of botnets also poses national security threats, every organization should adhere to a patch management policy and procedure for patching known vulnerabilities.  At a minimum, such policy and procedure should include the following:

  • An asset inventory;

  • Assignment of patch management roles;

  • Creation of a patching schedule (i.e., patching within 24 hours of notification of a vulnerability);

  • Use of patch management software to help automate the patching process; and

  • Documentation of the patching process.

In short, keep up with the news, and patch early and often.  Automate that process as much as possible. And don’t wait to be notified that the FBI has patched for you.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
