The Justice Department Broke into American Corporate Networks, Without Permission, to Preempt A Russian Botnet Attack on Critical Services
Posted 17 May at 11:39 pm in Security
In early April of 2022, the Department of Justice (DoJ) publicly disclosed that they secretly removed various malware and malicious software from thousands of computer networks worldwide. Attorney General Merrick B. Garland announced that this court-authorized operation took place throughout March 2022 in an effort to preemptively counteract Russian cyberattacks and make a statement toward the Russian Federation’s Main Intelligence Directorate (GRU).
The malware in question
The operation copied and then removed malware from vulnerable internet-connected firewall devices that Sandworm, a cyber-military unit of the GRU, uses for command and control (C2) of botnets. Although the DoJ’s actions did not involve accessing Sandworm’s malware inside the victims’ devices, the Department of Justice disabled the command and control mechanisms that give Sandworm control of those devices, referred to as “bots.”
The United States suspects that Russia may attack American corporate infrastructure in response to heavy sanctions the U.S. imposed on Moscow as a result of the war in Ukraine.
It remains unclear what the malware’s purpose was, but experts say the botnet could have been used for everything from conventional surveillance to city-wide cyberattacks. Officials involved in the strike state that the United States, in tandem with several other governments around the world, did not want to wait around to find out how the malware could be used against them.
Hackers build a botnet primarily through phishing scams that implant malware on users’ computers, where it lies dormant until the attackers wish to use it. Preventing bot attacks is slightly different from other forms of malware protection.
Malicious groups of computers can be difficult to detect, and as for users, there is no concrete way to tell whether your computer is part of a botnet without actively running updated antivirus software.
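Because an individual host gives few visible signs of bot infection, defenders usually look for it at the network edge instead: a bot must periodically check in with its C2 server, and those check-ins tend to arrive at strikingly regular intervals, unlike human browsing. The following script is an added example, not code from the article or from any agency or vendor it mentions. It assumes a simple constructed outbound-connection log format (`<epoch_seconds> <src_ip> <dst_ip> <dst_port>`, the kind a firewall or NetFlow collector could export) and flags source/destination pairs whose connection intervals are highly regular.

```python
"""Beaconing detector over constructed firewall connection logs.

Added example, not part of the original article. The log format below is
an assumption for illustration: one outbound connection per line as
    <epoch_seconds> <src_ip> <dst_ip> <dst_port>
A (src, dst, port) flow is flagged when it has at least `min_events`
connections and the coefficient of variation (stdev / mean) of the gaps
between them is at or below `max_cv`, i.e. the check-ins are near-periodic.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (documentation IP ranges, not real hosts):
# 10.0.0.5 contacts 203.0.113.7 every ~60 s, typical of a C2 check-in;
# 10.0.0.8 contacts 198.51.100.20 at irregular, human-looking intervals.
SAMPLE_LOG = """\
1650000000 10.0.0.5 203.0.113.7 443
1650000060 10.0.0.5 203.0.113.7 443
1650000121 10.0.0.5 203.0.113.7 443
1650000180 10.0.0.5 203.0.113.7 443
1650000241 10.0.0.5 203.0.113.7 443
1650000300 10.0.0.5 203.0.113.7 443
1650000005 10.0.0.8 198.51.100.20 443
1650000017 10.0.0.8 198.51.100.20 443
1650000190 10.0.0.8 198.51.100.20 443
1650000201 10.0.0.8 198.51.100.20 443
1650000820 10.0.0.8 198.51.100.20 443
1650000830 10.0.0.8 198.51.100.20 443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, port); timestamps are sorted."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(int(ts))
    for key in flows:
        flows[key].sort()
    return dict(flows)


def interval_stats(timestamps):
    """Return (mean gap, coefficient of variation) for consecutive events."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    # A zero mean (all events at the same instant) is not a beacon pattern.
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return m, cv


def find_beacons(text, min_events=5, max_cv=0.1):
    """Flag flows with >= min_events connections and interval CV <= max_cv."""
    results = []
    for (src, dst, port), ts in parse_log(text).items():
        if len(ts) < min_events:
            continue
        m, cv = interval_stats(ts)
        if cv <= max_cv:
            results.append({"src": src, "dst": dst, "port": port,
                            "events": len(ts),
                            "mean_interval": round(m, 1),
                            "cv": round(cv, 3)})
    return results


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)  # only the 10.0.0.5 -> 203.0.113.7 flow is reported
```

Run against the embedded sample, the detector reports the 10.0.0.5 flow (six connections, mean gap 60 s, CV about 0.015) and ignores the irregular 10.0.0.8 traffic. In practice the thresholds need tuning per environment, and legitimate software updaters and monitoring agents also beacon, so a hit is a lead to investigate (which process opened the connection, whether the destination is known) rather than a verdict on its own.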
The politics surrounding the initiative
The court order equipped the F.B.I with the power to dive into national corporate networks to remove malware, with or without the company’s knowledge. Special Agent Mike Nordwall of the F.B.I stated, “The FBI prides itself on working closely with our law enforcement and private sector partners to expose criminals who hide behind their computers and launch attacks that threaten Americans’ safety, security, and confidence in our digitally connected world.”
Attorney General Olsen stated that the botnet removal “demonstrates the department’s commitment to disrupt nation-state hacking using all of the legal tools at their disposal.”
Investigators suspect that the Russian hackers have persistently attempted to access and control computer networks in the international energy sector. These claims are backed by several phases of historical Russian hacks, such as when the Russian Federal Security Service (FSB) successfully installed malware on over 17,000 devices around the world, primarily those owned by power and energy companies.
Another phase involved calculated spearphishing attacks against over 300 high-profile individuals across more than 500 companies like the Nuclear Regulatory Commission and others around the world.
The importance of the court orders
While many view the Department of Justice’s initiative as an act of preliminary defense, others view it as another breach of privacy, security, and even an act of hypocrisy.
While internet and network attacks are nothing new for the United States, some question the government’s standing to hack into corporate systems in order to prevent attacks such as botnet or ransomware scams. Several cybersecurity professionals and prominent consumers have pointed out that companies and individuals should be responsible for upholding their own virtual security, and that a government accessing companies’ data without permission first is no better than the Russian hackers.
Other industry experts concede that the government acted not only out of concern for the companies’ security but because of the hackers’ potential to cause mass harm across the nation and other countries. Given the political climate and Sandworm’s history, many cybersecurity analysts and investigators think that the court orders were justified and serve as a reminder to potentially unaware or ill-prepared entities that they are never safe in cyberspace.
The significance of the court orders is a global reminder of where the moral and legal lines lie in cyberspace. As the world grows increasingly reliant on virtual integrity, and some governments struggle to keep up with the information technology revolution, these conversations are critical to strengthening our online defenses moving forward. Where do you stand?