Lethargy is perhaps the most dangerous weapon for hackers.
Expired passwords, applications that are no longer supported, employees that do not prioritize multi factor authentication, networks with antiquated frameworks and tools for cybersecurity… all of these are examples of lethargy on the part of good actors, which makes it easy for bad actors to make a living.
That is why, ultimately, the FBI took matters into its own hands and forcibly removed an entire Russian botnet from thousands of computers without the awareness of their owners.
How Did the FBI Protect Thousands of Computers without Permission?
In April, 2022, the FBI proactively disrupted a Russian botnet by removing malware called Cyclops Blink.
What is a botnet?
A botnet is essentially a multitude of hacked computers. Each computer in a botnet is controlled by a piece of malware that has been installed, usually without the owner’s awareness or authority. This malware allows the computers in a botnet to be tasked by malicious actors and perform any numbers of actions. For example, at the hacker’s command, each computer will request the same web address. When thousands of computers perform the same request, they can overload unprotected web servers and crash them in a Distributed Denial of Service (DDoS) attack. This is only one example. Botnets perform a variety of other actions to gain leverage and destabilize a large network.
The FBI investigation of Cyclops Blink
Cyclops Blink had been under investigation for months by US and UK cyberdefense authorities and had been attributed to a notorious Russian military intelligence agency, codename “Sandworm.” Cyclops Blink infected devices made only by WatchGuard Technologies and ASUS. Then the malware granted remote access for certain actions on these machines, enabling Sandworm to transfer or delete data on the compromised systems, or send requests to a third party, as they would do in case of a DDoS attack.
The FBI worked closely with WatchGuard during its investigation. Initially, officials attempted to subvert Cyclops Blink with an awareness campaign. They attempted to tell owners about the malware on their systems and how they could remove it. However, less than 1 out of 2 machine owners took the actions necessary to clean their machines.
Since the awareness campaign was ineffective, the FBI requested a warrant to remove the malware by a forced update.
“We removed malware from devices used by thousands of mostly small businesses for network security all over the world. We shut the door the Russians had used to get into them.”
— Chris Wray, FBI Director
How Was This Possible?
The move heralds back to a unanimously approved Congressional amendment to Rule 41. The amendment became effective on December 1, 2016 and provided two important exclusions to how judges can approve investigatory and defensive measures by federal agencies.
These amendments remove antiquated legal blocks to receiving a warrant in cases where the location of the cybercriminal is hidden or spans multiple areas. First, it allows agencies to receive warrants to crimes even when they do not yet know the general location of the perpetrator. This exception has already proven critical in cases of child pornography rings, leading to rightful seizure and prosecution of criminals.
The second exception allows agencies to receive general warrants covering larger jurisdictions when crimes span multiple areas, as is often the case in Internet crimes. Prior to 2016, the FBI would have been forced to request dozens of warrants to remove Cyclops Blink, which would have made any defensive measures too impractical for them to succeed.
A Win, and a Takeaway for IT Leaders
There is a lot to think about when we consider Cyclops Blink. Device owners might be grateful; they might be outraged. The fact is: Most users live completely unaware of how easily their information could be surveilled or stolen. Perhaps they want it that way. The FBI took the necessary steps to protect National Security, and only when it was clear that the malware would need to be forcibly removed did the agency take steps to forcibly remove it.
For the same reason, business IT leaders must also do their best to inform users of the right actions they can take to protect themselves, but at the same time automated tests and processes must be put into place. These mitigate the effective lethargy that hackers can use against the network.
If you have any questions about how to protect your business infrastructure, please email firstname.lastname@example.org.