H-ISAC Weekly Blog — Hacking Healthcare — TLP White April 27, 2022

TLP:WHITE


This week, Hacking Healthcare examines how a United States law enforcement agency was given legal backing to remotely access private devices to cleanse malware. This operation raises interesting legal questions as well as concerns over the potential for accidental harm. Then, we provide thoughts on how the United States government’s attempts at public-private collaboration keep falling short. Welcome back to Hacking Healthcare.

FBI Removal of Malware Draws Scrutiny

News that the Federal Bureau of Investigation (FBI) had disrupted a botnet linked to the Russian government’s intelligence service sounds like it should be unequivocally good news for everyone but the Russian government. However, the manner in which the operation occurred has raised some concerns and has highlighted a larger discussion about how cybersecurity, geopolitics, and the law are intertwined.

On April 6, the U.S. Department of Justice (DOJ) issued a press release titled Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU).[1] The posting announced that a court-authorized operation had been conducted several weeks earlier to “disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm.”[2] Sandworm, a well-known threat actor, has previously been linked to Russia, with the United States government attributing it to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).[3]

To briefly recap, several weeks prior to the operation, the United Kingdom’s National Cyber Security Centre (NCSC), the United States’ Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) released a public joint advisory warning of Sandworm’s use of Cyclops Blink malware.[4] The advisory included technical details, mitigations, indicators of compromise, and other guidance in a call for action. Furthermore, affected device manufacturers released their own guidance and detection and remediation tools.[5], [6] In addition, the DOJ stated that it had “been attempting to provide notice to owners of infected WatchGuard devices in the United States and, through foreign law enforcement partners, abroad,” including “[providing] notice to the owners of the domestic C2 devices from which the FBI copied and removed the Cyclops Blink malware.”[7]

Despite this, according to the DOJ, by mid-March the majority of “originally compromised devices” remained infected, and it is here that the FBI appears to have undertaken a court-authorized operation to disrupt the botnet. The operation consisted of the FBI “[copying] and [removing] malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet.”[8] This action effectively cut off the thousands of infected devices from being reached.

The malware and associated botnet were described as a national security threat by U.S. Attorney Cindy K. Chung for the Western District of Pennsylvania, and the operation was hailed by the FBI as “an example of the FBI’s commitment to combatting cyber threats through our unique authorities, capabilities, and coordination with our partners.”[9]

Needing Both Parts in Public-Private Partnership

In early April, the United States House of Representatives’ Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation held a hearing on “Maturing Public-Private Partnerships to Secure U.S. Infrastructure.” The stated purpose of the hearing was to “assess Federal efforts to mature collaboration with critical infrastructure owners and operators as they work to defend their networks and build resilience,” and to “focus on identifying gaps in existing Federal authorities, opportunities to enhance operational collaboration with key private sector partners, and lessons learned from past efforts to prioritize and secure our nation’s most critical, systemically important assets and systems.”[10] From the government side, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the National Cyber Director (ONCD), and the U.S. Government Accountability Office (GAO) were all present.

Notably absent was the participation of any members of the private sector.


  1. https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation
  2. https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation
  3. https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation
  4. https://www.cisa.gov/uscert/ncas/alerts/aa22-054a
  5. https://detection.watchguard.com/
  6. https://www.asus.com/content/ASUS-Product-Security-Advisory/
  7. https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation
  8. https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation
  9. https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-botnet-controlled-russian-federation
  10. https://homeland.house.gov/news/media-advisories/tomorrow_10am-cybersecurity-hearing-on-maturing-public-private-partnerships-to-secure-us-infrastructure
