FBI, DOJ defend ‘offensive’ actions against Chinese, Russian operations

Representatives from the Justice Department and FBI defended offensive cyber operations taken over the last two years against Chinese and Russian government hacking campaigns after critics questioned the privacy implications of government agencies unilaterally going into devices to remove malware.

Adam Hickey, deputy assistant attorney general at the Justice Department, and Bryan Vorndran, assistant director of the cyber division at the FBI, told an audience at the Billington Cybersecurity conference this week that the agencies were justified in the actions taken to stop the Hafnium campaign by Chinese state actors and the Cyclops Blink operation by Russian army hackers.

Both operations involved warrants that allowed government agents to go into devices and remove malware installed by hackers from both countries. 

“The Bureau and DOJ [have] been criticized publicly about those actions because it's an overstep of privacy, but I think it's important to understand what's behind them,” Vorndran said. “In all these scenarios, we published multiple cybersecurity advisories in tandem with the mitigation and remediation guidance from the affected vendor.”

Vorndran explained that in the case of Hafnium, government agents went into base infrastructure, which includes servers and computers. For Cyclops Blink, government agents had to go into edge routers and surgically remove malware planted by Russian state-backed groups. 

He said the government took these actions as a last resort following several other efforts that came before it. After publishing advisories about the issues, Vorndran said the FBI saw an immediate, exponential drop in terms of potential victims. 

From there, the FBI specifically went to victims to notify them that some of their systems or devices were affected. For Hafnium, this involved thousands of victims and for Cyclops Blink, it was hundreds, according to Vorndran. 

Those actions brought the number of victims in both cases down to about 7%-9% of original victims infected with the malware, he explained

“At that point, it's really important that we remove the attack surface from Hafnium in China, and from Cyclops Blink, from Russia’s GRU, simultaneously. And so we made the decision through the Rule 41’s search and seizure process to take that action,” he said. 

“But understand, when we take that action, our work does not touch anything on the victim's computer server infrastructure besides that malware. That malware is essentially surgically copied for evidence and then removed, which breaks the communication back to the adversary.”

'Operations of last resort'

The Department of Justice announced the action against Hafnium in April 2021, explaining that a U.S. judge granted the FBI the authority to log into web shells planted by hackers on Exchange email servers across the U.S. and remove the malware as part of a mass-uninstall operation.

The web shells had been planted on Exchange servers by Chinese state-sponsored threat actors in a hacking campaign that took place through January and February 2021.

Multiple Chinese threat actors abused a quartet of security flaws — also commonly known as ProxyLogon — to take over Microsoft Exchange email servers, where they installed a web shell as a backdoor mechanism into corporate and government networks.

Almost exactly one year later, U.S. Attorney General Merrick Garland announced that officials disrupted Cyclops Blink, a global botnet of thousands of infected devices allegedly controlled by the Russian military. 

Assistant Attorney General Matthew Olsen said U.S. officials worked with law enforcement in the United Kingdom and network security company WatchGuard to analyze the malware and develop detection and remediation tools. 

Hickey acknowledged that the government “touching” an innocent, privately owned computer is a serious matter with significant implications. But he noted that there are circumstances where the government has to take action in an effort to “protect public safety.

He compared it to actions government officials may take in going on to an innocent person’s land to collect contraband or rescue a kidnapped person. 

Privacy “is an important gating consideration but it can’t be the final answer as to whether we take an action or not,” he explained. 

“These operations are operations of last resort. We tend to use them when merely sharing information with the private sector or public isn't enough to help people clean up the malware on their computers,” Hickey said. “We tend to use them when there's a need for simultaneity. If we tried to knock on every door of every infected person, the adversary would simply learn what we were up to and they would retool and we would lose the opportunity to protect public safety.”

They also work with vendors to make sure there will not be any collateral consequences of their actions, Hickey added. 

A new realm

The Justice Department typically gets a search warrant, which requires them to lay out probable cause to a judge about how the malware functions and how a disruptive action would help the situation. 

The affidavit typically becomes public, according to Hickey, so “there is transparency about what we did and how we did it.”

“Individual computer owners are notified, either from us or through their ISP. So that's how we try to balance the need for privacy and respect for individual rights with the broader need to protect public safety,” he said.  

Both Hickey and Vorndran said in both Hafnium and Cyclops Blink, victims are often not aware or not able to identify the exact device or router in order to take action themselves.

“There was an explanation for why you see the leveling off of self-remediation. And in both cases, you've got pernicious state actors who pose a greater than the average threat,” Hickey said.

They noted that it was difficult for some victims in both cases to get below the MSP or ISP level, prompting the government to take proactive measures. 

In both cases, Hickey said the Justice Department had reason to believe why an individual victim could find it difficult to locate the malware.”

Vorndran added that these actions are a new realm for the FBI and DOJ.

“It's been cultural evolution for the FBI over the past two years about moving away from traditional, rule of law decisions and into the space of proactive operations, putting pressure on the threat,” he said.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.