UPDATES TO Chapter 14
Self-Protective Measures
UPDATES TO THE SECOND EDITION
14.2 Information Sharing
In March 2024, the Department of Defense finalized revisions to the eligibility criteria for its voluntary Defense Industrial Base (DIB) Cybersecurity Program. 89 Fed. Reg. 17741 (Mar. 12, 2024), amending 32 C.F.R. part 236. Under the program, first established in 2012, the DoD provides cyber threat information to defense contractors to help them defend their networks. The revisions expanded eligibility to participate in the program to all defense contractors that own or operate an unclassified information system that processes, stores, or transmits covered defense information—that is, to all contractors subject to DFARS 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The baseline information shared is unclassified. As before the revisions, defense contractors meeting the additional eligibility requirements can access and receive classified information electronically. See 32 C.F.R. § 236.7. With the changes to the eligibility criteria, an estimated additional 68,000 defense contractors will be eligible to participate in the voluntary DIB program.
The March 2024 revisions also changed the process for cyber incident reporting required of all defense contractors. To submit incident reports, the amendment requires contractors to complete the identity proofing and registration required to obtain a Procurement Integrated Enterprise Environment (PIEE) account. Contractors are encouraged to voluntarily report other cyber threat indicators.
14.8 DOJ Removal of Malware from Privately‑Owned Computers
The Department of Justice took Rule 41 to a new level in December 2023 when it disrupted a botnet under the control of a People’s Republic of China (PRC) state-sponsored hacking group known as Volt Typhoon. The hackers had hijacked hundreds of U.S.-based small office/home office routers in support of further hacking activities directed against U.S. and other foreign victims, including critical infrastructure organizations. As in prior operations, the warrant authorized the FBI to use the botnet’s own functionality to send messages to, and thereby obtain identifying information from, the infected routers. Also as in earlier operations, it then authorized the FBI to delete the Volt Typhoon malware from infected routers. But, in what may have been a first, the warrant authorized the FBI to make changes to the routers to block their connections to the botnet and to prevent their reinfection.
________________________________________________________________
ARCHIVED UPDATES TO THE FIRST EDITION (last updated December 10, 2021), INCORPORATED INTO THE SECOND EDITION
14.7 Domain Name Seizures and IP Address Blocking
On December 6, 2021, Microsoft announced that it had obtained a court order to seize websites used by a China-based hacking group call Nickel to attack organizations in the United States and 28 other countries. The court order directed domain name registries Verisign and Public Interest Registry to give Microsoft control over domain names Nickel was using (and thus control over traffic to and from the servers associated with those domain names), enabling Microsoft to cut off Nickel’s access to its victims and prevent the websites from being used to execute attacks. The complaint, like others filed by Microsoft in similar cases, asserted eight claims for relief: (1) Computer Fraud and Abuse Act, 18 U.S.C. § 1030; (2) Electronic Communications Privacy Act, 18 U.S.C. § 2701; (3) trademark infringement under the Lanham Act, 15 U.S.C. § 1114 et seq.; (4) false designation of origin under the Lanham Act, 15 U.S.C. § 1125(a); (5) trademark dilution under the Lanham Act, 15 U.S.C. § 1125(c); (6) common law trespass to chattels; (7) unjust enrichment; (8) conversion; and (9) intentional interference with contractual relationships. The case is significant in that Nickel is controlled by the Chinese government and its targets included diplomatic missions and government employees. So a private company used the U.S. courts to disrupt the espionage activities of a foreign government. Microsoft said this was the fifth lawsuit it had brought to disrupt the activities of nation-state actors.
[New subchapter:] 14.8 DOJ Removal of Malware from Privately-Owned Computers
In April 2021, the U.S. government crossed a Rubicon, remotely entering privately-owned computers of entities not suspected of any wrongdoing and deleting malware from those computers, with at most only after-the-fact notice of its actions. To reach into and alter the computers of innocent victims, the Justice Department invoked the Computer Fraud and Abuse Act and the warrant procedures of Rule 41 of the Federal Rules of Criminal Procedures.
The action came in response to a campaign, begun in January 2021, by state-sponsored hackers known as Hafnium operating out of China who exploited zero-day vulnerabilities in the Microsoft Exchange Server software to access e-mail accounts and place onto victimized computers web shells for continued access.[1] (Web shells are pieces of code or scripts that enable remote administration). Microsoft issued a patch, and many infected system owners successfully removed the web shells from their computers, but others appeared unable to do so, and hundreds of such web shells persisted unmitigated, enabling persistent and escalated access. In the April 2021 action, the FBI accessed the infected computers, with a search warrant, effectively taking them over for this purpose, and used the malicious web shell to issue a command to its server, which was designed to cause the server to delete only the web shell. The operation did not patch any Microsoft Exchange Server zero-day vulnerabilities on the targeted computers nor did it search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.
It has long been recognized that the DoJ has the authority under a warrant issued pursuant to Rule 41 to remotely and surreptitiously access computers to conduct a search. See, for example, United States v. Scarfo, 180 F. Supp. 2d 572, 574 (D.N.J. 2001). Rule 41(b)(6)(B) provides that a single judge may issue nationwide warrants:
a magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if:
…
(B) in an investigation of a violation of 18 U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.
The DoJ theory is that the planting of the web shells constituted a violation of the CFAA, specifically Sections 1030(a)(5)(A) and 1030(e)(2)(B), and the conspiracy statute, 18 U.S.C. 371. The warrant the government obtained authorized the use of remote access techniques to search the infected computers identified by the unique paths associated with each shell and to seize and copy from those computers the web shells (which were being used to communicate with the victim computers and to infect them with malware), as evidence and/or instrumentalities of the computer fraud and conspiracy in violation of Title 18, United States Code, Sections 1030(a)(2) (theft from a protected computer), 1030(a)(5)(A) (damage to a protected computer), and 371 (conspiracy). The warrant authorized the use of remote access techniques to access the web shells and issue commands through the web shells to the software running on infected computers to delete the web shells themselves.
The FBI for quite some time has used search warrants to plant on suspects’ computers software that then communicates with the government, essentially remotely commandeering the computer to disclose information to the government. (Normally, the information sought is information identifying the computer and its IP address, often in order to then physically locate the computer so that it can be physically seized and searched.) This process has come to be known as a Network Investigative Technique (NIT). See Susan Hennessey and Nicholas Weaver, A Judicial Framework for Evaluating Network Investigative Techniques, Lawfare (July 28, 2016); United States v. Henderson, 906 F.3d 1109 (9th Cir. 2018); Third Amended Application for a Search Warrant, In re Matter of the Search of Network Investigative Technique (NIT) for E-mail Address texan.slayer@yahoo.com, No. 1:12-sw-05685-KMT, at 1 (D. Col. Dec. 11, 2012).
In 2016, Rule 41 was amended to add subdivision (b)(6), authorizing federal magistrate judges in a district where activities related to a crime may have occurred to issue a warrant to use remote access to search electronic storage media and seize or copy electronically stored information even when that media is located outside of the district. Subparagraph (b)(6)(B) allows a warrant to use remote access within or outside the district in an investigation of a violation of 18 U.S.C. § 1030(a)(5) if the media to be searched are protected computers that have been damaged without authorization, and they are located in many districts.
[1] DOJ Press Release, Justice Department Announces Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities (Apr. 13, 2021). See Search and Seizure Warrant, Application, and related documents, In re Application for a Warrant to Search Certain Microsoft Exchange Servers Infected with Web Shells, Case No. 4:21mJ755 (S.D. Tex. Apr. 9, 2021).
Last updated: April 9, 2024.
Photo: “The Allegory of Good Government," by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.