The Business & Technology Network
Helping Business Interpret and Use Technology

US Gov’t Again Hacks Thousands Of Computers To Thwart Foreign Gov’t Hackers Who Hacked Thousands Of Computers

Tags: new
DATE POSTED: January 30, 2025

It’s not the first time. It certainly won’t be the last. But every time, we’re expected to hang back and assume the FBI is on the right side of history.

Something the FBI has tried a couple of times previously is back in the news: the remote access of thousands of computers containing foreign spyware for the purpose of dismantling botnets and/or thwarting foreign access to US-based devices.

The first attempt was made more than a half-decade ago, right after federal law (specifically Rule 41 of the Federal Rules of Criminal Procedure) was altered to allow the feds to ignore jurisdictional limitations when crafting warrants. This issue presented itself during the FBI’s “Playpen” investigation — one in which it took over a server hosting CSAM and kept it running while it deployed its remote access tool to visitors’ computers, forcing their devices to give up identifying info, including where these devices might be located (IP addresses, in other words).

A single warrant obtained in Virginia resulted in the FBI accessing computers all over the nation (and all over the world). While this raised constitutional questions, most courts were fine with this because, well, the defendants were just people facing CSAM-related charges. The Rule 41 alterations codified the FBI’s previous abuse of the legal process.

Now, with a single warrant, the FBI can access computers anywhere in the US. Which it has. Multiple times. The incidents the FBI actually wants to talk about publicly involve rooting out botnets and thwarting malware deployed by hostile state actors. In addition to nuking malware servers, the warrants also allowed FBI agents to pull identifying information from targeted users, including IP addresses and routing info, supposedly for the sole reason of confirming the infections had been removed and the targeted computers were no longer communicating with malware “administrators.”

It has happened again, as Emma Roth reports for The Verge:

The FBI hacked about 4,200 computers across the US as part of an operation to find and delete PlugX, a malware used by state-backed hackers in China to steal information from victims, the Department of Justice announced on Tuesday.

In an unsealed affidavit, the FBI says the China-based hacking group known by the monikers “Mustang Panda” and “Twill Typhoon” used PlugX to infect thousands of Windows computers in the US, Asia, and Europe since at least 2012. The malware, which infects computers through their USB ports, operates in the background while allowing hackers to “remotely access and execute commands” on victims’ computers.

It worked like this. The FBI gained access to the command-and-control server, obtained a list of IP addresses of infected computers, and sent its own command to those devices to end the malware’s operation and delete the malware when the operation was finished. As in the earlier cases, users whose computers were accessed remotely by the FBI were not notified of this action.

All’s well that ends well, I guess. But we perhaps should offer only the most cautious of applause for this anti-malware action. While it’s nice to see power used for good, the underlying problem is that the FBI has both the power and permission to access an unlimited number of computers using a single warrant obtained in whatever jurisdiction the agency feels might be most receptive to its overtures. I’m not saying the FBI will abuse these powers. But I am saying that having these powers at your disposal, untethered from anything one might call rigorous oversight, is definitely an open invitation to abuse.

And while the DOJ is more than happy to talk about G-men performing virtual raids to rid citizens’ computers of unwanted spyware, it’s pretty much guaranteed the moment the FBI does something a bit more questionable, it will take a ton of litigation to force the DOJ to divulge details on operations that don’t reflexively lead to self-congratulatory press releases.
