On June 5, Microsoft announced that, along with leaders of the financial-services industry, other information-technology firms and the FBI, it had “successfully disrupted more than a thousand botnets that are responsible for stealing people’s online banking information and personal identities.”
The counter-attack focused on botnets carrying a breed of malicious software called Citadel. Botnets, Microsoft explained in its press release, are computer networks infected by malware that’s controlled by cyber wrongdoers called “bot herders.”
The “coordinated disruption” of the botnets stemmed from a probe that Microsoft, which has its own Digital Crimes Unit, and its banking and tech partners launched in early 2012. After looking into the threat, Microsoft and its partners found that once a computer was infected with Citadel, the malware began monitoring and recording the victim’s keystrokes, capturing online-banking credentials as they were typed.
Microsoft found that besides being responsible for more than $500 million in losses to people and businesses spanning the world, the Citadel malware affected more than five million people.
But before launching its attack on the bot herders, Microsoft had to go to court. The company filed a civil suit against the operators of the Citadel botnets and obtained authorization from the U.S. District Court for the Western District of North Carolina to sever communication between the command-and-control servers of 1,462 Citadel botnets and the millions of infected computers. On June 5, escorted by U.S. Marshals, Microsoft staff seized data and evidence from the botnets, including servers at two data-hosting facilities in New Jersey and Pennsylvania.
The “cooperative action is part of a growing proactive effort by both the public and private sector to fight cybercrime, help protect people and businesses from online fraud and identity theft, and enhance cloud security for everyone,” the company said.
Indeed, Microsoft’s efforts are in the vanguard of what risk management experts are calling a more aggressive corporate approach to preventing the damage from cybercrime.
Daniel Garrie, an executive managing partner at Law and Forensics, a boutique legal strategy and forensics firm, says, in fact, that he’s seeing medium-sized as well as big businesses engaged in what he calls “active defense.”
He defines the term as companies “taking proactive measures to thwart or limit or reduce the amount of potential liability and damage that is a result of them being hacked.”
An Anomaly
In two ways, however, Microsoft may be an anomaly in this arena, experts say. For one thing, unlike almost any company other than the firms it partners with in its crime-fighting activities, it has no problem making those activities public. For another, the resources it can muster seem unparalleled outside the government sector.
For everyone else, the retaliatory and legal risks of active defense should prompt extreme caution, lawyers advise. Referring to Microsoft’s efforts, Paul Paray, a partner in InfoLawGroup, notes that “they’ve spent a lot of money to do that, which is all good.”
But most companies can’t afford such vast pre-emptive attacks. “And the exposure that they risk in terms of affirmatively [going out and hacking the hackers] — it’s dangerous,” he says.
One of the biggest perils of a counter-attack is retaliation. “Generally, hackers are better at it than you are, so why raise the ante? And there are a lot of them out there,” says Paray. “So it’s probably better to be a little bit more circumspect in how you deal with those situations.”
Then there are the legal risks. A corporation bent on rooting out its attackers may, for example, find that it has taken illegal actions against the wrong source — another company, say, or even another country.
Sophisticated cybercriminals can redirect counter-attacks by masking their internet protocol (IP) addresses — the numerical labels assigned to the computers in a given network — so that the apparent source of an attack is a machine the attacker does not own, Paray said, noting that it’s like “being able to point a finger in the wrong direction.”
Some countries use this technique very effectively, so that the hacker seems to be “in a … different location … than the actual actor,” according to the attorney.
Then, if the company retaliates against the wrong party — or even, in the case of a foreign country, the right one — “you’re in effect doing what you’ve just considered to be illegal conduct,” Paray said. “There’s the potential that you could be at risk of prosecution by any number of entities, including the Justice Department.”
Garrie offers the hypothetical example of a company inclined toward active defense that is hacked by a sovereign nation, which illegally steals some of the company’s most sensitive intellectual property. If the company’s defense system is able to “piggyback” on its stolen IP and take out the hacker’s server, “that’s clearly illegal,” Garrie says.
Such “self-help” remedies are “extremely limited” in the U.S. legal system, according to the attorney. “You can’t just hack into someone else’s computer system and destroy their data,” he adds.