North Korean Hacker Indictment

Today Federal prosecutors in California unsealed an indictment against North Korean members of Lazarus Group and APT38 alleging $1.3 billion in theft and extortion. The Indictment is notable for the scale of the nation-state sponsored economic criminal activity it describes.

Published
Categorized as Cyber Crime

The Virus and Ransomware

In the middle of the pandemic, things we used to take for granted feel frightening.  A trip to the grocery store, taken only when truly necessary, seems like stepping onto the set of a post-apocalyptic movie, as shoppers eye each other suspiciously from behind face masks while picking over thinly-stocked shelves.  Cyber criminals, unfortunately, know how to prey on these fears.  From early in the COVID-19 crisis, cybersecurity experts have warned about a rise of social engineering attacks, such as phishing emails, spoofed websites impersonating public health authorities such as the World Health Organization and the U.S. Centers for Disease Control, and fake coronavirus mobile apps.   

Some of these social engineering campaigns have been linked to ransomware attacks on health care facilities, financial services providers, and other essential businesses.  A study done by Carbon Black, for example, showed a 148% increase in ransomware attacks between February and March 2020.  Another study released by Checkpoint Research on April 16, 2020, found that ransomware attackers are increasingly engaging in “double extortion.”  This kind of attack begins as a typical ransomware incident:  the attacker encrypts the victim’s data and demands a ransom to decrypt it.  It also adds a second stage:  the attacker makes a copy of sensitive data and then, after receiving the decryption ransom, demands a second payment to prevent public disclosure of the stolen data.

Although the COVID-19 crisis creates fear, it also prompts generosity and altruism – ranging from the heroism of front-line health care workers to everyday acts of kindness like checking in virtually on friends and neighbors.  At the start of the crisis, leading ransomware groups such as DoppelPayemer and Maze seemed to join this wave of altruism by promising to avoid attacks on health care facilities.  These groups try to position themselves as modern-day cyber Robin Hoods, stealing from wealthy banks and other for-profit companies while avoiding entities such as healthcare facilities that serve the poor. 

Almost immediately after this promise, however, Maze hit Hammersmith Medicines Research, a British company that may serve as a COVID-19 vaccine test center.  The truth is that these are ruthless organized crime operations that will not hesitate to take advantage of this crisis.

Now more than ever, even as we practice social distancing to flatten the curve of the coronavirus infection, we need to practice good cyber hygiene to flatten the curve of cyber attacks.  It’s a good time to remind employees working from home of some basic principles: 

  • Be wary of texts or emails that seem unusually alarmist or urgent, particularly if they purport to originate from high-level government or corporate sources.

  • Avoid apps and websites that claim to offer some inside information or cures beyond what is being reported by official government sources and reputable news outlets.

  • If presented with a request for information that seems suspicious, use recognized channels, including a phone call to the supposed source, to confirm whether the request is authentic.

  • Notify the appropriate persons in your organization of contacts that appear to be social engineering scams.

Microsoft and the Law of the Cloud: to the Supreme Court

Last year I wrote about Microsoft’s Stored Communications Act litigation.  The dispute has now worked its way up to the Supreme Court.  Andrew Keane Woods offers a good primer on the case on the Lawfare Blog.  I generally agree with Andrew’s take:  (1) the extraterritoriality issues do not seem to raise major sovereignty concerns; and (2) it is not really a “privacy” case.  It’s also interesting, as Andrew notes, that Silicone Valley seems uncertain about how to approach this dispute.  But here’s where I might go a bit further than Andrew:  the extraterritoriality issues do not raise major sovereignty concerns unless you think the cloud is really something different.  The Supreme Court continues to make Internet-exceptionalist noises, such as Justice Kennedy’s ode to the Net in the Packingham case last year:

While we now may be coming to the realization that the Cyber Age is a revolution of historic proportions, we cannot appreciate yet its full dimensions and vast potential to alter how we think, express ourselves, and define who we want to be. The forces and directions of the Internet are so new, so protean, and so far reaching that courts must be conscious that what they say today might be obsolete tomorrow.

Packingham v. North Carolina, 137 S. Ct. 1730, 1736 (2017).  The cloud, of course, is just a marketing term for storing stuff and running apps on the Internet.  In my view, the Court should avoid rhapsodizing about the cloud or the Internet in the Stored Communications Act context, apply ordinary principles of extraterritoriality to find that Microsoft was required to produce the records in this case, and leave further tinkering with the statutory framework to Congress.

The FTC, Ransomware, and You

150px-us-federaltradecommission-seal-svgRansomware” is malicious software that enables attackers to hold computer data or a computer network hostage until a ransom is paid.  Ransomware often encrypts all the files on a system, making them unusable until the attacker supplies an encryption key.  An FBI Alert issued last week stated that ransomware infections are at an “all-time high.”  According to the FBI Alert, just one recent strain of ransomware infected about 100,000 computers per day.  Id.  Commenting on the Alert, security expert Brian Krebs said “[w]hat we can expect is not only more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth.”

The ransomware threat is troubling from the perspective of business continuity, lost productivity, lost data, and possible ransom payment costs.  The threat is also troubling from a legal perspective because in public comments earlier this month, FTC Chairwoman Edith Ramirez suggested that failure to address vulnerabilities that could be exploited by ransomware can comprise an FTC Act violation.  This means companies now face two kinds of liabilities from ransomware:  business costs, and civil liability to the FTC and perhaps private litigants.

The Federal Trade Commission has no specific statutory mandate over cybersecurity compliance.  Nevertheless, the FTC has made cybersecurity enforcement central to its institutional mission.  Legal challenges to the FTC’s authority over cybersecurity so far have failed.  In FTC v. Wyndham Worldwide, 799 F.3d 236 (3rd Cir. 2015), for example, the Third Circuit held the FTC’s statutory mandate under the Federal Trade Commission Act, 16 U.S.C. § 45(a), to prevent “unfair methods of competition in commerce” encompasses cybersecurity policies and requirements relating to a company’s customer data.  And the FTC recently concluded that the FTC Act’s general balancing test for determining if an act or practice is “unfair” applies to cybersecurity issues.  See In the Matter of LabMD, Docket No. 9257, Opinion of the Commission (July 29, 2016).

These risks are particularly difficult to manage because of the FTC Act’s standard of liability and the nature of ransomware.  Under Section 5(2) of the FTC Act, an act or practice is “unfair” only if

(1) it “causes or is likely to cause substantial injury to consumers;”

(2) the injury “is not reasonably avoidable by consumers themselves”; and

(3) the injury is “not outweighed by countervailing benefits to consumers or competition.”

In the Matter of LabMD, at 9 (quoting 15 U.S.C. § 45(n)).  In LabMD, the Commission stated that “’[t]he touchstone of the Commission’s approach to data security is reasonableness.’”  Id. at 11 (quoting Commission Statement Marking the FT’s 50th Data Security Settlement, at 1 (Jan. 31, 2014)).  While a “reasonableness” standard sounds reasonable, the statutory test essentially encodes a kind of “negligence balancing test” in which “reasonableness” is measured by the risk and probability of harm in comparison to the burden of taking precautions.  Most of us will remember – with varying degrees of fondness – this test from Judge Learned Hand’s famous opinion in U.S. v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947):  B >< PL.

The problem with this kind of test in relation to cybersecurity is that the probability of some loss is very high and the scope of the loss could be enormous.  This means just about any kind of precaution could be considered reasonable.  Indeed, in LabMD, the Commission found that LabMD “did not employ basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring, or penetration testing.”  In the Matter of LabMD, at 11.   “Penetration testing,” which involves employing “white hat” hackers to probe a network for vulnerabilities, can be a valuable part of a cybersecurity hygiene program, but it is a stretch to suggest that penetration testing should always be employed by every entity on every kind of network.  See SANS Institute InfoSec Reading Room, Penetration Testing:  Assessing Your Overall Security Risks Before Attackers Do (June 2006).

The U.S. Department of Justice has published an interagency technical guidance document on protecting networks from ransomware that could serve as a useful rough measure of reasonable care.  According to the Justice Department guide, preventive measures against ransomware should include a number of specific technological measures together with an “awareness and training program.”  Id. at 3-4.  The guide notes that “[b]ecause end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.”  Id. at 3.  The DOJ’s guide also includes lists of instructions for business continuity and for incident response if infected with ransomware.  See id. at 4-5.

The growth in ransomware and other cybersecurity threats and the FTC’s aggressive enforcement posture suggest that companies should carefully consider their preparations for ransomware and other malware attacks in conjunction with legal counsel.  And even with what seem like reasonable preparations, companies of every size must prepare for an adverse incident.  In this regard, the following DOJ recommendations for incident response is particularly noteworthy:

Contact law enforcement immediately. We strongly encourage you to contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance

Id. at 5 (emphasis in original).

Contacting the FBI or Secret Service might be a good idea, because ransomware attackers often are connected to foreign criminal syndicates and might even help finance terrorism.  However, companies should keep in mind the FTC’s commitment to enforcing its broad unfairness standard against companies suffering from ransomware attacks.  In addition, companies sometimes decide to pay the ransom quietly in order to regain access to their data.  Brian Krebs, for example, describes an incident in which a company’s finance department “didn’t bat an eyelash when asked to authorize several payments of $600 to satisfy the Bitcoin ransom demanded by the intruders: After all, . . . the data on one of the infected systems was worth millions — possibly tens of millions — of dollars, but for whatever reason the company didn’t have backups of it.” Once the government is involved, a quiet ransom payment might not be possible – if it is even considered lawful under the circumstances.  Any investigation of the incident, and particularly any coordination with the FBI, should involve legal counsel to protect privilege and limit liability as much as possible.

xDedic Marketplace

Kaspersky Lab released a report on June 15 on the “XDedic” marketplace.  According to the report,

“xDedic” is a trading platform where cybercriminals can purchase any of over 70,000 hacked servers from all around the internet. It appears to be run by a Russian-speaking group of hackers.

The report includes screenshots of the XDedic user dashboard, which includes information about price to obtain access to the server, the server’s location and speed, and other details.

xdedic

Kaspersky’s investigation suggests that the servers are first accessed through password brute-force attacks, after which a malware (Trojan) client is installed that makes the server available on the XDedic network.  Another program is also installed that uses the compromised server to mine bitcoins.  Access to some of the servers available on this marketplace can be gained for as little as $8.

This report underscores both the technological and commercial sophistication of the cybercrime underworld.

[google-drive-embed url=”https://drive.google.com/file/d/0BzS0leqU862xT3U5WWk5S0NnSEE/preview?usp=drivesdk” title=”xDedic_marketplace_ENG.pdf” icon=”https://ssl.gstatic.com/docs/doclist/images/icon_12_pdf_list.png” width=”100%” height=”400″ style=”embed”]