With the proliferation of smart devices connected to the public internet, the population of botnets – networks of compromised devices that can be leveraged for large-scale cyber attacks – has exploded. The Cipher Brief spoke with Kevin Reid, Vice President of National Security and Chief Information Officer at KeyLogic and former Assistant Director of the IT Infrastructure Division at the FBI, about the threat botnets pose and how to manage risks.
The Cipher Brief: The Justice Department, using new authorities under Rule 41, has announced efforts to disrupt the Kelihos botnet. Could you explain these new authorities and how Justice disrupts botnets?
KR: Recently the Kelihos botnet sent out millions of infected emails, which are capable of compromising people’s computers with ransomware, and intercepting online financial information, passwords and more. Since this botnet is strong and quickly weaponized, Kelihos presents a great risk for our nation’s infrastructure.
The judicial warrant used to disrupt the botnet came as a direct result of Rule 41, allowing law enforcement to intercept and reroute network activity from infected machines.
The rerouted internet traffic revealed the IP addresses associated with the botnet, allowing law enforcement to flag dangerous IP addresses for internet service providers. While this law and the resulting action came under heavy scrutiny during the PlayPen cases allegedly involving illegal hacking by the FBI, if Rule 41 weren’t in effect, the government would have no way to protect U.S. citizens from vast and dangerous cyber attacks such as those conducted by the Kelihos botnet.
TCB: According to news reports, Russian intelligence piggy-backed off the GameOver ZeuS botnet, which facilitated widespread espionage. Similarly, Russian intelligence also used cybercriminals to access user account information held by Yahoo. Could you describe how an agency might use criminal actors for espionage and why criminal botnets are an attractive tool for Russian spy agencies?
KR: For distributed denial of service (DDoS) attacks, which flood a server or website with false traffic, botnets are basically injecting malicious code in the software of commercial products and exploiting them when the time is right. A lot of that is being done covertly, before the software is deployed to various devices, and then the malware is turned on as needed. This was a tactic used by the Russians in Crimea – they turned off the power grid prior to their invasion by exploiting botnets that had been put in place by Russian mafia.
These DDoS attacks are often used for espionage purposes, with cyber-spies setting up a bunch of devices – cameras, TVs, ATM machines or a combination. They are all vulnerable to malware.
These types of attacks are hard to isolate because they are coming from countless directions and a network of devices. That makes it hard to diagnose and determine if there is a trend to catch early on. That’s the reason they can be effective.
TCB: Has the U.S. effort to clamp down on Russian cybercriminals as they travel outside of Russia had an effect, not just on cybercrime, but also the ability for the U.S. to collect intelligence on these criminal networks?
KR: The problem the U.S. faces with Russian criminals is that the U.S. is reactionary as opposed to proactive around attacks and detections. It is hard to prosecute someone who is in Russia, since the Russian government does not allow the U.S. to go in and arrest that person. There are probably some things the U.S. can do to shut criminals down once it figures out what the criminals’ signatures and trends are, for example, attacking back through cyberspace to dismantle criminal infrastructures. The problem is that the U.S. really wants to figure out the trends and techniques before it shuts criminals down. The U.S. may want to gather intelligence so that it can figure out how to get criminals in the future. There are problems with just going out and shutting them off right after an attack happens.
In some cases, because the U.S. has an ongoing intelligence operation, it really doesn’t want to arrest an individual because he is a source of intelligence. The U.S. government may put up some safeguards so that the criminals don’t get the keys to the kingdom, but it has to be a little bit proactive. The answer is essentially that it all depends – it depends on where the criminal is in the attack and how much more intelligence the U.S. government thinks it can gather without allowing disruption of infrastructure or loss of potential financial gains. It is an evaluation of the pros and cons at that point. When those indictments are handed down, saying this person needs to be arrested, it is typically so far after the fact that it’s really just a gesture saying “Hey guys, we know what you are doing, stop doing it.”
Another problem the U.S. is having is that the actual hacking of devices is done prior to the concerted botnet attack. It is not an ongoing “man in the loop” attack. Typically the penetration is done far in advance, and if it isn’t detected when the breaches actually occur, it is really hard to go in and say, “I am going to arrest this guy right now,” because he is already gone, and getting access to him is a problem.
TCB: Could you explain how botnets can be used in an attack?
KR: It pulls a lot of resources to check where the attackers are coming through and what they are trying to do. Typically, when people deploy these kinds of botnet attacks, it pools limited U.S. resources and workforce to one line of defense when other attacks are simultaneously happening in other places that defenders may not be focusing on. Some of the attacks could just be feints. In order to fix this problem, the U.S. needs ways not only to detect, but also to track multiple attacks happening. Otherwise, defenders could miss something that is going on in the background because they have several botnets attacking simultaneously to create diversions. Artificial intelligence could play a major role in detecting and tracking multiple attacks.
TCB: Similarly, there has been much discussion of bots on social media platforms that amplify and disseminate disinformation on behalf of governments such as Russia. Do social media companies have a conflict of interest in clamping down on bots because they artificially boost their user numbers?
KR: Absolutely. There are a couple different ways to look at it. One way is that being proactive can be beneficial to commercial entities just by the fact that they are helping government defeat something like bots – or other malicious things out there. This is always self-promoting to industry. However, from the perspective of pure profit, resources dedicated to clamping down on bots are not helping the bottom line. There are, however, incentives for companies to remove bots. If it is affecting the bottom line, companies absolutely need to set something up to collectively fight botnets.
Ultimately, the only way the U.S. will be able to fight these botnets is to use common tools and techniques across the board, because right now the U.S. is tackling it from a hundred different directions. There is some standardization that needs to happen. The federal government needs to help commercial entities do that.
TCB: How can the U.S. government go about addressing the prevalence of bots on social media that spread disinformation? How does that work on an international level when dealing with multinational companies?
KR: One of the things that most people agree on is that there has to be some consistency in standardization on how we not only deal with bots, but also any type of malware or ransomware. Governments have been establishing things such as the National Institute of Standards and Technology (NIST), and rolling those out to private industry, which will help across the board. The other thing that government needs to do is work with cloud providers. Standardization among cloud providers is going to help greatly, not only for bots, but also all the other cyber threats that are coming in.