Applying CyberUp’s Defence Framework… to Trend Micro’s research on cybermercenaries’ Void Balaur
Introduction
During BlackHat Europe earlier this month, Trend Micro published its Amsterdam-based senior threat researcher Feike Hacquebord’s research report into the cybermercenary group Void Balaur, which received widespread media coverage, including a Forbes Exclusive. Amongst other things, Infosec Twitter quickly asked whether Hacquebord’s observation of the group for over a year was “necessary”.
Following the publication of CyberUp’s Defence Framework, the Trend Micro investigation offers a timely opportunity to apply the framework to a real-world example – and see what conclusions we can draw.
The Defence Framework in action
As the CyberUp Campaign has stated previously, the purpose of the Defence Framework is to demonstrate that courts are capable of successfully and consistently assessing whether an act of unauthorised access was defensible, and to inform an evolving understanding of what constitutes legitimate conduct in cyber space.
The framework comprises four principles, which we reiterate below before applying them to the Trend Micro research in question:
Principle 1: The (prospective) harm-benefit profile of the act
This means unauthorised access is defensible if… the (prospective) benefits of the act outweigh the (prospective) harms, including where action was necessary to prevent a greater harm.
· We understand that, drawing on data collected by Trend Micro, Hacquebord identified the rockethack.me domain name, a website advertising services available under an IP address, and a sample communicating with the group’s command & control server (control panel), which the group used to monitor its victims.
· The Forbes article states that no password was required to access the control panel (though it is unclear whether the IP address was reachable from the open Internet).
· We understand that, as a result of the access gained, Hacquebord was able to collect more than 3,500 email addresses of individuals and companies targeted by the group for malware deployment, and identified telecoms, ATM vendors, fintech companies, aviation, IVF clinics and genetic testing as the group’s main target sectors.
· Hacquebord’s work also identified a previously unknown threat actor and their operations, contributing to a wider understanding of evolving cyber crime models.
· Hacquebord’s (likely unauthorised) access to the control panel appears to have been of limited intrusiveness, and his subsequent activities seem largely passive, and thus of limited harm potential.
· The benefits gained through a volume of meaningful information, on the other hand, seem significant.
Assessment: defensible
Principle 2: The proportionality of the act
This means unauthorised access is defensible if… reasonable steps were undertaken to minimise the risk of causing harm.
· It is unclear whether Hacquebord considered less intrusive or alternative methods of achieving his aim.
· Questions regarding the proportionality of his act arise beyond the initial access, however, as the Forbes article reveals that he observed the group for over a year in order to collect information.
Assessment: Indefensible; lack of proportionality due to the duration of access.
Principle 3: The actor’s intent
This means unauthorised access is defensible if… the actor demonstrably acted in good faith, in an honest and sincere way.
· As outlined in Trend Micro’s report, the company was contacted by a target of APT28 whose wife had received phishing emails. This prompted the initial investigation and research, which thus arguably served the good-faith objective of better understanding a threat actor.
· However, Hacquebord’s subsequent conduct (which we believe should be part of assessing intent) raises questions. As outlined in the Forbes article, at the time of publication, he had only informed a handful of the group’s victims, and only then planned to inform law enforcement about their activities.
· We have set out that good-faith intent includes a belief that one is preventing crime or protecting computer systems. Arguably, that intent would have been best served had Hacquebord informed and collaborated with law enforcement upon discovering the group’s activities, allowing law enforcement to stay a step ahead of the attackers. In this instance, the Forbes article may have allowed the Void Balaur threat actor to take counter-measures. An earlier disclosure would also have given victims the opportunity to take mitigating action (though Trend Micro has made Indicators of Compromise available so that organisations and individuals can check whether they have been targeted).
· As it stands, Hacquebord’s period of observation without allowing for preventative action makes the act seem driven by professional curiosity at best, and by an interest in the publicity of uncovering a (new) cybermercenary at worst. There are clear incentives for cyber security researchers such as Hacquebord to promote their work to their peers through traditional and social media, and this is permissible so long as they are driven in the first instance by a desire to prevent crime and improve cyber resilience. Where there is reason to believe that an actor was motivated primarily by a desire to promote themselves and their work, and this might inhibit an effective law enforcement response, it should call into question the actor’s good-faith intent.
Assessment: Indefensible; the subsequent conduct does not primarily serve the prevention of crime or the protection of systems.
Principle 4: The actor’s competence
This means unauthorised access is defensible if… the actor is able to demonstrate their competence (authority and expertise).
· According to publicly available profiles, Hacquebord has more than 15 years’ experience in threat research, and has regularly advised international law enforcement agencies on investigations.
· In addition to holding a PhD in theoretical physics from the University of Amsterdam, he has published a range of research papers and delivered presentations at international cyber security conferences. All this suggests that he is a competent and experienced cyber security professional with a demonstrable track record.
Conclusion
The application of the principles of the Defence Framework shows that questions can be raised as to the defensibility of Feike Hacquebord’s actions in the threat research undertaken in relation to cybermercenary group Void Balaur.
Beyond a lack of clarity as to whether the act undertaken (gaining access to the group’s control panel) did, in fact, constitute unauthorised access, there are questions regarding the proportionality of the act and the researcher’s subsequent conduct. In simple terms, while the initial unauthorised access to understand threat actors and their victims is defensible, a clear judgment of defensibility based on the Defence Framework would have required the timely sharing of information with law enforcement, notification of victims, and collaboration and coordination with the appropriate authorities.
It is worth adding the caveat that what we have set out here is not a final judgment on whether Hacquebord would be able to succeed, in a UK court (assuming the activity had been carried out in the UK), in having a defence applied under a reformed CMA. The purpose of the exercise has been to take a publicly available instance of what we believe would have included unauthorised access (and thus been illegal under the CMA), apply the Defence Framework to it in order to continue testing its real-world applicability, and use it as a lens through which to discuss acceptable and unacceptable conduct. A court and a jury would have access to a great deal more information through witnesses and documents. It may be that in the course of a trial information would come to light to satisfy the jury that Hacquebord, in the case in question, was in fact acting in the first instance out of a desire to improve cyber security and prevent crime. But this blog has commented that, on the basis of the information publicly available at present, we think he might find it more difficult to prove his eligibility for a statutory defence.