Global investigation shows shortcomings of UK cyber crime laws
6 October 2020
Earlier in 2020, the VMware Carbon Black Threat Analysis Unit (TAU), headquartered in the USA and NASDAQ-listed, published an analysis by a Japanese employee detailing how its threat researchers investigated and discovered attackers’ command and control (C2) hosts deploying the latest version of the Winnti malware, used by attackers to infect the systems of large corporations worldwide.
Winnti is a very common type of malware that has been around for a decade and has evolved into an advanced and sophisticated toolkit for cyber adversaries. Winnti malware gives the adversary the capability to control a victim’s computers remotely, allowing threat actors quietly to exfiltrate data and information over a long period of time, for a variety of intents including industrial espionage or gathering intelligence on the international movements of high-profile individuals. In its most recent large-scale deployment, in 2019, Winnti targeted large corporations in Germany, Switzerland, the US and Asia. German manufacturing giant ThyssenKrupp, for example, suffered the theft of trade secrets regarding steel production and manufacturing plant designs.
Researchers at TAU, having identified a new variant of the Winnti malware, conducted an investigation to discover systems and computers that were either infected with the malware or demonstrated a link to the adversaries. This involved a large-scale scan of the public internet to discover open or responsive IP addresses. They then sent requests to the hosts that were found to have open ports, and subsequently tested whether the system in question was infected with or linked to the Winnti malware. The simplified diagram below illustrates this:
The researchers found nine command and control (C2) servers that they suspected of being controlled by adversaries operating Winnti malware. Due to the geographical focus and footprint of the C2 systems (using, for example, Japanese hosting providers), TAU notified the Japanese Computer Security Incident Response Team (JPCERT/CC) to coordinate the take-down of the C2 systems, hence interrupting adversaries’ activities, and potentially preventing considerable financial and human harm.
Unfortunately, had the threat intelligence researchers been operating in the UK, they would have been precluded by section 1 of the Computer Misuse Act from conducting this type of scanning activity using a custom protocol derived through research engineering.
Had TAU researchers been based in the UK, their alternative course of action would have been to make the tool they used to scan the internet and check for infections openly available, and to encourage individual organisations to use it to check whether or not they had been infected and take remedial action as a result.
While the notion that individual organisations would need to grant researchers permission has some intuitive appeal, there are many downsides to this approach:
Relying on individual organisations to deploy a tool inevitably means that a significant percentage of organisations will not do so, reducing the detection rate of infections. The inability proactively to alert organisations furthermore limits the ability to protect and defend them adequately.
Similarly, relying on organisations to share information about their infection severely limits overall visibility of the scale and systemic nature of any cyber adversary campaign.
And finally, the limited ability to identify adversaries’ C2 systems proactively puts UK defenders at an even bigger disadvantage in the game of whack-a-mole, as response time is significantly slowed while exposure grows.
UK cyber security researchers – our nation’s cyber defenders – continue to be left operating with one hand tied behind their backs. The example highlighted here drives home the case for reform of the Computer Misuse Act that would lead to a more permissive regime.