Published by The Lawfare Institute
The Department of Justice dealt a blow to global cybercrime on April 6 with the takedown of a massive botnet controlled by “Sandworm”—the Russian General Staff Main Intelligence Directorate (GRU) unit responsible for the 2017 NotPetya attack, among others. This operation reflects the department’s strategy of prioritizing what it calls “disruptive capabilities” over long-term plays for arrests and extraditions. Not to be outdone, in the same week, Microsoft obtained a court order to seize seven domains being used by another GRU unit, best known as “Fancy Bear,” to target Ukrainian institutions. The two operations illustrate an important truth: The Justice Department’s best tools for fighting cybercrime can also be wielded by any private company willing to invest the necessary resources. And many companies have been eager to do so.
Since 2010, Microsoft alone has won court orders to seize command and control (C2) servers and sinkhole malicious traffic in 24 cases, seizing a total of more than 16,000 malicious domains. Mechanically, these cases work a lot like the Justice Department’s botnet takedowns: Both entities compile evidence that particular domains are being used to control botnets and use that evidence to obtain court orders requiring U.S.-based domain registries to redirect those domains to servers controlled by the entity that sought the order, among other possible court-authorized remedies. And botnet takedowns are not the only Justice Department tactic that private companies can emulate: By naming John Doe hackers as defendants in civil suits, Microsoft has been able to obtain subpoena power to require third-party internet service providers (ISPs) to produce the information it needs to help identify the hackers. Recently, other big tech companies, including Google and Meta, have begun to employ Microsoft’s strategy of suing cybercriminals who operate major botnets or engage in massive phishing schemes.
We believe this is a highly positive trend that has the potential to address the main weakness of the Justice Department’s cyber disruption strategy: resource constraints. Botnet takedowns are a game of whack-a-mole, and the department cannot swing at every mole. By supplementing the department’s efforts, private industry can help take a significant bite out of cybercrime. And, from the companies’ perspective, civil suits enable them to show their customers tangible results, and to obtain critical intelligence about threat actors, without waiting for the Justice Department to act. To be sure, civil suits are not a silver bullet, but in the absence of a more comprehensive institutional framework for addressing cybercrime, civil botnet takedowns are a powerful force multiplier for current government efforts.
How to Sue an Anonymous Hacker
Causes of Action
Botnets, almost by definition, violate the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, insofar as they are built by gaining and maintaining unauthorized access to victim computers. While the CFAA is best known as the Justice Department’s primary tool for prosecuting hackers, the statute also contains a civil cause of action, 18 U.S.C. § 1030(g), that allows those harmed by such unauthorized access to bring suit.
Cybercrime activities can also give rise to claims of trademark infringement under the Lanham Act, 15 U.S.C. §§ 1114, 1125(a), 1125(c), since hackers frequently use company trademarks to trick victims into disclosing their credentials or downloading malware. Consequently, trademark claims have featured prominently in virtually every case brought by Microsoft, Google and Meta since 2010. For instance, Meta recently filed a Lanham Act complaint against 100 John Doe defendants for creating more than 39,000 fake versions of Facebook, Instagram and WhatsApp login pages to trick users into giving up their credentials. Similarly, Microsoft brought a Lanham Act suit against Nickel, a Chinese nation-state advanced persistent threat (APT) that injected malicious code into an image of Microsoft’s Internet Explorer trademark.
While less frequent, companies, including Google, have used the Racketeer Influenced and Corrupt Organizations Act (RICO) to sue cybercriminals, relying on predicate acts of computer intrusion, wire fraud, identity theft and access device fraud. Companies also supplement the federal claims listed above with state common law claims such as trespass, unjust enrichment, conversion, tortious interference with contractual relationships, negligence and breach of contract.
While it is unsurprising that criminal hackers violate a variety of U.S. laws, it may be less clear why big tech companies have standing to enforce those laws, especially where the ultimate target of the hacks is not the company itself, but its customers. But courts have repeatedly accepted that tech companies have standing to sue hackers, having granted dozens of court orders allowing Microsoft, Google and Meta to seize botnet infrastructure and obtain other relief.
To establish standing, tech companies most commonly rely on the CFAA (18 U.S.C. § 1030(g)), which permits civil suits by “[a]ny person who suffers damage or loss by reason of a violation” of the statute. The CFAA (18 U.S.C. § 1030(e)(11)) defines “loss” broadly to include “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Below is a summary of the theories that tech companies have used to allege “damage” and “loss” under the CFAA. Companies bringing RICO claims can rely on similar theories as RICO similarly permits suits by “[a]ny person injured in his business or property by reason of” a RICO violation (18 U.S.C. § 1964(c)).
- Remediation and Protection Costs. Tech companies frequently assert that they are harmed by hackers who misuse their products and target their customers because it requires them to provide remediation services to affected customers and to invest in defensive measures to thwart similar attacks in the future. In WhatsApp Inc. v. NSO Grp. Techs., WhatsApp sued the NSO Group, an Israeli surveillance company that allegedly developed tools to compromise WhatsApp communications. While users of NSO’s hacking tools were ultimately targeting WhatsApp’s end users and accessing data on those devices, the U.S. District Court for the Northern District of California held that WhatsApp could sue NSO Group under the CFAA because it incurred costs associated with “upgrading the WhatsApp system in response to [NSO Group’s] intrusion.” Microsoft has relied on similar theories of CFAA damage. Its complaint against Fancy Bear (which Microsoft dubs “Strontium”) noted that “mitigating Strontium intrusions on customer networks are often extremely expensive” and “average costs can range from 250,000 to approximately 1.3 million dollars per incident, or more.” Likewise, Google brought CFAA claims against operators of the Glupteba botnet, alleging that the botnet had swept up credentials of Google customers, thereby requiring Google to “expend substantial resources to detect, deter, and disrupt” the malicious activity.
- Unauthorized Access to Servers or Products. Companies have also relied on claims of unauthorized access to their servers or products. WhatsApp, for instance, alleged that NSO Group used WhatsApp’s servers to distribute its malware without authorization. Similarly, Microsoft alleged that Strontium damaged the Microsoft Windows operating systems licensed to device users when it “download[ed] additional malware and hacking tools into system folders that are used by Windows.”
- Harm to Brand and Reputation. While allegations of harm to a company’s brand are most relevant to trademark claims, companies have also relied on such damage to assert CFAA claims. Google, for instance, alleged that the Glupteba botnet harmed “Google’s relationships with Google users,” disrupted “users’ experiences with the Google platform,” impaired “the value of Google marks,” and undermined “Google users’ confidence and trust in Google, its services, and its platform.” Similarly, Microsoft alleged that Strontium harmed its brand by deploying malware through file paths using Microsoft’s trademarks.
In most cases, companies sue the hackers as “John Does” because their identities are unknown. A company can sue in any federal district where it has identified victims of cybercrime. While companies have brought these suits in a variety of jurisdictions, the Eastern District of Virginia is the most popular because it is home to Verisign, which operates the .com and .net registries, and because its judges have been particularly receptive to these suits.
To prevent hackers from acting to preserve their botnet infrastructure, companies typically file their cases under seal and move for an ex parte temporary restraining order (TRO) requiring the domain name registries to redirect the malicious domains to secure servers. At the same time, plaintiffs move for an order to show cause why a preliminary injunction should not issue. After the judge grants the ex parte TRO, the case is unsealed and the defendants are served with a copy of the complaint and summons. Under Fed. R. Civ. P. 4(f)(3), which permits service on foreign defendants by any court-ordered means not prohibited by international agreement, so long as the method is “reasonably calculated to give notice,” courts have permitted service using the contact information the hackers supplied when registering the domain names at issue, as well as by publication on the internet. When the hackers inevitably fail to respond, courts grant preliminary injunctions, and ultimately default judgments, requiring domain registries to redirect C2 domains to servers controlled by the plaintiff company, among other possible relief. Companies may also seek the third-party discovery necessary to identify the John Doe defendants.
The Benefits of Suing Hackers
Disruption of Botnets and Other Malicious Domains
Building large botnets requires a significant investment in time and money. According to one estimate, a botnet consisting of 10 million computers costs approximately $16 million to create. This investment can pay off: A bot herder that uses 10,000 bots to disseminate malicious spam can generate an estimated $300,000 per month. By severing the victim bots from their C2 servers, botnet takedowns require criminals to go back to square one and may change the value proposition of building a large botnet in the first place. As Microsoft’s Digital Crimes Unit has stated, “We aim for their wallets. Cyber criminals operate botnets to make money. We disrupt botnets by undermining cyber criminals’ ability to profit from their malicious attacks.”
As hackers attempt to rebuild botnets disrupted by civil suits, many courts have been willing to issue additional orders to seize new C2 domains, including those created by domain generation algorithms (DGAs). In Microsoft’s 2019 case against the Iranian state-sponsored APT “Phosphorus,” the U.S. District Court for the District of Columbia issued four supplemental preliminary injunctions “to address Defendants’ continuing efforts to rebuild Phosphorus’ command and control infrastructure and continue their illegal activities in open defiance” of the court’s previous injunctions. Upon granting Microsoft’s motion for default judgment and permanent injunction, the court appointed a special master empowered to authorize the seizure of any newly created domains that Microsoft could show were associated with the same botnet. Judges in the Eastern District of Virginia have also experimented with using special masters in this way. Relying on special masters with expertise in cybercrime can address concerns that courts lack the technical expertise to meaningfully scrutinize ex parte requests for takedown orders.
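Once a seized domain is redirected to a plaintiff-controlled sinkhole, the traffic that arrives there is the evidence for the next round: distinct source addresses approximate the infected population, and lookups for other, algorithmically generated names are candidates for a supplemental order of the kind described above. The following is an added illustration of that triage step and is not code from the article, from Microsoft or from any court filing; the log format, the heuristic DGA test and the sample lines are all constructed for this example, and the addresses and domains are documentation ranges and placeholders, not real victims.

```python
"""Triage of constructed sinkhole DNS logs: count distinct infected hosts
per seized C2 domain and flag lookups whose leftmost label looks
algorithmically generated (candidates for a supplemental seizure order)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "timestamp src_ip qname".
# Addresses are from RFC 5737 documentation ranges; domains are placeholders.
SINKHOLE_LOG = """\
2022-04-06T00:01:02Z 203.0.113.10 update-check.example.net
2022-04-06T00:01:09Z 203.0.113.10 update-check.example.net
2022-04-06T00:02:44Z 198.51.100.7 update-check.example.net
2022-04-06T00:03:01Z 198.51.100.7 xkq7vz2plmw9.example.net
2022-04-06T00:03:12Z 203.0.113.44 xkq7vz2plmw9.example.net
2022-04-06T00:04:00Z 192.0.2.15 mail.example.net
2022-04-06T00:04:30Z 192.0.2.15 h3j8qz0wprtx.example.net
this line is malformed and must be skipped
"""

# Domains already named in the (hypothetical) existing court order.
SEIZED = {"update-check.example.net"}

LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")


def parse_log(text):
    """Yield (timestamp, src_ip, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower().rstrip(".")


def shannon_entropy(s):
    """Bits of entropy per character of the string s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Heuristic (assumed, not from any filing) DGA test on one DNS label:
    long, high-entropy labels with few vowels are flagged; short or
    pronounceable labels such as 'mail' or 'update-check' are not."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def triage(log_text, seized):
    """Return (victims_per_domain, candidate_domains).

    victims_per_domain maps each seized domain to the number of distinct
    source IPs that contacted the sinkhole for it (a lower bound on the
    infected population, since NAT hides hosts behind one address).
    candidate_domains lists other queried names whose leftmost label looks
    generated, i.e. what an analyst would investigate before asking the
    court to add them to the order.
    """
    victims = defaultdict(set)
    candidates = set()
    for _, src, qname in parse_log(log_text):
        if qname in seized:
            victims[qname].add(src)
        elif looks_generated(qname.split(".")[0]):
            candidates.add(qname)
    return {d: len(ips) for d, ips in victims.items()}, sorted(candidates)


if __name__ == "__main__":
    counts, new_names = triage(SINKHOLE_LOG, SEIZED)
    for domain, n in counts.items():
        print(f"{domain}: {n} distinct infected hosts")
    print("candidate DGA domains for supplemental order:", new_names)
```

The entropy and vowel thresholds are tuning knobs, not ground truth: a candidate list from a heuristic like this is only the starting point for the evidence a declarant must actually present, which normally means correlating the flagged names with the same bot population, registration data or malware samples before putting them in front of a judge or special master.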
Companies have also successfully used civil suits to compel the cooperation of foreign ISPs that host malicious servers. In 2012, Microsoft sued Peng Yong, the owner of a company based in China that operated a domain hosting malicious subdomains connected to the Nitol botnet. After Microsoft secured a TRO in the Eastern District of Virginia that enabled it to take over the domain and block the operation of 70,000 malicious subdomains, Peng Yong agreed to a settlement that permitted his company to relaunch the domain upon taking steps to identify and block malicious subdomains. In another case, Microsoft worked with Kyrus Inc. and Kaspersky Lab to pursue a case against DotFree Group, a company based in the Czech Republic, based on its links to the Kelihos botnet. In a consent preliminary injunction, DotFree agreed to “disable malicious subdomains and [implement] a process to verify the identities of sub-domain registrants.” Three months later, Microsoft announced it had named a new defendant to the civil lawsuit, Andrey Sabelnikov, whom it believed to be the operator of the Kelihos botnet, “thanks to [DotFree’s] cooperation and new evidence.”
Deterrence Through Attribution
As illustrated by the Sabelnikov case, civil suits may help companies identify cybercriminals. Microsoft, for instance, has asked for and received six months of third-party discovery to investigate John Doe defendants’ true identities. Courts have permitted Microsoft to subpoena third-party ISPs, email service providers, domain registrars, hosting companies and payment providers for potentially identifying information about hackers. With such subpoena power, Microsoft’s investigators can replicate one of the main processes that the Justice Department uses to identify hackers.
There is little hackers hate more than having their true identities exposed. Indeed, hackers often expose one another’s identities, a practice known as doxing, as punishment for perceived wrongs. Exposure is feared because it makes operating harder and can jeopardize a hacker’s ability to travel or hold a job. The anxiety of being doxed often leads hackers to cease their activities, or at least to abandon their infrastructure, communication channels and co-conspirators and start over. The chilling effect of public attribution could be particularly useful in the wake of a major data breach, because a scared and outed hacker may be less likely to sell large quantities of stolen data online.
A company that successfully identifies a hacker may be able to enforce a civil judgment in any friendly jurisdiction in which the hacker maintains funds. And a company that can learn a hacker’s identity will not have a hard time finding a federal prosecutor willing to accept a ready-made case. When this happens, most prosecutors would make a point to publicly praise the company for its assistance when issuing any press releases on indictments or arrests.
The power to subpoena third-party ISPs, even where it does not lead to a hacker’s true identity, can yield IP addresses, domains and other identifiers associated with the hacker or hacking group. This intelligence is valuable to network defenders, who can block the malicious IP addresses and domains and adjust to the hackers’ tactics, techniques and procedures.
Some civil suits have even resulted in the seizure of C2 servers. In a case against the operators of the Rustock botnet, Microsoft obtained a court order allowing it to “work with the U.S. Marshals Service to physically capture evidence onsite, and in some cases, take the affected servers from hosting providers for analysis.” This enabled investigators to “inspect the evidence gathered from the seizures to learn … about the botnet’s operations.” Obtaining a copy of a hacker’s server, particularly a C2 server tied to a botnet, can provide critical intelligence to network defenders and cybersecurity professionals, such as the number of computers that have been infected and the methods the botnet uses to propagate its malware. This intelligence is particularly useful for large technology companies that must defend sprawling ecosystems against ever-evolving threats.
Improvement of Relations With Customers, Law Enforcement and the Public
Civil botnet takedowns provide a major public relations boost to companies that can tout these cases as evidence of their commitment to cybersecurity. For example, Meta recently filed two suits (in December 2021 and February 2022) against John Doe defendants engaged in massive phishing schemes. In other recent cases, the company has sued entities that have employed data scraping tools and malicious software development kits to collect user information in violation of Meta’s terms of service. These cases are likely part of a broader strategy to demonstrate Meta’s commitment to consumer privacy. Indeed, Meta has celebrated these legal actions as “one more step in our efforts to protect people’s safety and privacy, send a clear message to those trying to abuse our platform, and increase accountability of those who abuse technology.”
Building a track record of being forward-leaning on cybersecurity can pay dividends down the road, especially when the inevitable data security incident occurs. When a company is hacked, or when criminals use a company’s platform, products, or infrastructure to victimize third parties, the company will inevitably be called to account by regulators, plaintiffs’ lawyers and even congressional committees. When that day comes, a long and established record of being a leader and innovator in cybersecurity is critical. Fighting hackers through affirmative civil litigation is a great way to build that track record while making the internet a safer place for everyone.