U.S. Companies Need More Authority to Open Covert Channels to Deter IP Theft

By V.S. Subrahmanian, Walter P. Murphy Professor of Computer Science; Buffet Faculty Fellow, Northwestern University

This past Friday, November 3, U.S. Deputy Attorney General Lisa Monaco stated that the FBI took down the notorious HIVE ransomware group by “hacking the hackers.” The remarks, made at a conference on Reimagining National Security at the University of Chicago Legal Forum, where I also spoke, confirmed what other security experts and I have long suspected: that hack backs have been an instrument of the US Government for several years. How else can we explain the Jan 2020 indictment of 4 PLA hackers in connection with the 2017 hack of credit giant Equifax? Likewise, it is hard to imagine how the FBI could have indicted six members of the Russian GRU intelligence agency for attacks in several countries (France, Georgia, S. Korea, Ukraine) without hack backs. Because intelligence agencies are highly reluctant to jeopardize human assets (or moles) within foreign institutions, it seems likely that hack backs, rather than human intelligence, were among the instruments used to identify the perpetrators of these attacks and to gather the evidence needed for an indictment.

An “advanced persistent threat” (APT) is an attack where the perpetrator silently penetrates a victim organization to steal data, intellectual property, and/or intelligence, typically over an extended period of time. Attackers typically use phishing or spear-phishing attacks first to target individuals within an organization. In the case of the 2017 French election, several close associates of President Emmanuel Macron were deceived into clicking on a link purporting to be one for a popular file-sharing platform. Once they clicked on this link, their computers were infected with malware and a covert channel was used by the attackers to siphon away a treasure trove of over 20,000 emails, documents, and images. Once such a covert channel is created linking a victim organization to the hackers’ command and control center, the attackers can update the malware, move laterally through the victim network, and more. It is like a secret door a burglar found in a bank. He can enter the bank at will and remove whatever assets he wants if he doesn’t do anything overt that causes other security tripwires to be set off.

A defender who discovers the hack can use the same covert channel to send malware in the other direction – to the attacker’s command and control center. It’s a bit like a tiny invisible soldier following the bank robber through the door back to his home base. In security parlance, the hack back can use the covert channel to send malware disguised as normal traffic back to the attacker’s command and control center. CISOs I have spoken to do not do this today because the legal landscape is unclear and fraught with risk.

For years, my research team at the Northwestern Security & AI Lab has suggested the use of fake documents to deter IP theft and impose costs on attackers who steal intellectual property. Consider an inventor at a major US corporation writing up his invention. Either at periodic intervals or when he saves his document, imagine a flow that automatically generates 99 fake versions of his document. Suppose the fakes are similar enough to the original document to be credible, yet sufficiently different to be wrong. In that case, the malicious hacker who steals the document archive now has a problem. Which of the 100 versions (original + 99 fake) of the document is real? His technical staff will have to invest time and effort in identifying the correct document. That will take time and money and induce uncertainty and frustration among the hacker’s technologists. Even if they eventually find the correct document, management may not be 100% sure they got it right, leading to more delays, uncertainty, and infighting amongst the IP thieves. We developed systems such as FORGE and WE-FORGE to induce such costs on attackers by automatically generating fake documents.
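A minimal sketch of the decoy archive described above, added here as an illustration and not code from FORGE or WE-FORGE: every number in a constructed sample write-up is shifted deterministically from a secret and a variant id, so the owner can regenerate any of the 100 versions on demand, and a hash index tells the owner which variant (the original or one specific fake) later surfaces in a leak. The sample text, the secret, and the function names are assumptions made for the example.

```python
import hashlib
import random
import re

# Constructed sample "invention write-up" for the demo; not a real document.
ORIGINAL = (
    "Alloy composition: 62% Cu, 30% Zn, 8% Al.\n"
    "Anneal at 540 C for 45 minutes, then quench in oil at 120 C.\n"
    "Resulting yield strength: 310 MPa."
)
SECRET = b"constructed-demo-secret"   # owner-only key; constructed value
NUMBER = re.compile(r"\d+(?:\.\d+)?")


def make_fake(text: str, variant_id: int, secret: bytes, spread: float = 0.2) -> str:
    """Return fake variant `variant_id` of `text`: each number is scaled by a
    factor in [1-spread, 1+spread] drawn from a PRNG seeded with
    SHA-256(secret || variant_id), so the same inputs always give the same fake.
    Credible-looking but wrong, which is the property the decoys need."""
    seed = hashlib.sha256(secret + variant_id.to_bytes(4, "big")).digest()
    rng = random.Random(seed)

    def perturb(m: re.Match) -> str:
        value = float(m.group(0))
        fake = value * (1 + rng.uniform(-spread, spread))
        # integers stay integers so the fake does not look tampered with
        return f"{fake:.1f}" if "." in m.group(0) else str(round(fake))

    return NUMBER.sub(perturb, text)


def fingerprint(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def build_archive(text: str, secret: bytes, n_fakes: int = 99) -> dict:
    """Map fingerprint -> variant id for the original (id 0) and n_fakes fakes.
    Only the owner, who holds the secret and the index, can tell them apart."""
    index = {fingerprint(text): 0}
    for vid in range(1, n_fakes + 1):
        index[fingerprint(make_fake(text, vid, secret))] = vid
    return index


def identify_leak(document: str, index: dict):
    """Given a document that turned up outside the company, return which
    variant it is (0 = the real one), or None if it is not from this archive."""
    return index.get(fingerprint(document))


INDEX = build_archive(ORIGINAL, SECRET)
```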

At the same time, we wondered why companies could not additionally embed malware within the 100 versions of the original document. Were this to be allowed, the attacker who steals even one of the 100 document versions would have an infected file inside his network. The malware within the stolen document could be easily programmed to recognize its location, and its logic could cause it to open a covert channel back to the network of the original owner of the IP to say something as uncomplicated as “Agent X reporting. It’s now 1811 hours GMT and I am at location L.” The location could be a unique geolocator that includes relevant network and device addresses. This is a no harm, no foul situation. Agent X (the malware) causes no damage to the attacker’s network or systems except for the tiny resources consumed in creating the covert channel and occasionally communicating on that channel.

Upon receiving such a message and discovering that a company asset has been stolen, the company could call in the FBI, who, under authorities granted to them by US law, can update agent X to do other things – such as turning on the camera on the attacker’s devices, capturing his keystrokes, capturing emails, documents, images, and more, and moving laterally through the attacker’s organization to uncover the identities of all of those involved. They can replace the real document with another fake and change system logs to conceal this.

If you see your friend’s handbag being grabbed, it is legitimate to give chase to the attacker to retrieve the handbag and restrain the thief. But it is not legal to beat up the attacker. Following this analogy, it should be legal for potential US victim organizations to embed malware within their own documents, real or fake, to open a covert channel when the document lands at the attacker’s command and control center. This is the digital equivalent of chasing the handbag thief, but damaging the attacker’s network in any way is the digital analog of beating up the robber. US companies need to have legal authorities and protection to create the covert channel, but not the legal authorities to take intelligence gathering and other actions within the hacker’s network. They need the first urgently. Congress needs to act to make such protections explicit in law. It needs to clarify which additional actions victims are allowed to take and which are not permissible. Now.

V.S. Subrahmanian is the Walter P. Murphy Professor of Computer Science and a Faculty Fellow at the Buffett Institute for Global Affairs at Northwestern University. He heads the Northwestern Security & AI Lab. He can be reached at vss[at]northwestern.edu and on X (formerly Twitter) at @vssubrah