DOJ’s Sandworm operation raises questions about how far feds can go to disarm botnets

Written by Suzanne Smalley

The notion that citizens are protected from unreasonable search and seizure is a bedrock legal principle: A court must issue a search warrant before police can enter a private home and ransack it looking for evidence. 

In what former prosecutors and legal experts call a landmark operation, the Department of Justice has now tested that principle to disrupt a Russian botnet that was spreading malware on a far-flung network of computers. Using so-called remote access techniques, law enforcement effectively broke into infected devices from afar to destroy what the U.S. government calls the “Cyclops Blink” botnet — and did so without the owners’ permission.

While the search warrant publicized by DOJ makes clear that this access did not allow the FBI to “search, view, or retrieve a victim device owner’s content or data,” legal experts say the case does raise questions about how far the government’s power should extend under a federal criminal procedure provision known as Rule 41.

The Kremlin-backed hackers responsible for the botnet, a group known to cybersecurity researchers as Sandworm, exploited a vulnerability in WatchGuard Technologies firewall devices to install malware on them, turning the compromised devices into a botnet. After obtaining physical access to a subset of infected devices, the FBI said it was able to reverse engineer the malware and use that knowledge to gain access to all of the botnet’s command-and-control devices.

The government’s use of a search warrant to gain such remote access to individual computers without notice to the owners relied on a 2016 amendment to Rule 41, a federal rule of criminal procedure. That amendment was the culmination of a three-year deliberation process that included written comments and public testimony before the federal judiciary’s Advisory Committee on the Federal Rules of Criminal Procedure, a committee of judges, law professors, and attorneys in private practice. It was ultimately adopted by the Supreme Court and allowed by Congress to take effect.

While the amended rule has been used previously, legal experts say this case appears to…