Anti-Malware , Cybersecurity , Ransomware
Report: British Officials Knew of Marcus Hutchins Arrest Plans Information Security Researchers Fault GCHQ for Failing to Help WannaCry 'Hero'
What rights, privileges or courtesies can a U.K. researcher who helped stop a global malware outbreak expect to receive at the hands of the FBI? And what protections should he enjoy via British officials and institutions?
See Also: IoT is Happening Now: Are You Prepared?
The answer appears to be "none at all," in the wake of a Sunday report that claims British intelligence agency GCHQ knew in advance that the FBI planned to arrest security researcher Marcus Hutchins when he visited the United States for the annual Black Hat and Def Con conferences last month.
GCHQ and British government officials evidently did nothing to help resolve related questions in advance or avert the arrest.
"Our U.S. partners aren't impressed that some people who they believe to have cases against [them] for computer-related offences have managed to avoid extradition," an unnamed source told the Sunday Times, which reported that GCHQ was tipped off to the arrest in advance. "Hutchins's arrest freed the British government and intelligence agencies from yet another headache of an extradition battle," the source added.
What the Sunday Times source overlooks, of course, is that it's not up to Americans to decide if they think British extradition laws are too onerous, or British government officials to bypass laws designed to protect U.K. citizens, simply because they might create diplomatic headaches.
Rather, foreign governments should have to convince a U.K. judge that they have an ironclad case against a suspect for whom they're seeking extradition, and that a British suspect, tried in U.S. courts, will not face unduly harsh punishment. And the British government must safeguard those rights.
Mixed Extradition Success
To date, U.S. attempts to extradite British nationals for alleged cybercrime activities have had mixed success. Lauri Love, for example, has been charged with 2012 and 2013 hack attacks against U.S. government computers. But in April, Britain's high court ruled that he can challenge an extradition order signed last year by U.K. Home Secretary Amber Rudd (see 'Real People' Don't Want Crypto, UK Home Secretary Claims).
That followed the British government in 2012 blocking the extradition of Gary McKinnon on medical grounds. The Scottish man has been accused by U.S. prosecutors of executing "the biggest military computer hack of all time." A medical review board, however, had warned that the extradition of McKinnon, who has Asperger Syndrome and "suffers from depressive illness," would result in a "high risk" that he would commit suicide.
Hutchins, meanwhile, has no criminal history, and the 23-year-old pleaded not guilty last week in a Wisconsin federal court to a six-count indictment tied to his alleged development of Kronos banking Trojan from July 2014 to July 2015 (see WannaCry 'Hero' Pleads Not Guilty, Allowed Back Online).
He's been freed after posting a $30,000 bond, has had his British passport confiscated and must wear a GPS location-monitoring device. He's been allowed to travel to Los Angeles, however, where his employer Kryptos Logic is headquartered, and it appears he'll be based there pending the resolution of his trial.
Criticism for GCHQ
The suggestion that British authorities might have looked the other way on Hutchins' arrest to please their American law enforcement counterparts has triggered widespread condemnation from members of the information security community, on both sides of the pond.
"GCHQ wants the best and the brightest to work with them, but will sell them out to the U.S.," says Jake Williams, principal consultant at Rendition Infosec, who formerly served in the U.S. Army, via Twitter. "Good recruiting plan ..."
GCHQ wants the best and the brightest to work with them, but will sell them out to the US. Good recruiting plan... https://t.co/QyEBGnG0RY
GCHQ couldn't be immediately reached for comment on the Sunday Times report.
Will Charges Hold Up?
A six-count indictment filed July 11 against Marcus Hutchins and a co-defendant whose name has been redacted.Anyone who has committed a crime should be forced to defend themselves in court.
But based on the allegations that have so far been made public against Hutchins, the U.S. indictment looks thin. For example, he's been accused of developing the Kronos banking malware based on chat logs in which he allegedly claimed to have done so.
Some of the supposed evidence against Hutchins, however, appears to fail sniff tests. For starters, "good guy" researchers may pretend to be one of the "bad guys" to trick cybercrime syndicates into sharing their code, so they can take it apart and find better ways to defeat it.
Security firms have also reported that Kronos appears to be a product of the Russian cybercrime underground and has been advertised in multiple Russian-language forums. The malware appeared in 2014, but was seen - being distributed by the RIG exploit kit - as recently as last month.
Kronos Code: Sophisticated
Following Hutchins' arrest, security firms have begun taking a much closer look at Kronos. And security firm Malwarebytes reported Friday that Kronos appears to have been developed by an individual or group with extensive experience.
"An overall look at the tricks used by Kronos shows that the author has a prior knowledge in implementing malware solutions," according to a blog posted by security researchers at Malwarebytes. "The code is well obfuscated, and also uses various tricks that requires understanding of some low-level workings of the operating system. The author not only used interesting tricks, but also connected them together in a logical and fitting way."
The security firm's takeaway is that it would have been highly unusual for a 21-year old to be able to write such a sophisticated piece of malware.
"The level of precision lead us to the hypothesis that Kronos is the work of a mature developer, rather than an experimenting youngster," it says.