The FBI Blindly Hacked Computers in Russia, China, and Iran
New court papers show the Bureau repeatedly broke into devices overseas as part of ordinary, criminal investigations. In countries hostile to the U.S., that may be a problem.
During a hacking operation in which U.S. authorities broke into thousands of computers around the world to investigate child pornography, the FBI hacked a number of targets in Russia, China, and Iran, The Daily Beast has learned.
The news signals the bold future of policing on the so-called dark web, where investigators are increasingly deploying malware without first knowing which country their suspect is located in. Legal experts and commentators say the approach of blindly kicking down digital doors in countries not allied with the U.S. could lead to geopolitical fallout.
The FBI’s actions are “essentially opening the door for other countries to unilaterally hack devices located in the U.S. in the law-enforcement context,” Scarlet Kim, legal officer at U.K.-based activist group Privacy International, which has closely followed the FBI’s global hacking operation, told The Daily Beast.
The case centers around the FBI’s 2015 Operation Pacifier investigation, which delved into a child-pornography site called Playpen. Playpen was part of the dark web, a small collection of sites that use special software called Tor to mask the physical location of their servers. Visitors to these sites also use Tor to conceal where they’re connecting from—meaning law enforcement couldn’t simply identify who was using the illegal site.
So, when a foreign law-enforcement agency found Playpen’s administrators were running the site from the U.S., the FBI seized Playpen’s server. Instead of shutting the site down straight away, however, the FBI moved it to a government facility and kept Playpen operational for 13 days. During this time, the Bureau deployed what it describes as a network investigative technique (NIT)—a computer exploit and piece of malware—to break into Playpen users’ computers and grab identifying information; most importantly, their IP address. Armed with this, the FBI could subpoena internet service providers to reveal who had accessed Playpen. It’s a digital equivalent of an FBI squad picking the lock of a private residence, collecting evidence, and taking it back to headquarters.
In all, the FBI hacked over 8,000 computers in 120 countries, including across South America, Europe, and in the U.S. too. The operation led to hundreds of arrests, as well as the identification and rescue of hundreds of victims of child abuse, according to the FBI’s own figures.
However, something the FBI has kept quiet, and which has not previously been reported, is that the Bureau also hacked computers in countries that have a particularly volatile relationship with the U.S., especially around issues of malicious hacking, “including Russia, Iran, and China,” according to a recently filed court record.
An FBI spokesperson declined to comment.
The court document was filed as part of an appeal in U.S. v. Tippens. A federal judge sentenced David Tippens in June after the FBI’s evidence linked him to the Playpen website. Tippens’ federal public defender, Colin Fieman, like dozens of other lawyers across the country, has pushed back against the FBI’s hacking of his clients’ computers, questioning the legality of the search. The American Civil Liberties Union and the Electronic Frontier Foundation, as well as Privacy International, have filed briefs in Tippens’ case.
Part of the defense lawyers’ case hangs on the claim that the Virginia judge who signed the mass-hack warrant did not have the seniority to greenlight searches outside of her district, meaning that any evidence the FBI’s malware collected should be thrown out. Crucially, the FBI would not have known where targets were based when the agency deployed the malware—indeed, that was the very problem the FBI was trying to solve: Who was visiting Playpen, and from where?
Although U.S. defense lawyers have solely focused on domestic cases, experts overseas have raised issues with the FBI breaking into computers internationally—particularly with suspects in countries like Russia and China.
“Those risks are especially potent in the hacking context because the identity of the attacker and the purpose of the hack may not be immediately clear,” Kim from Privacy International said. In other words, the FBI may deploy a piece of malware, hack into a foreign computer, and all the target sees is a piece of suspicious software connecting to a U.S. government facility—something that could easily ring alarm bells.
And as we’ve seen before, recipient countries may treat overseas law enforcement’s hacking operations as criminal acts.
In 2002, the FBI hacked into a Russian server that was part of a cybercrime spree in order to gather evidence. E.J. Hilbert, a former FBI special agent who worked on that case, told The Daily Beast, “we conducted the hack and collection and notified the Russian authorities; only to be notified that arrest warrants had been issued for the agents involved for hacking a Russian computer system.”
The circumstances around that case and Operation Pacifier are somewhat different, though. The hack Hilbert worked on centered around financially driven cybercrime, whereas Operation Pacifier concerned child pornography—a crime most countries would be happy to combat. But there is still a significant risk of unintended diplomatic consequences, legal experts say.
“Without the articulation of specific norms on when, how, and who law-enforcement actors should be permitted to hack, cross-border cyberoperations that are attributed to U.S. law enforcement may send unintended signals to other states,” Ahmed Ghappour, an associate professor at Boston University School of Law who has researched law-enforcement agencies’ use of malware on the dark web, told The Daily Beast.
Collin Anderson, a cybersecurity researcher with a focus on Iran, said that in practical terms, however, this sort of law-enforcement hacking operation probably would not antagonize the Iranians.
“It’s unlikely that FBI hacking, especially against an individual and where it doesn’t lead to destruction, would prompt further deterioration in U.S.-Iran relations,” he told The Daily Beast. “The true risk is how the FBI’s procedures and communications about their use of malware creates international norms that are adopted by countries where rule of law is weak.”
An FBI official who worked on Operation Pacifier has said that getting some countries to cooperate has been difficult when the Bureau tried to provide the collected intelligence.
“Some foreign countries are very slow to act on the information that they receive because it has to go through official diplomatic channels,” FBI Special Agent Daniel Alfin said during testimony in a related case, without specifying the countries.
The Permanent Mission of the Islamic Republic of Iran to the United Nations did not respond to a request for comment. Neither did Russian or Chinese law-enforcement bodies.