The Ethics and Morality Behind APT Reports

Investigating state-sponsored espionage and counterterrorism is one thing. Writing public reports about these activities is another.

DENVER—Investigations into state-sponsored APT campaigns are much more than black-and-white research into malware, exploits and zero-days. Behind the scenes, these can be geopolitical powder kegs that require moral examinations into the ethics of publishing public reports that could expose tools that may be used by nations to take down terrorism operations or large-scale criminal investigations.

Very few of these discussions are held in public, but on Thursday at Virus Bulletin during a brisk 30-minute panel, some of the high-level touchpoints were covered and some raw emotion exposed.

One of the few things that panelists Morgan Marquis-Boire, a researcher, journalist and director of security at First Look Media, and researcher Brian Bartholomew of Kaspersky Lab agreed upon was that it’s not enough to just report facts such as indicators of compromise and investigate malware and exploit behavior.

“If you do that, it means that you start capping your investigation to malware in a certain constraining box,” Marquis-Boire said, citing an analogy often used by Kaspersky Lab’s Costin Raiu, who talks about malware research as a form of archaeology. “You try to figure out what this animal was doing, what did it eat, where did it graze. When you investigate malware and you have a binary, by simply saying ‘Here’s what it does’ means that there is a whole stack of research related to this that you’re electing not to do.”

Bartholomew, a former U.S. government red-teamer, and Marquis-Boire, a researcher who has exposed numerous oppressive-government surveillance operations for Citizen Lab and the EFF, came at Thursday’s discussion with diverse experiences. As part of Kaspersky Lab’s Global Research and Analysis Team, Bartholomew is part of an organization that has disclosed the espionage activities of high-profile APTs, including the Equation Group, DarkHotel, Careto and many others. Most of these groups are government-backed, and the public reports exposing their activities put a number of zero-day vulnerabilities and exploits out of commission. But there are times, such as possibly outing counterterrorism operations, when the decision to publicize isn’t as clearcut as it has been in publishing cyberespionage reports.

“We may look at malware, crack it open and see the victimology and see that 99 percent of users are visiting extremist forums and this is how they’re getting infected and it seems to be a targeted campaign,” Bartholomew explained. “At what point are we as researchers in position to make that judgment as to whether visiting extremist forums is bad? It’s one thing to detect malware, but writing a report for the world to read is a completely different thing. To me, it’s a little irresponsible to dump things out there if there’s a high suspicion this may be targeting bad people.”

Marquis-Boire countered that some governments, however, don’t have the same standards for characterizing groups as terrorists. One unnamed government, he said, labeled a group of bloggers as a terror group because of their use of a particular phrase related to attaining freedom by any means necessary.

“It was enough for that particular government to decide they were terrorists,” he said. “Labeling a group as terrorists can be expedient for governments, especially if they don’t like a group.”

Much of the debate was hardly clear-cut. For example, most nations don’t have the equivalent of the First Amendment and dissent is likely illegal in these geographies.

“There are places where dissent is illegal and you could get painted as a terrorist. I don’t have a moral problem helping these people out because I think their laws are [crap],” Marquis-Boire said. “That’s a moral judgment I’m making. What we publish comes down to whether it’s in the public interest. We don’t make evaluations about whether we’re going to blow up legitimate government operations or not. It’s about what’s in the public interest.”

The fact remains that, as Marquis-Boire pointed out, the industry standard is that it’s acceptable to publish reports that expose cyberespionage, but the waters are murky when it comes to outing counterterrorism. Bartholomew said that governments’ habit of purchasing spyware from groups such as the Hacking Team or the NSO Group behind the Trident iOS vulnerabilities, are adding to the murk.

“Why do we accept publishing of a traditional cyberespionage collection operation?” Bartholomew asked. “Do we accept counterterrorism as well?”

Suggested articles