Paris (AFP)

An unexpected tip-off, collaboration with the FBI, a dose of luck and a million computers cleaned without their owners realizing it: the French gendarmerie gave details of its spectacular operation against a "botnet" (a network of hacked computers) and of the legal framework behind it.

During a debate organized by the FIC observatory on the Retadup botnet on Tuesday, the officers in charge of the investigation detailed their approach and their reading of the legal framework within which they acted to neutralize this virus.

- How did the gendarmerie proceed?

While operations against cybercrime most often need a stroke of luck to succeed, the investigators of the Center for combating digital crime (C3N) of the National Gendarmerie benefited this time from a genuine "alignment of the planets".

Following a report from the Czech antivirus publisher Avast, the gendarmerie found that computers infected by the "botnet" - also called "zombie machines" - periodically contacted a machine located in France to receive instructions to execute, usually large-scale attacks or cryptocurrency mining operations. This master server was rented to a French technical service provider by a foreign host.

In the course of a preliminary investigation, the investigators conducted a search and - with the consent of the service provider - analyzed and then replaced the server with a modified version.

Technically, the gendarmes took advantage of a "flaw" in the hacker's "poor programming" and were able to disable the botnet by sending an "empty command".

Meanwhile, to prevent any attempt by the hacker to divert traffic to another machine, collaboration with the FBI made it possible to redirect about twenty domain names used by the virus to the French machine.

Since the server was installed on July 1, 2019, 1.3 million computers, mostly in Latin America, have tried to connect to it, and it is now controlled by the gendarmerie.
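The mechanism described above, a replaced master server that answers every check-in with an instruction set containing no tasks and only records who called in, can be sketched as follows. This is an added illustration, not the gendarmerie's code; the JSON beacon format, the bot ids and the country codes are constructed stand-ins, since the article does not describe Retadup's real protocol.

```python
# Sinkhole sketch (added example, hypothetical beacon format, not Retadup's protocol).
import datetime as dt
import json
from collections import Counter
from dataclasses import dataclass, field

# The "empty command": an instruction set with zero tasks, sent to every caller.
EMPTY_COMMAND = b'{"tasks": []}'


def command_is_empty(cmd: bytes) -> bool:
    """Safety check on the reply before it leaves: it must parse and carry no tasks."""
    try:
        doc = json.loads(cmd.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return isinstance(doc, dict) and doc.get("tasks") == []


@dataclass
class SinkholeRegistry:
    """What the sinkhole records: unique bot ids, countries, per-day hit counts."""
    bots: set = field(default_factory=set)
    countries: Counter = field(default_factory=Counter)
    daily: Counter = field(default_factory=Counter)
    malformed: int = 0


def parse_beacon(raw: bytes):
    """Parse a hypothetical beacon {"id": "<bot id>", "cc": "<country>"}; None if invalid."""
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("id"), str):
        return None
    return msg


def handle_beacon(raw: bytes, registry: SinkholeRegistry, now: dt.datetime) -> bytes:
    """Log the check-in and reply with the empty command, whatever the bot sent."""
    registry.daily[now.date().isoformat()] += 1
    msg = parse_beacon(raw)
    if msg is None:
        registry.malformed += 1
    else:
        registry.bots.add(msg["id"])
        registry.countries[msg.get("cc", "??")] += 1
    reply = EMPTY_COMMAND
    if not command_is_empty(reply):  # never let a real instruction leave the sinkhole
        raise RuntimeError("refusing to send a non-empty command")
    return reply


# Constructed sample traffic: three bots, one of them checking in twice, plus junk.
SAMPLE_BEACONS = [
    (b'{"id": "bot-a1", "cc": "PE"}', dt.datetime(2019, 8, 28, 9, 0)),
    (b'{"id": "bot-b2", "cc": "MX"}', dt.datetime(2019, 8, 28, 9, 5)),
    (b'{"id": "bot-a1", "cc": "PE"}', dt.datetime(2019, 8, 29, 9, 0)),
    (b'\xff\xfenot a beacon', dt.datetime(2019, 8, 29, 9, 1)),
    (b'{"id": "bot-c3", "cc": "BR"}', dt.datetime(2019, 8, 29, 9, 2)),
]


def run_sample() -> SinkholeRegistry:
    """Feed the constructed beacons through the handler and return the registry."""
    reg = SinkholeRegistry()
    for raw, when in SAMPLE_BEACONS:
        reply = handle_beacon(raw, reg, when)
        assert reply == EMPTY_COMMAND
    return reg


if __name__ == "__main__":
    r = run_sample()
    print(len(r.bots), "unique bots;", dict(r.daily), "hits per day;", r.malformed, "malformed")
```

The two points the article makes are visible in the code: the only thing the server can ever send is the pre-checked empty instruction set, and the operation touches nothing on the infected machines, it only counts them, which is how figures such as "1.3 million computers" and "10,000 daily connections" are obtained on the sinkhole side.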

- Has the origin of the "botnet" been identified?

The source of the Retadup infection, which contaminates Windows systems that are generally not protected by an antivirus, remains unknown. It may be a website offering a malicious link or an email attachment spreading from machine to machine. Infected computers that have been switched off are also likely to be turned back on and reconnect.

As a result, 10,000 daily connections still reach the gendarmes' server and the pace is not slowing. According to the gendarmes, it is up to the courts to decide when to stop the intervention.

In addition, the perpetrator(s) of the attack have not been identified. Generally, clearance rates in cybercrime cases remain low.

- A case of extraterritoriality?

Unlike previous cases led by the authorities of the Netherlands or the United States, the gendarmerie neutralized a virus on more than one million machines around the world without the prior consent of their users. A "world first" that raises questions about the legal framework for intervening outside French territory.

"The question we asked ourselves was how do we stop the crime and neutralize the virus without touching the infected machines?" said Lieutenant-Colonel Fabienne Lopez, who heads the Center for combating digital crime.

"There was no cleaning of the computers, we did not do the work of an antivirus company," she said, as the disabled malicious software remained on the infected machines.

For Colonel Éric Freyssinet, head of the gendarmerie's digital mission, "the risk was measured" because tests had made it possible to ensure the safety of the command sent back to the "zombie" computers.

"I think there has been no violation of the sovereignty" of other states, said Karine Bannelier, Deputy Director of the Grenoble Alpes Cybersecurity Institute, interviewed by AFP. The operation took place "without intrusion or damage to our knowledge, nor intention to put pressure on a State".

For the researcher, "it is also the obligation of France to ensure that (malicious) operations conducted on its territory do not affect the security of another country."

© 2019 AFP