Applying law to cyberattacks

Author: Helaine Leggat

 

I have consistently called for the application of existing national laws to cyberspace. The case discussed below is an excellent example of how this works. Apart from the more obvious causes of action under criminal law, spearphishing, facilitated through the unlawful use of Microsoft’s Intellectual Property, is dealt with as trademark infringement and passing off. There are other good examples, such as the common law of trespass to chattels. This approach would work equally well in Australia and other countries.

In Microsoft Corporation (Plaintiff) vs John Doe 1-2 Controlling a Computer Network and thereby Injuring the Plaintiff and its Customers (Defendants),[1] the United States District Court for the Eastern District of Virginia held that evidence set forth in Microsoft’s Brief in Support of an Ex Parte Application for Temporary Restraining Order and Order to Show Cause Re Preliminary Injunction demonstrated that Microsoft was likely to prevail in its claim that the Defendants had engaged in violations of various laws.

 

The laws

Microsoft’s complaint for injunctive and other relief was filed pursuant to the:

      1. Computer Fraud and Abuse Act, 18 U.S. Code § 1030.[2]
      2. Trademark Infringement under the Lanham Act, 15 U.S. Code § 1114 et seq.
      3. False Designation of Origin under the Lanham Act, 15 U.S.C. § 1125(a).
      4. Trademark Dilution under the Lanham Act.
      5. Common Law of Trespass to Chattels.[3]
      6. Unjust Enrichment.[4]
      7. Conversion.[5]

 

The attacks

The cyberattacks involved alleged activities by the Defendants, including:

      • Intentionally accessing and sending malicious software, code, and instructions to the protected computers, operating systems, and computer networks of Microsoft and the customers of Microsoft, without authorization or exceeding authorization, in order to:
            1. steal and exfiltrate information from those computers and computer networks;
            2. infect those computers and computer networks with malicious code and thereby gain control over those computers and computer networks; and
            3. attack and compromise the security of those computers and computer networks by conducting remote reconnaissance, stealing authentication credentials, monitoring the activities of users, and using other “instrumentalities” of theft.
      • Deploying computers, Internet domains and IP addresses to establish a command-and-control infrastructure by which the Defendants conducted illegal activities, including attacking computers and computer networks, monitoring the activities of users, and the theft of information;
      • Corrupting Microsoft’s applications on the victims’ computers and Microsoft’s servers, using them to monitor the activities of users and steal information from them.

 

The facts

The Court held that there was good cause to believe the Defendants had:

      • Operated their spearphishing campaigns through certain domains and domain registration facilities.
      • Engaged in illegal activity by using the domain registration facilities of the domain registries identified by Microsoft to register domains and violate the trademarks of Microsoft, deceive Microsoft customers, steal credentials, and deliver from those domains the malicious code, content and commands that the Defendants used to access Microsoft’s services without authorisation and to receive information stolen from those accounts and computers.
      • Engaged in illegal activity by using deceptive and fraudulent methods to steal computer users’ account credentials and use such credentials for illegal purposes.
      • Engaged in illegal activity using the Internet domains identified by Microsoft to host malicious content used to compromise the servers of Microsoft and Microsoft’s customers and to steal information from them.

The Court held that, to immediately halt the injury caused by the Defendants, the Defendants must be prohibited from accessing Microsoft services without authorization, and be prohibited from sending malicious code, content, and commands from Internet domains identified by Microsoft to the computers of Microsoft’s customers or to Microsoft servers. The Court also held that each of the Defendants’ domains identified by Microsoft must be immediately transferred beyond the control of the Defendants.

The Court held that there was good cause to permit notice of the instant Order and the Preliminary Injunction hearing, and service of the Complaint by formal and alternative means, given the exigency of the circumstances and the need for prompt relief. Service was authorised by law to satisfy due process and to notify Defendants by email, fax, mail and/or personal delivery to the contact information provided by the Defendants to the Defendants’ domain registrar (presuming the details provided were correct), or by publishing notice on a publicly available Internet website or through an international treaty process.

 

Decision and orders

In arriving at its decision to grant the relief, the court made the following findings of fact and conclusions of law:

      • The court had jurisdiction and Microsoft was likely to succeed on the merits of the claims.
      • Microsoft owned the registered trademarks and, unless the Defendants were restrained immediately, irreparable harm would result from the Defendants’ ongoing violations. If the conduct continued, irreparable harm would occur to Microsoft, Microsoft customers and the public, and the Defendants would continue to engage in unlawful actions.
      • If the Defendants were not immediately restrained, the Court would not be able to grant temporary or final relief because the Defendants would sell, transfer, or conceal the command-and-control software that was hosted or otherwise operated through domains identified by Microsoft, or destroy, conceal or otherwise prevent discoverable evidence being available. The Defendants were likely to delete or relocate the command-and-control software and the malicious software disseminated through the Internet domains, allowing them to continue their illegal acts, and to warn associates if informed of the action.
      • The Court held that the Defendants’ activities had violated United States law, the rights of Microsoft, the public, Microsoft’s customers, and further that the Defendants continued their unlawful conduct despite clear injury. Microsoft’s request for emergency relief was not the result of any lack of diligence on Microsoft’s part.
      • Good cause in the interest of justice required the Order be granted without prior notice, and that the Defendants be temporarily restrained and enjoined from:
            1. intentionally accessing and sending malicious software, or code to Microsoft and the protected computers and operating systems of Microsoft, and Microsoft customers, without authorization, in order to compromise those computers;
            2. intentionally attacking and compromising computers or computer networks of Microsoft or Microsoft’s customers in order to monitor the activities of owners and users of computers or computer networks and steal information from those computers or networks;
            3. configuring, deploying, operating, or otherwise participating in or facilitating the command-and-control infrastructure, or the software hosted at and operating through the Internet domains identified by Microsoft;
            4. stealing information from Microsoft’s customers or misappropriating that which rightfully belonged to Microsoft and its customers;
            5. downloading malicious software onto computers of Microsoft customers, or undertaking similar activity inflicting harm on Microsoft, Microsoft customers, or the public;
            6. using and infringing Microsoft’s trademarks, product or services including any false or deceptive designation, representation or description of Defendants’ activities whether by symbols, words, designs, or statements which would damage or injure Microsoft or give the Defendants an unfair competitive advantage, or result in deception of consumers;
            7. acting in any manner which suggests that the Defendants’ activities, products or services come from, or are somehow sponsored by or affiliated with Microsoft; and
            8. passing off Defendants’ activities, products, or services as Microsoft’s.
      • Regarding domain registrations, it was further ordered that any domain registries located in the US[6] shall unlock and change the register of record for the relevant domains to ensure that Microsoft has control over the hosting and administration of those domains to prevent further modification or deletion of the domains by the Defendants, or the transfer or control of those domains to the account of any party.

 

 

Conclusion

It is not necessary to promulgate a new law for each new form of cyberattack. In most cases we should rather rely on the laws and international agreements we already have.

 

[1] Alexandria Division. Case 1:22-cv-00607-AJT-WEF *SEALED* Document 16 Filed 05/27/22. https://news.microsoft.com/wp-content/uploads/prod/sites/358/2022/06/Doc.-No.-16-Ex-parte-TRO-SEALED.pdf

[2] Fraud and related activity in connection with computers. The US federal ‘anti-hacking’ law. Among other things, this law makes it illegal to intentionally access a computer without authorization or in excess of authorization.

[3] Trespass to chattels and conversion are both intentional torts that refer to a wrongful, intentional interference with the possession of someone’s personal property. The main difference between trespass to chattels and conversion is the degree of interference.

[4] The elements of a claim of unjust enrichment include receipt of a benefit and unjust retention of the benefit at the expense of another.

[5] Conversion occurs when a person uses or alters a piece of personal property belonging to someone else without the owner’s consent.

[6] Registries not in the US were asked to take similar steps.

ICTLC Australia
australia@ictlegalconsulting.com