What rights, privileges or courtesies can a U.K. researcher who helped stop a global malware outbreak expect to receive at the hands of the FBI? And what protections should he enjoy via British officials and institutions?
The answer appears to be "none at all," in the wake of a Sunday report that claims British intelligence agency GCHQ knew in advance that the FBI planned to arrest security researcher Marcus Hutchins when he visited the United States for the annual Black Hat and Def Con conferences last month.
GCHQ and British government officials evidently did nothing to help resolve related questions in advance or avert the arrest.
"Our U.S. partners aren't impressed that some people who they believe to have cases against [them] for computer-related offences have managed to avoid extradition," an unnamed source told the Sunday Times, which reported that GCHQ was tipped off to the arrest in advance. "Hutchins's arrest freed the British government and intelligence agencies from yet another headache of an extradition battle," the source added.
What the Sunday Times source overlooks, of course, is that it's not up to Americans to decide if they think British extradition laws are too onerous, or British government officials to bypass laws designed to protect U.K. citizens, simply because they might create diplomatic headaches.
Rather, foreign governments should have to convince a U.K. judge that they have an ironclad case against a suspect for whom they're seeking extradition, and that a British suspect, tried in U.S. courts, will not face unduly harsh punishment. And the British government must safeguard those rights.
Mixed Extradition Success
To date, U.S. attempts to extradite British nationals for alleged cybercrime activities have had mixed success. Lauri Love, for example, has been charged with 2012 and 2013 hack attacks against U.S. government computers. But in April, Britain's high court ruled that he can challenge an extradition order signed last year by U.K. Home Secretary Amber Rudd (see 'Real People' Don't Want Crypto, UK Home Secretary Claims).
That followed the British government's 2012 decision to block the extradition of Gary McKinnon on medical grounds. The Scottish man has been accused by U.S. prosecutors of executing "the biggest military computer hack of all time." A medical review board, however, had warned that the extradition of McKinnon, who has Asperger Syndrome and "suffers from depressive illness," would result in a "high risk" that he would commit suicide.
Hutchins, meanwhile, has no criminal history, and the 23-year-old pleaded not guilty last week in a Wisconsin federal court to a six-count indictment tied to his alleged development of the Kronos banking Trojan from July 2014 to July 2015 (see WannaCry 'Hero' Pleads Not Guilty, Allowed Back Online).
He's been freed after posting a $30,000 bond, has had his British passport confiscated and must wear a GPS location-monitoring device. He's been allowed to travel to Los Angeles, however, where his employer Kryptos Logic is headquartered, and it appears he'll be based there pending the resolution of his trial.
Criticism for GCHQ
The suggestion that British authorities might have looked the other way on Hutchins' arrest to please their American law enforcement counterparts has triggered widespread condemnation from members of the information security community, on both sides of the pond.
"GCHQ wants the best and the brightest to work with them, but will sell them out to the U.S.," says Jake Williams, principal consultant at Rendition Infosec, who formerly served in the U.S. Army, via Twitter. "Good recruiting plan ..."
Tweet from Jake Williams (@MalwareJake), August 20, 2017: "GCHQ wants the best and the brightest to work with them, but will sell them out to the US. Good recruiting plan..." https://t.co/QyEBGnG0RY
GCHQ declined to discuss Hutchins' arrest or the Sunday Times report. "This is a law enforcement matter and it would be inappropriate to comment further," an NCSC spokesman told me. As that suggests, GCHQ is an intelligence agency, and it would have been unlikely for it to have been tipped off by the FBI. Rather, the FBI's counterpart - the U.K. National Crime Agency - or the U.K.'s Home Office, which oversees justice matters, would have been the more likely recipient of related information.
Will Charges Hold Up?
Anyone who has committed a crime should be forced to defend themselves in court.
But based on the allegations that have so far been made public against Hutchins, the U.S. indictment looks thin. For example, he's been accused of developing the Kronos banking malware based on chat logs in which he allegedly claimed to have done so.
Some of the supposed evidence against Hutchins, however, appears to fail the sniff test. For starters, "good guy" researchers may pretend to be one of the "bad guys" to trick cybercrime syndicates into sharing their code, so they can take it apart and find better ways to defeat it.
Security firms have also reported that Kronos appears to be a product of the Russian cybercrime underground and has been advertised in multiple Russian-language forums. The malware appeared in 2014, but was seen - being distributed by the RIG exploit kit - as recently as last month.
Kronos Code: Sophisticated
Following Hutchins' arrest, security firms have begun taking a much closer look at Kronos. And security firm Malwarebytes reported Friday that Kronos appears to have been developed by an individual or group with extensive experience.
"An overall look at the tricks used by Kronos shows that the author has prior knowledge in implementing malware solutions," according to a blog posted by the independent Polish information security researcher known as Hasherezade on the Malwarebytes site. "The code is well obfuscated, and also uses various tricks that require understanding of some low-level workings of the operating system. The author not only used interesting tricks, but also connected them together in a logical and fitting way."
Her takeaway is that it would have been highly unusual for a 21-year-old to be able to write such a sophisticated piece of malware.
"The level of precision led us to the hypothesis that Kronos is the work of a mature developer, rather than an experimenting youngster," she writes.
Did Hutchins Err?
Hasherezade had suspected that code in Kronos - a hooking engine - might trace to Hutchins and to a public GitHub repository that he maintained. Hutchins says his GitHub repository only contains code or techniques that he's found via his open-source research. "It might be worth noting that nothing on my github was invented by me, they are all PoCs [proof of concepts] of existing methods," Hutchins told Hasherezade Friday on Twitter.
In February 2015, Hutchins himself noted that he'd found code that he posted to the GitHub repository reused in a malware sample that he'd analyzed, although he did not name Kronos. "This is why we can't have nice things," he said at the time.
But Hutchins may have erred in his assessment. In her Malwarebytes blog post on Monday, Hasherezade says she discovered that the code in Kronos predates Hutchins' GitHub post. "Looking at the hooking engine of Kronos we can see a big overlap, that made us suspect that this part of Kronos could be indeed based on his ideas," she says. "However, it turned out that this technique was described much earlier ... and both authors learned it from other sources rather than inventing it."
August 22: Story updated to note that Hasherezade authored the cited Malwarebytes blog post, and with additional research and commentary from both her and Hutchins, as well as comment from GCHQ.