Cyber Security Alert - Major Cyber Security Threat Affecting US Companies
Stewart Baker and William Nakhleh
July 28, 2009
You know that scene in the movies where two guys in uniform start up the drive to the young Army wife's front door, and she starts crying before they even tell her she's a widow? Well, a lot of companies are feeling like a young Army wife these days.
Many companies are certainly getting bad news from the Defense Department and other investigative agencies. Defense investigators are letting companies know that hackers have uploaded malware onto their computers to collect data, potentially exposing the companies to legal liabilities and obligations.
Earlier this year, a group named The SecDev Group published a report revealing an extensive malware-based cyber espionage network dubbed “Ghostnet.” Ghostnet is a sophisticated network, not detectable by two-thirds of the antivirus programs on the market today, and believed to use targeted emails to deliver its malicious software, usually via an attachment in Microsoft Word. Once a computer is infected, the malware “phones home” for instructions to control servers, most of which are located on Hainan Island, China. The malware and control servers establish a two-channel communication system: one channel for command and control, and one for the exfiltration of data from the infected computer. Finally, the attacker takes administrative control of the infected computer and its network.
With administrative control, the attackers are able to log keystrokes, download files with sensitive, proprietary, and possibly even classified information, and turn on an infected computer’s microphone or webcam without the users’ awareness. Thus, a user can be sitting in an office having a face-to-face meeting, and the operators of the Ghostnet control servers can be watching, listening in, and recording the whole meeting.
Although the known companies and governments identified in the Ghostnet report have been predominantly located outside of the United States, some have been located within it. Companies such as Associated Press and Deloitte & Touche have been targeted, as have various embassies, including the Embassy of India in the United States. United States government agencies have also been notifying companies – including defense contractors – that they have been hit, often to the surprise of the victim companies.
Victim companies could face significant legal risk. If personal information was breached, companies could be obligated to notify affected individuals and state government officials under the 45 different state breach notification laws in the United States. They could also find themselves facing investigation by, among others, the FTC, financial industry regulators, state attorneys general, and European data protection authorities over their allegedly inadequate security and failure to safeguard personally identifiable information. Lawsuits by an increasingly active plaintiffs’ bar are also a real possibility. And defense contractors could find themselves at risk of losing their contracts or facing other penalties, pursuant to their contract terms and the Federal Acquisition Regulations.
Companies that find Ghostnet in their computer networks thus should be careful to consider the potential legal risks when they interact with government officials and conduct a forensic examination of their networks, and involve counsel as soon as they suspect they were attacked (both to anticipate legal issues and to extend the protection of attorney-client privilege to the findings of forensic investigators). Because nowadays, fixing the security glitches that allowed the cyber attack to occur is only the first step in solving the problem. For better or for worse, steps two, three and four are likely to involve lawyers as well as engineers.
For More Information
If you have any questions regarding these cyber attacks and how to handle them, please contact Stewart A. Baker (202.429.6402 or sbaker@steptoe.com). Mr. Baker has recently returned to Steptoe & Johnson LLP following 3½ years at the Department of Homeland Security, where he oversaw policy issues relating to cyber security. He had previously served as General Counsel for the National Security Agency.