Written by Chris Bing

Private sector cybersecurity companies are increasingly stuck with difficult decisions when it comes to publicizing research into malware. Over the past few years, nation-states have increasingly devoted time, money and man-hours to creating sophisticated weapons that wreak havoc once they are unleashed on the internet.

When private companies find these nation-state tools and break them apart for examination, the dynamic gets complicated very quickly: No longer are they just trying to figure out who is responsible — they have to tiptoe around the ramifications of how a public report could impact relationships with governments around the world.

Beyond merely attributing sophisticated malware, large-scale cybersecurity firms are often left with tough questions: Should those based in the United States avoid publicly releasing research on cyber-espionage campaigns if they look to be conducted by allied governments? What does a company owe its clients when handling homegrown digital threats? Do these companies have a plan of action for upending a government program if and when their research goes public?

Over the last several months, CyberScoop has individually spoken with some of the largest companies in the market to get answers.

The interviews reveal a complex and nuanced relationship between the cybersecurity industry and public sector, which has seen various confidential partnerships develop over time. In some cases, companies are quietly choosing to protect their clients from nation-state-linked hackers without publicly documenting the process. The dynamic raises questions about what motivates companies to act, especially in a climate where commercial cybersecurity reports are used to support Western foreign policy.

With governments around the world leaning on cyber-espionage techniques to obtain secrets, the stakes have risen when it comes to going public with sensitive malware research. The industry dynamic — a often-rotating mix between researchers, former spies and various high-ranking government officials — has led to discussions around the ethics of disclosing specific forms of malware.

A former U.S. intelligence official told CyberScoop that these types of “informal and unique” information sharing partnerships with the cybersecurity industry have proved invaluable in the past. The source said these arrangements are usually driven through “personal, one-on-one relationships” rather than a broad based agreement of some sort. These agreements help companies toe the line between playing nice with the government while letting the public know about the threat.

“You build relationships so you can get advanced warning [on significant research]. That absolutely happens. But what didn’t happen, at least from my understanding, is where someone would outright request they don’t publish something. That’s very drastic and maybe it could threaten the private sharing aspect to it,” the former official said. “Usually it was informal, like ‘Hey, we saw this, you should be aware.'”

The former intelligence official spoke on condition of anonymity in order to describe their own experience in government.

“There were times where [the partnership] meant we had more time to pull implants and take down infrastructure that was somehow affected, even if just tangentially,” the source said. “That was critical.”

No standard

CyberScoop reached out to multiple companies for this story, including CrowdStrike, Dell SecureWorks, FireEye, Kaspersky Lab, McAfee, Microsoft, Palo Alto Networks, Symantec, ThreatConnect, TrendMicro, F-Secure, Qihoo360 and others.

The vast majority did not want to participate. CrowdStrike and Symantec declined to comment. Palo Alto Networks did not respond to a request for comment.

For the companies that did respond, there was no standard for how to handle nation-state-linked investigations or their disclosures. But there were common practices, especially among the firms with heavy public sector contracts.

“Politically, for lack of a better word, there is no difference in how [U.S. government] tools are treated vs. Russian or Chinese,” said Sean Sullivan, a security advisor for F-Secure. “We at F-Secure know that nation states write and spread intrusion tools (aka threats) and engage in [computer network exploitation]. That’s fine with us. But we don’t help them engage in this activity.”

Dell SecureWorks, FireEye, McAfee, TrendMicro and ThreatConnect said they had previously notified government officials before publishing a consequential report on nation-state hacking.

A former security-focused Microsoft employee who spoke to CyberScoop on the condition of anonymity said the Redmond, Washington, tech giant has privately notified the U.S. government in the past. While not a common situation, the company would reach out if a case was causing damage to a U.S.-based entity.

According to the employee, these disclosures sometimes happened before anyone informed the victim. In many cases, the activity was never publicly detailed. Microsoft is a well-known partner of U.S. law enforcement.

In April, Microsoft launched a public initiative that sought to create norms for how private companies should interact with governments on cybersecurity matters, known as the “Cybersecurity Tech Accord.”

When CyberScoop asked Microsoft to elaborate on the tech accord, the company refused to respond. Instead, the company sent a series of unrelated links to Microsoft’s software vulnerability disclosure policy. The disclosure policy does not answer whether Microsoft has informed or currently informs the U.S. government about cyber-espionage operations that it doesn’t publicly document.

The accord does state, rather ambiguously, that technology firms should not assist government-backed hacking operations. Multiple cybersecurity firms have signed on since then, including Trend Micro, Tenable Network Security, BitDefender and F-Secure.

A Kaspersky Lab spokesperson responded to the same CyberScoop inquiry with the following statement: “Kaspersky Lab detects and remediates all forms of malicious programs, including APTs, regardless of their origin or purpose. It also does not matter which language the threat ‘speaks’ whether it’s Russian, Chinese, Spanish, German, or English; in addition, the use of these different languages doesn’t permit attribution to any specific country.”

When pressed to answer if Kaspersky Lab had ever given a government notice of threat research before it was published, the spokesperson declined to elaborate. The Moscow-based firm is currently fighting a lengthy legal battle with the U.S. government. While U.S. intelligence officials have told numerous companies and news outlets that Kaspersky is leveraged by Russian spies, the company denies any wrongdoing.

Sometimes yes, sometimes no

All the companies that responded to CyberScoop’s inquiry did commit to detecting and blocking cyberthreats whenever they become aware of them, regardless of origin or allegiance. But their answers about disclosure varied.

CyberScoop recently reported that FireEye had drawn a red line around exposing certain activities by so-called “friendlies.” The example provided to CyberScoop concerned possibly burning a U.S.-linked operation that used detected malware to spy on suspected terrorist.

Notably, FireEye did, however, blog about an exploit that later became associated with an entity known as “Black Lambert,” which is now commonly linked to the CIA. According to Kaspersky, FireEye’s outing seemed to push the hackers underground.

Conversely, turning a blind eye is not exactly a new phenomenon, although it’s taken on a different meaning as the internet grows into a battlefield for nation-states.

Ronald Prins, who founded Dutch security firm FoxIT, told Mashable in 2014 that his company chose not to publish details about a malware variant known as “Regin” because it might “interfere with NSA/GCHQ operations.” In the past, Prins worked for the Dutch government, a close ally and intelligence partner to the U.S. and Great Britain.

The incidents introduce another important concept: Often cybersecurity companies lack context when first documenting or sharing information about malware. In other words, they’re usually making a decision to publish or otherwise disclose evidence without entirely knowing where it came from or what it’s related to.

“Technical constraints (rather than political) determine how cases are handled,” Sullivan explained, based on his own experience.

“Regin was discovered in bits and pieces. One of the pieces analyzed by F-Secure was discovered after it conflicted with a monthly Microsoft security update on a customer’s server. And then it was many months later before it was thought to be connected to a particular APT platform,” added Sullivan. “Pieces like this can often be shared in the anti-malware industry as ‘regular’ malware during the knowledge gap because they look like advanced crimeware. In which case, they could very well end up on VirusTotal and if the nation state controller is paying attention … it’ll know what’s up.”

In early June, another CyberScoop story sparked a debate on social media about what it meant to be a contemporary security researcher in an era where global cyber norms are still a work in progress.

Is it even worth it?

Robert Lee, a former NSA official and the current CEO of Maryland-based Dragos Inc., said companies should feel comfortable reaching out to governments, but standards need to be in place in order to prevent a company from playing favorites.

“The origin of the threat should not influence the publishing of the intelligence, but each provider must make a consistent approach to publishing as it relates to targets,” Lee said. “If the targets are extremists, do you still publish? If your customers are violating international law, then maybe you have a position to publish. But have a policy that’s public and consistent, especially if you’re making choices versus just having a standard approach.”

A former CrowdStrike employee, who spoke on the condition of anonymity, said the company decided years ago that blogging about U.S. or allied-linked cyber-operations before anyone else was “not an advantageous thing to do.” At the time, there was a sense among staff that such research shouldn’t be pursued although the source said the was never “any explicit rules about it.”

Others, however, say that the cat-and-mouse game should be expected and even accepted by governments.

“Whether you are an intelligence agency conducting network intrusions, a law enforcement organization investigating threats or a security industry researcher — there is always a risk that your work could be disrupted or disturbed by the actions of the security industry,” said Don Smith, a technology director at SecureWorks. “On occasion, our relationships across the industry do give us visibility into some of the research and investigations other organizations are involved in. When we are aware of specific overlap … we would generally seek to give them a courtesy warning before we publish.”

While SecureWorks sometimes comes across what it suspects is U.S. government-linked malware, Smith said the company protects clients all the same.

It does not appear that SecureWorks has published any related information about a known U.S. or allied-linked hacking group. Dell, SecureWorks’ parent company, has multiple business contracts with governments around the world.

“When we see threat activity that is seeking to undermine national security interests or represents a significant criminal threat in those countries, it is important that we are able to relay those concerns to the government and law enforcement agencies,” Smith said.

Historical Precedent

Historically, the biggest outings of government-backed cyber-espionage operations arguably came at the hands of two firms: Kaspersky and Symantec.

Symantec was the first company to publicly disclose Stuxnet, the malware that devastated Iran’s Natanz nuclear facility in 2010. In their report, company researchers didn’t explicitly attribute the attack to a government, but pointed out that only a handful of actors could have created such a piece of malware.

“Stuxnet is of such great complexity—requiring significant resources to develop—that few attackers will be capable of producing a similar threat, to such an extent that we would not expect masses of threats of similar in sophistication to suddenly appear,” the company wrote in a public report.

Stuxnet’s creation is widely believed to be tied to a joint project between the U.S. and Israel, although neither country has ever publicly announced its involvement. It’s unknown if Symantec reached out to either government prior to the report’s release.

In 2o15, Kaspersky documented the tools, techniques and procedures (TTPs) behind a hacking group called “Equation Group.” That entity is now widely believed to be a carveout of the National Security Agency.

Symantec followed Kaspersky’s lead by publishing additional evidence and analysis of Equation Group’s tools, which were found on the networks of clients. The Silicon Valley-based security company boasts a large clientele base in the Middle East. It is unclear whether Symantec notified the U.S. government before posting its own Equation Group report; the company declined to comment for this story.

A former U.S. official who spoke on condition of anonymity told CyberScoop Kaspersky had provided the U.S. government with a heads-up prior to publishing its 2015 Equation Group report. But they did not do so with their more recent “Slingshot” report, which was tied to U.S. military operations that targeted al-Qaeda and ISIS operatives.

ThreatConnect, a startup that gained infamy for its research into the Russian-linked APT28 hacking group, said that it too had given the U.S. government a heads-up about some of its previous findings. APT28 is commonly linked to Russia’s Main Intelligence Directorate, or GRU, a domestic spy agency involved in both cyber and digital propaganda operations.

In the summer of 2015, director of research Toni Gidwani’s team created a confidential report for the White House to review. The report blew the lid off a network of Chinese hacking operations at an especially sensitive time.

Back then, “ThreatConnect [was preparing to release] Project CameraShy, an in-depth attribution analysis on China’s Naikon APT,” said Gidwani. The “report was featured on the front page of the Wall Street Journal on the day President Obama met with Chinese President Xi Jinping, prior to their signing the Rose Garden agreement. ThreatConnect pre-briefed our assessments to U.S. Government agencies to provide additional context and advance notice prior to the report’s public release.”

More often though, Gidwani explained, ThreatConnect will simply tip off a targeted private business, even if it isn’t a client.

“If we identify a domain that spoofs a legitimate organization’s domain and may be a part of cybercriminal or nation-state activity, we attempt to alert that organization to the domain’s existence and how we identified it,” Gidwani said. “Our decisions to publish blogs and report exploitation or attack activity publicly balances new insights about attacker techniques and research methodologies with the impacts of disclosure.”

Separately, Trend Micro also told CyberScoop about its practices, but stated upfront: “We have not seen any malware attributed specifically to Five Eyes intelligence agencies.”

Trend Micro follows a model that allows the pre-publication circulation of material between the Computer Emergency Response Teams (CERTs). CERTs are usually government-funded entities with a largely private sector-focused mission. Typically, each country’s CERT acts as an intermediary between industry and government.

“If unusual activity is found in a certain country, we engage the national or industry specific CERT to alert users and potential victims,” said Martin Roesler, senior director of threat research at Trend Micro. “The CERTS then lead outbound communications about the malware, and we follow their lead. In instances of potential public risk, we follow a standard responsible disclosure process, consulting with the impacted national authorities.”

“Our focus is never to release high visibility APT reports,” Roesler said. “We try to avoid letting geopolitics color our research or priorities.”

A cluttered cost-benefit tradeoff

There isn’t an easy answer to the question of how and what information should be publicized when it involves a nation-state-backed hacking group.

McAfee, while it has yet to publish a similar report that highlights allied activity, admits that it has benefited from those public disclosures.

Raj Samani, chief scientist of McAfee, said the company integrated the indicators of compromise (IoCs) from Kaspersky’s Equation Group and Slingshot reports into the McAfee antivirus engine. The inclusion allowed McAfee’s franchise product to detect and block associated malware variants without publicly signaling a change.

“We’re always going to take advantage of those free IoCs if we believe it could help [protect] clients,” said Samani. “That sort of stuff, where no one else has catalogued it, that’s important to look at.”

But in an era where small, resource-limited groups can cause massive damage through the internet, the need to get the word out is becoming more apparent.

“I think very few would argue that we shouldn’t detect certain types of malware. But what then,” questioned Martijn Grooten, an editor with VirusBulletin, in a corporate video interview for Kaspersky Lab that aired recently. “Should we just detect it and remove it as this company that you referenced does or do you write a report about it, do you publish it, do you warn the victims. That’s a choice. And it’s one I don’t think we can afford to say ‘we’ll publish everything.’ No company publishes everything. Everyone makes a choice.”