The U.S. Justice Department is looking to retaliate against North Korea-linked hackers who have built up a massive global network of infected computers.
The department announced on Wednesday that it would seek to map out the Joanap botnet, which has been built and controlled by North Korea-linked hackers since 2009, and eventually disrupt it by alerting impacted victims.
In order to map out Joanap, law enforcement has been operating servers that mimicked peers in the botnet. By pretending to be infected peers, these computers collected “limited identifying and technical information” about other infected systems with Joanap (such as IP addresses, port numbers and connection time-stamps).
This allows the government to build out a map of the infected systems and warn impacted victims – in the hopes of eventually eradicating the threat.
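As an added illustration of the mapping step described above, the following Python aggregates the kind of peer-contact records a mimic peer collects (remote IP address, port and connection timestamp) into a map of likely-infected hosts, then groups them by network prefix so that owners can be notified. This is example code written for this page, not the Justice Department's or FBI's actual tooling; the one-line record format and every address are constructed (RFC 5737 documentation ranges), and the `/24` grouping is an assumed notification granularity.

```python
"""Build a victim map from constructed peer-contact records (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample records in an assumed format: "<UTC timestamp> <peer IP> <peer port>".
# Addresses come from the RFC 5737 documentation ranges, not from any real operation.
SAMPLE_RECORDS = [
    "2019-01-15T03:12:07Z 203.0.113.17 443",
    "2019-01-15T03:14:52Z 198.51.100.9 8080",
    "2019-01-15T04:01:33Z 203.0.113.17 8080",
    "2019-01-16T11:20:00Z 203.0.113.44 443",
    "2019-01-16T11:20:01Z not-an-ip 443",        # malformed line: skipped, must not abort the run
    "2019-01-16T11:20:05Z 127.0.0.1 443",        # collector's own loopback: not a victim
    "2019-01-17T09:45:10Z 192.0.2.200 443",
    "2019-01-17T10:00:00Z 203.0.113.17 443",
]


@dataclass
class Victim:
    """Summary of one host that presented itself as a botnet peer."""
    ip: str
    first_seen: datetime
    last_seen: datetime
    ports: Set[int] = field(default_factory=set)
    contacts: int = 0


def parse_record(line: str) -> Optional[Tuple[datetime, str, int]]:
    """Return (timestamp, ip, port) for a well-formed record, else None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts_text, ip_text, port_text = parts
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ip = ip_address(ip_text)
        port = int(port_text)
    except ValueError:
        return None
    if not 0 < port < 65536:
        return None
    # Loopback, link-local, multicast and unspecified addresses cannot be a remote
    # victim and are usually artefacts of the collector's own environment.
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return None
    return ts, str(ip), port


def build_victim_map(lines: Iterable[str]) -> Dict[str, Victim]:
    """Fold contact records into one entry per IP with first/last seen, ports and count."""
    victims: Dict[str, Victim] = {}
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        ts, ip, port = parsed
        v = victims.get(ip)
        if v is None:
            v = Victim(ip=ip, first_seen=ts, last_seen=ts)
            victims[ip] = v
        v.first_seen = min(v.first_seen, ts)
        v.last_seen = max(v.last_seen, ts)
        v.ports.add(port)
        v.contacts += 1
    return victims


def notification_batches(victims: Dict[str, Victim], prefix_len: int = 24) -> Dict[str, List[str]]:
    """Group infected hosts by network prefix (assumed /24) so each network owner gets one notice."""
    batches: Dict[str, List[str]] = defaultdict(list)
    for ip in sorted(victims, key=ip_address):
        net = ip_network(f"{ip}/{prefix_len}", strict=False)
        batches[str(net)].append(ip)
    return dict(batches)


if __name__ == "__main__":
    victim_map = build_victim_map(SAMPLE_RECORDS)
    for v in victim_map.values():
        print(f"{v.ip:16} first={v.first_seen:%Y-%m-%d} last={v.last_seen:%Y-%m-%d} "
              f"contacts={v.contacts} ports={sorted(v.ports)}")
    for net, hosts in notification_batches(victim_map).items():
        print(f"notify owner of {net}: {', '.join(hosts)}")
```

In a real operation the prefix grouping would be replaced by a WHOIS or ASN lookup so that notices reach the responsible network operator, and the first/last-seen window is what lets a recipient decide whether a host is still infected or was cleaned before the notice arrived.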
“Computers around the world remain infected by a botnet associated with the North Korean regime,” said Assistant Attorney General Demers, in a statement. “Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity and availability of data. This operation is another example of the Justice Department’s efforts to use every tool at our disposal to disrupt national security threat actors, including, but by no means limited to, prosecution.”
According to a 2018 US-CERT alert, the Joanap malware has been targeting multiple victims globally and in the United States since 2009, including the media, aerospace, financial and critical infrastructure sectors.
Joanap has been targeting computers running the Microsoft Windows operating system. Once the hackers gain access to these infected computers, they can carry out other malicious activities from the impacted infrastructure.
Joanap, also known as “Hidden Cobra,” is a remote access tool that is dropped on infected systems by the automated Brambul worm, which crawls from computer to computer and probes whether it can gain access using certain vulnerabilities.
Once installed, Joanap would allow the North Korean hackers to remotely access the infected computer, gain root-level (or near-total) control of it and load additional malware onto it, the government said.
“Like other botnets, Joanap was designed to operate automatically and undetected on victims’ computers,” the government said. “Joanap uses a decentralized peer-to-peer communication system, rather than a centralized mechanism to communicate with and control the peers, such as a command-and-control domain.”
Meanwhile, the Department of Homeland Security urges users and administrators to keep their operating systems and software up-to-date with the latest patches.
“Most attacks target vulnerable applications and operating systems,” said DHS. “Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.”
North Korean Impact
Joanap has been tied to the well-known Lazarus Group (also known as Hidden Cobra), the APT actor behind several wide-scale and damaging cyber attacks, including WannaCry and the 2014 Sony Pictures Entertainment hack.
The effort follows charges unsealed last year against a North Korean citizen, Park Jin Hyok, whom the United States identified as a member of a conspiracy backed by the North Korean government that carried out numerous computer intrusions.
In September, the DoJ charged Hyok and alleged in its 179-page complaint that he was involved in “a conspiracy to conduct multiple destructive cyberattacks around the world” as a member of the Lazarus Group.
Those “destructive cyberattacks” illustrate the level of impact that the infamous APT has had globally and in the U.S. over the past few years.
They include robbing the Bangladeshi central bank of $81 million; hacking Sony Pictures Entertainment in retaliation for the film The Interview (which featured a parody of DPRK leader Kim Jong-Un); and creating the WannaCry ransomware that impacted victims in more than 150 countries.