The Justice Department today announced an extensive effort
to map and further disrupt, through victim notifications, the Joanap botnet – a
global network of numerous infected computers under the control of North Korean
hackers that was used to facilitate other malicious cyber activities. This effort targeting the Joanap botnet
follows charges unsealed last year in which the United States charged a North
Korean citizen, Park Jin Hyok, a member of a conspiracy backed by the North
Korean government that carried out numerous computer intrusions. Those charges alleged that the conspiracy
utilized a strain of malware, “Brambul,” which was also used to propagate the
Joanap botnet.
Assistant Attorney General for National Security John
Demers, United States Attorney Nicola T. Hanna, Assistant Director in Charge
(ADIC) Paul Delacourt of the FBI’s Los Angeles Field Office and the U.S. Air
Force Office of Special Investigations made the announcement.
“Computers around the world remain infected by a botnet
associated with the North Korean Regime,” said Assistant Attorney General
Demers. “Through this operation, we are
working to eradicate the threat that North Korea state hackers pose to the
confidentiality, integrity, and availability of data. This operation is another
example of the Justice Department’s efforts to use every tool at our disposal
to disrupt national security threat actors, including, but by no means limited
to, prosecution.”
“Our efforts have disrupted state-sponsored cybercriminals
who used malware to establish a computer network that gave them the ability to
hack into other computer systems,” said U.S. Attorney Hanna. “While the Joanap
botnet was identified years ago and can be defeated with antivirus software, we
identified numerous unprotected computers that hosted the malware underlying
the botnet. The search warrants and court orders announced today as part of our
efforts to eradicate this botnet are just one of the many tools we will use to
prevent cybercriminals from using botnets to stage damaging computer
intrusions.”
“Through technical means and legal process, the FBI
continually seeks to disrupt the malicious cyber activities of North Korean
cybercriminals, as in this case, and all cyber actors who pose a threat to the
United States and our international partners,” said ADIC Delacourt. “We urge computer users to take precautions,
such as updating their software and utilizing antivirus, in order to avoid
being victimized by this type of malware.”
Joanap malware targeted computers running the Microsoft
Windows operating system and is used to gain access to and maintain
infrastructure from which the hackers can carry out other malicious cyber
activities. Joanap is a “second stage”
malware, one that is often “dropped” by the automated Brambul “worm” that
crawls from computer to computer, probing whether it can gain access using
certain vulnerabilities. Once installed
on an infected computer, Joanap would allow the North Korean hackers to
remotely access infected computers, gain root level (or near-total) access to
infected computers, and load additional malware onto infected computers.
Computers infected with Joanap — known as “peers” or “bots”
— became part of a network of compromised computers known as a botnet. Like other botnets, Joanap was designed to
operate automatically and undetected on victims’ computers. Joanap uses a decentralized peer-to-peer
communication system, rather than a centralized mechanism to communicate with
and control the peers, such as a command-and-control domain.
In order to address that distinct feature, a court order and
search warrant was obtained pursuant to recent amendments to Rule 41 of the
Federal Rules of Criminal Procedure. The
search warrant allowed the FBI and AFOSI to operate servers that mimicked peers
in the botnet. By pretending to be
infected peers, the computers operated by the FBI and AFOSI under the authority
of the search warrant and order collected limited identifying and technical
information about other peers infected with Joanap (i.e., IP addresses, port
numbers, and connection timestamps).
This allowed the FBI and AFOSI to build a map of the current Joanap
botnet of infected computers. Copies of
the search warrants and orders and applications are available below.
Using the information obtained from the warrant, the
government is notifying victims in the United States of the presence of Joanap
on an infected computer. The FBI is both
notifying victims through their Internet Service Providers and providing
personal notification to victims whose computers are not behind a router or a
firewall. The U.S. government will
coordinate the notification of foreign victims by contacting the host country’s
government, including by utilizing the FBI’s Legal Attachés.
The second-stage Joanap botnet and the first-stage Brambul
worm have endured since 2009, even though they have been identified in the past
and a number of antivirus products defend against them. Many private cyber security research companies
have also published analytical reports about Brambul and Joanap. The FBI and the Department of Homeland
Security have published reports analyzing Joanap and Brambul as well, including
as recently as May 31, 2018.
(https://www.us-cert.gov/ncas/alerts/TA18-149A.) Moreover, a complaint was filed on June 8,
2018, charging Park Jin Hyok with a conspiracy to carry out numerous computer
intrusions backed by the North Korean government. That complaint alleged how co-conspirators
used Brambul to gain unauthorized access to computers, and then used those
computers to carry out the charged malicious cyber activities. The Brambul worm itself was recovered from
the computer networks of some victims of the conspiracy.
Joanap targets Microsoft Windows operating systems, but
running Windows Defender Antivirus and using Windows Update will remediate and
prevent infections by Joanap. A number
of free and paid antivirus programs are also already capable of detecting and
removing Joanap and Brambul, including the Microsoft Safety Scanner, a free
product.
This effort to map and disrupt the botnet was led by
Assistant United States Attorneys Anthony J. Lewis and Anil J. Antony of the
United States Attorney’s Office for the Central District of California, and DOJ
Trial Attorneys David Aaron and Scott Claffee of the National Security
Division’s Counterintelligence and Export Control Section. The Criminal
Division’s Computer Crime and Intellectual Property Section provided valuable
assistance.
The details contained in the application for the search
warrant and order and related pleadings are not charges and are merely
accusations.