Justice Department Announces Court-Authorized Efforts to Map and Disrupt Botnet Used by North Korean Hackers

The Justice Department today announced an extensive effort to map and further disrupt, through victim notifications, the Joanap botnet – a global network of numerous infected computers under the control of North Korean hackers that was used to facilitate other malicious cyber activities.  This effort targeting the Joanap botnet follows charges unsealed last year in which the United States charged a North Korean citizen, Park Jin Hyok, a member of a conspiracy backed by the North Korean government that carried out numerous computer intrusions.  Those charges alleged that the conspiracy utilized a strain of malware, “Brambul,” which was also used to propagate the Joanap botnet.

Assistant Attorney General for National Security John Demers, United States Attorney Nicola T. Hanna, Assistant Director in Charge (ADIC) Paul Delacourt of the FBI’s Los Angeles Field Office and the U.S. Air Force Office of Special Investigations made the announcement.

“Computers around the world remain infected by a botnet associated with the North Korean Regime,” said Assistant Attorney General Demers.  “Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data. This operation is another example of the Justice Department’s efforts to use every tool at our disposal to disrupt national security threat actors, including, but by no means limited to, prosecution.”

“Our efforts have disrupted state-sponsored cybercriminals who used malware to establish a computer network that gave them the ability to hack into other computer systems,” said U.S. Attorney Hanna. “While the Joanap botnet was identified years ago and can be defeated with antivirus software, we identified numerous unprotected computers that hosted the malware underlying the botnet. The search warrants and court orders announced today as part of our efforts to eradicate this botnet are just one of the many tools we will use to prevent cybercriminals from using botnets to stage damaging computer intrusions.”

“Through technical means and legal process, the FBI continually seeks to disrupt the malicious cyber activities of North Korean cybercriminals, as in this case, and all cyber actors who pose a threat to the United States and our international partners,” said ADIC Delacourt.  “We urge computer users to take precautions, such as updating their software and utilizing antivirus, in order to avoid being victimized by this type of malware.”

Joanap malware targeted computers running the Microsoft Windows operating system and is used to gain access to and maintain infrastructure from which the hackers can carry out other malicious cyber activities.  Joanap is a “second stage” malware, one that is often “dropped” by the automated Brambul “worm” that crawls from computer to computer, probing whether it can gain access using certain vulnerabilities.  Once installed on an infected computer, Joanap would allow the North Korean hackers to remotely access infected computers, gain root level (or near-total) access to infected computers, and load additional malware onto infected computers.

Computers infected with Joanap — known as “peers” or “bots” — became part of a network of compromised computers known as a botnet.  Like other botnets, Joanap was designed to operate automatically and undetected on victims’ computers.  Joanap uses a decentralized peer-to-peer communication system, rather than a centralized mechanism to communicate with and control the peers, such as a command-and-control domain.

In order to address that distinct feature, a court order and search warrant was obtained pursuant to recent amendments to Rule 41 of the Federal Rules of Criminal Procedure.  The search warrant allowed the FBI and AFOSI to operate servers that mimicked peers in the botnet.  By pretending to be infected peers, the computers operated by the FBI and AFOSI under the authority of the search warrant and order collected limited identifying and technical information about other peers infected with Joanap (i.e., IP addresses, port numbers, and connection timestamps).  This allowed the FBI and AFOSI to build a map of the current Joanap botnet of infected computers.  Copies of the search warrants and orders and applications are available below.   

Using the information obtained from the warrant, the government is notifying victims in the United States of the presence of Joanap on an infected computer.  The FBI is both notifying victims through their Internet Service Providers and providing personal notification to victims whose computers are not behind a router or a firewall.  The U.S. government will coordinate the notification of foreign victims by contacting the host country’s government, including by utilizing the FBI’s Legal Attachés.

The second-stage Joanap botnet and the first-stage Brambul worm have endured since 2009, even though they have been identified in the past and a number of antivirus products defend against them.  Many private cyber security research companies have also published analytical reports about Brambul and Joanap.  The FBI and the Department of Homeland Security have published reports analyzing Joanap and Brambul as well, including as recently as May 31, 2018.  (https://www.us-cert.gov/ncas/alerts/TA18-149A.)  Moreover, a complaint was filed on June 8, 2018, charging Park Jin Hyok with a conspiracy to carry out numerous computer intrusions backed by the North Korean government.  That complaint alleged how co-conspirators used Brambul to gain unauthorized access to computers, and then used those computers to carry out the charged malicious cyber activities.  The Brambul worm itself was recovered from the computer networks of some victims of the conspiracy.

Joanap targets Microsoft Windows operating systems, but running Windows Defender Antivirus and using Windows Update will remediate and prevent infections by Joanap.  A number of free and paid antivirus programs are also already capable of detecting and removing Joanap and Brambul, including the Microsoft Safety Scanner, a free product.

This effort to map and disrupt the botnet was led by Assistant United States Attorneys Anthony J. Lewis and Anil J. Antony of the United States Attorney’s Office for the Central District of California, and DOJ Trial Attorneys David Aaron and Scott Claffee of the National Security Division’s Counterintelligence and Export Control Section. The Criminal Division’s Computer Crime and Intellectual Property Section provided valuable assistance.

The details contained in the application for the search warrant and order and related pleadings are not charges and are merely accusations.

Chinese Telecommunications Device Manufacturer and its U.S. Affiliate Indicted for Theft of Trade Secrets, Wire Fraud, and Obstruction Of Justice

Huawei Corporate Entities Conspired to Steal Trade Secret Technology and Offered Bonus to Workers who Stole Confidential Information from Companies Around the World

A 10-count indictment unsealed today in the Western District of Washington State charges Huawei Device Co., Ltd. and Huawei Device Co. USA with theft of trade secrets conspiracy, attempted theft of trade secrets, seven counts of wire fraud, and one count of obstruction of justice.  The indictment, returned by a grand jury on January 16, details Huawei’s efforts to steal trade secrets from Bellevue, Washington based T-Mobile USA and then obstruct justice when T-Mobile threatened to sue Huawei in U.S. District Court in Seattle.  The alleged conduct described in the indictment occurred from 2012 to 2014, and includes an internal Huawei announcement that the company was offering bonuses to employees who succeeded in stealing confidential information from other companies.

“Today we are announcing that we are bringing criminal charges against telecommunications giant Huawei and its associates for nearly two dozen alleged crimes” Acting Attorney General Matthew G. Whitaker said.  “As I told Chinese officials in August, China must hold its citizens and Chinese companies accountable for complying with the law.  I’d like to thank the many dedicated criminal investigators from several different federal agencies who contributed to this investigation and the Department of Justice attorneys who are moving the prosecution efforts forward. They are helping us uphold the rule of law with integrity.”

“The charges unsealed today clearly allege that Huawei intentionally conspired to steal the intellectual property of an American company in an attempt to undermine the free and fair global marketplace,” said FBI Director Wray. “To the detriment of American ingenuity, Huawei continually disregarded the laws of the United States in the hopes of gaining an unfair economic advantage. As the volume of these charges prove, the FBI will not tolerate corrupt businesses that violate the laws that allow American companies and the United States to thrive.”

“This indictment shines a bright light on Huawei’s flagrant abuse of the law – especially its efforts to steal valuable intellectual property from T-Mobile to gain unfair advantage in the global marketplace,” said First Assistant U.S. Attorney Annette L. Hayes of the Western District of Washington.  “We look forward to presenting the evidence of Huawei’s crimes in a court of law, and proving our case beyond a reasonable doubt.  Fair competition and respect for the rule of law is essential to the functioning of our international economic system.”

According to the indictment, in 2012 Huawei began a concerted effort to steal information on a T-Mobile phone-testing robot dubbed “Tappy.”  In an effort to build their own robot to test phones before they were shipped to T-Mobile and other wireless carriers, Huawei engineers violated confidentiality and non-disclosure agreements with T-Mobile by secretly taking photos of “Tappy,” taking measurements of parts of the robot, and in one instance, stealing a piece of the robot so that the Huawei engineers in China could try to replicate it.  After T-Mobile discovered and interrupted these criminal activities, and then threatened to sue, Huawei produced a report falsely claiming that the theft was the work of rogue actors within the company and not a concerted effort by Huawei corporate entities in the United States and China.  As emails obtained in the course of the investigation reveal, the conspiracy to steal secrets from T-Mobile was a company-wide effort involving many engineers and employees within the two charged companies.

As part of its investigation, FBI obtained emails revealing that in July 2013, Huawei offered bonuses to employees based on the value of information they stole from other companies around the world, and provided to Huawei via an encrypted email address.

Under the maximum sentencing provisions applicable to corporate entities, Conspiracy and Attempt to Commit Trade Secret Theft are punishable by a fine of up to $5,000,000 or three times the value of the stolen trade secret, whichever is greater.  Wire Fraud and Obstruction of Justice are punishable by a fine of up to $500,000.

The charges contained in the indictment are only allegations.  A defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.  The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes.  If convicted of any offense, the sentencing of the defendants will be determined by the court based on the advisory Sentencing Guidelines and other statutory factors.

The case is being investigated by the FBI.  The case is being prosecuted by Assistant U.S. Attorneys Todd Greenberg and Thomas Woods of the Western District of Washington, with assistance from the Department of Justice’s National Security Division’s Counterintelligence and Export Control Section.

U.S. Attorney Brian T. Moran has been recused from this matter because of legal representations he undertook before he joined the Department of Justice.  Per direction from ethics officials in the Department of Justice, First Assistant U.S. Attorney Annette L. Hayes will act as U.S. Attorney with respect to this matter pursuant to the authority conferred by 28 U.S.C. § 515.

Internet Stalker Sentenced to More than 14 Years in Federal Prison

DENVER – Eric Ronald Bolduan of Rochester, Minnesota was sentenced to 171 months in federal prison for stalking and making interstate threats against college students, U.S. Attorney Jason R. Dunn and FBI Denver Special Agent in Charge Dean Phillips announced.  United States District Court Judge Christine Arguello entered the sentence against Bolduan on January 24, 2019.  Bolduan was remanded into the custody of the United States Marshals.  After serving his sentence, Bolduan is required to register as a sex offender.

Bolduan pled guilty without a plea agreement on September 6, 2018, to stalking and making interstate threats.  According to facts relied upon during sentencing, including a statement of facts filed with the Court, Bolduan sent emails and text messages to a female student at the University of Colorado, threatening to kill her and her sister.  He then posted pictures of the victim’s face on pornography websites, listing her actual contact information.  His posts included pornographic pictures of women that were not the victim, but resembled her.  Bolduan then sent messages to the victim, stating his intent to spend his free time “hunting you!”  He wrote:  “I will find you and watch you – sticking to the shadows, learning your patterns.  When the time is right I will strike…”

The investigation revealed that Bolduan sent similar emails, text messages, and posts to a total of four victims in Colorado, but also to other victims at universities and high schools across the country.  The defendant used an “anonymizer” which prevented his victims from learning his actual name or from knowing from where the threatening emails, text messages, or posts were coming.  The messages were sent not only to female victims, but also to other students, friends, and family members.

“The victims in this case experienced real and profound suffering because of the acts of this defendant,” said United States Attorney Jason Dunn.  “It’s possible that more young women have been victimized but just haven’t been able to identify their assailant.  We encourage anyone who has experienced this kind of threat to call the FBI.”

“Eric Bolduan’s sentence illustrates the FBI’s commitment to protecting our communities,” said FBI Denver Special Agent in Charge Dean Phillips. “The FBI will continue to work diligently with our law enforcement partners and the United States Attorney’s Office to investigate and prosecute cases involving online threats and attempts to victimize innocent citizens through the Internet.”

Individuals who believe they may be victims are encouraged to contact the FBI at the following number: (303) 629-7171 (Option 1)

This case was investigated by the Denver Division of the Federal Bureau of Investigation together with the University of Colorado and Boulder Police Departments.  Assistant United States Attorney Valeria Spencer is handling this prosecution.