It is no secret that the US faces many cybersecurity threats to national and business interests. With government workers returning to their jobs after a lengthy government shutdown over President Trump’s planned border wall, the true cost of the shutdown's impact on cybersecurity can now be calculated. However, not all government bodies were completely hamstrung. In a combined operation, the US Department of Justice (DOJ), the FBI's Los Angeles Field Office and the US Air Force Office of Special Investigations (AFOSI) announced that work was underway to take down Joanap, a botnet operated by North Korean hacker groups. On January 30, 2019, the DOJ announced the operation, which had been active since October 2018. The DOJ released court documents, including a court order and a search warrant, to provide the public with more information.
Based on the documents provided, readers are given a unique insight into how the operation was made possible and conducted. The operation started with the authorities operating servers which mimicked infected computers that were part of the botnet, and silently mapped other infected hosts. This was possible only because of the way the botnet had been constructed. The botnet relies on a peer-to-peer (P2P) communications system in which infected hosts relay commands introduced into the botnet's network from one to another, instead of reporting to one central command-and-control server. In its simplest form, P2P communication relies on a network architecture that partitions tasks or workloads between peers. Peers have equal privileges, so a machine that speaks the protocol is treated like any other infected host; it is this fact that was the botnet’s Achilles heel.
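The mapping step described above, as an added example that is not part of the original article and not Joanap's real code: a sensor that speaks a botnet's peer-exchange protocol can enumerate the membership by asking each newly learned peer for its own peer list, without ever relaying a command. The message format ("GETPEERS"/"PEERS"), the `SimulatedBotnet` transport and the sample network are all constructed assumptions for illustration; the court documents do not describe Joanap's wire protocol, and nothing here is taken from it.

```python
"""Enumerating a P2P botnet by crawling peer lists (constructed example).

In a pure peer-to-peer botnet every infected host answers peer-list
requests from any other peer, so a sensor that speaks the protocol can
learn the whole membership by asking each newly discovered peer for its
peers in turn, without relaying any command. The message format and the
sample network below are constructed for illustration; they are not
Joanap's real protocol or real infected hosts.
"""
from collections import deque

# Constructed sample botnet: each infected host knows only a few neighbours.
# 10.0.0.7 is advertised by a peer but is offline (or already cleaned).
SAMPLE_NETWORK = {
    "10.0.0.1": ["10.0.0.2", "10.0.0.3"],
    "10.0.0.2": ["10.0.0.1", "10.0.0.4"],
    "10.0.0.3": ["10.0.0.1", "10.0.0.5"],
    "10.0.0.4": ["10.0.0.2"],
    "10.0.0.5": ["10.0.0.3", "10.0.0.6"],
    "10.0.0.6": ["10.0.0.5", "10.0.0.7"],
}


class SimulatedBotnet:
    """Stands in for the network (an assumption, not a real transport):
    delivers one request to an infected host and returns its reply, or
    raises ConnectionError if the host cannot be reached."""

    def __init__(self, network):
        self.network = network

    def request(self, addr, message):
        if addr not in self.network:
            raise ConnectionError(f"{addr} unreachable")
        if message == "GETPEERS":
            # An infected peer hands out its neighbour list to any caller,
            # because every peer has the same privileges as every other.
            return ["PEERS", *self.network[addr]]
        return ["ERR"]


def crawl_peers(transport, seeds, max_peers=100_000):
    """Breadth-first crawl starting from known infected hosts (seeds).

    Returns (reachable, unreachable): addresses that answered the peer-list
    request, and addresses that were advertised but could not be contacted.
    The crawler only ever sends GETPEERS; it never injects or forwards
    commands. max_peers bounds the crawl so that a hostile or looping peer
    list cannot keep it running forever.
    """
    seen = set(seeds)
    queue = deque(seeds)
    reachable, unreachable = set(), set()
    while queue:
        addr = queue.popleft()
        try:
            reply = transport.request(addr, "GETPEERS")
        except ConnectionError:
            unreachable.add(addr)
            continue
        if not reply or reply[0] != "PEERS":
            continue  # reached something that does not speak the protocol
        reachable.add(addr)
        for peer in reply[1:]:
            if peer not in seen and len(seen) < max_peers:
                seen.add(peer)
                queue.append(peer)
    return reachable, unreachable


if __name__ == "__main__":
    up, down = crawl_peers(SimulatedBotnet(SAMPLE_NETWORK), ["10.0.0.1"])
    print("infected and reachable:", sorted(up))
    print("advertised but unreachable:", sorted(down))
```

Starting from a single known victim, the crawl reaches all six live peers and records the one stale address, which is exactly the list of hosts and ISPs a notification effort would need; the `max_peers` bound is the check a practitioner wants before pointing such a crawler at a network whose size is unknown.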
After months of mapping the botnet, the authorities plan to notify victims, directly and through their internet service providers, in an effort to have these systems disinfected and so indirectly disrupt one of North Korea's oldest cyber-weapons. Assistant Attorney General for National Security John Demers summarised the reason for and ultimate aim of the operation as follows:
“Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data. This operation is another example of the Justice Department's efforts to use every tool at our disposal to disrupt national security threat actors.”
Above, the Joanap botnet was referred to as one of North Korea’s oldest cyber-weapons. Based on a security alert issued by the Department of Homeland Security, the botnet has been active since 2009 and relies on two malware strains to infect other computers. The first is Brambul, a worm that brute-forces Windows Server Message Block (SMB) services, trying passwords from a list of common ones until one is accepted.
If a correct password is found, the malware has a foothold on the newly infected computer. It then deploys the second piece of malware, also called Joanap, which is essentially a backdoor that lets the operators control the host and spread to more victims. The backdoor can download and upload files and other malware. Added to this, the feature-rich implant can execute files, manage local processes, and start a proxy to relay malicious traffic through the infected host. There is little doubt that the DOJ operation will help further illuminate the shady operations of North Korean groups like Hidden Cobra and help combat future operations. Recent events illustrate US authorities’ dedication to tightening the screws on North Korean hackers, but privacy concerns have been raised.
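The SMB password-guessing behaviour attributed to Brambul above is something a defender can look for on the target. The following detection logic is an added example, not code from the article or from the DHS alert: it reads a constructed, simplified one-line rendering of Windows Security events (IDs 4625 and 4624, logon type 3 for network logons, with the real NTSTATUS codes 0xC000006A for a wrong password and 0xC0000064 for an unknown account) and flags a source address that accumulates a burst of failures, noting whether a successful network logon from that source followed. The log format, addresses, account names and thresholds are all assumptions for the example.

```python
"""Detect SMB password guessing of the kind the Brambul worm performs.

Constructed example: on a Windows target, password guessing over SMB shows
up as a burst of Security event 4625 (failed logon) with logon type 3
(network) from one source address, usually spread across several account
names; a 4624 (successful logon) of type 3 from the same source after the
burst means a password was guessed. The lines below are a simplified
one-line rendering of such events, constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Low-and-slow guesser: five failures spread over 80 minutes.
    "2019-01-15T02:00:00 EventID=4625 LogonType=3 Account=Administrator Source=203.0.113.9 Status=0xC000006A",
    "2019-01-15T02:20:00 EventID=4625 LogonType=3 Account=Administrator Source=203.0.113.9 Status=0xC000006A",
    "2019-01-15T02:40:00 EventID=4625 LogonType=3 Account=Administrator Source=203.0.113.9 Status=0xC000006A",
    "2019-01-15T03:00:00 EventID=4625 LogonType=3 Account=Administrator Source=203.0.113.9 Status=0xC000006A",
    "2019-01-15T03:20:00 EventID=4625 LogonType=3 Account=Administrator Source=203.0.113.9 Status=0xC000006A",
    # Worm-style burst from one source across several accounts, then success.
    "2019-01-15T03:00:01 EventID=4625 LogonType=3 Account=Administrator Source=192.0.2.77 Status=0xC000006A",
    "2019-01-15T03:00:02 EventID=4625 LogonType=3 Account=Administrator Source=192.0.2.77 Status=0xC000006A",
    "2019-01-15T03:00:03 EventID=4625 LogonType=3 Account=admin Source=192.0.2.77 Status=0xC0000064",
    "2019-01-15T03:00:04 EventID=4625 LogonType=3 Account=Guest Source=192.0.2.77 Status=0xC000006A",
    "2019-01-15T03:00:05 EventID=4625 LogonType=3 Account=backup Source=192.0.2.77 Status=0xC0000064",
    "2019-01-15T03:00:06 EventID=4625 LogonType=3 Account=Administrator Source=192.0.2.77 Status=0xC000006A",
    "2019-01-15T03:00:07 EventID=4624 LogonType=3 Account=Administrator Source=192.0.2.77 Status=0x0",
    # Noise: one mistyped password, and an interactive (type 2) console failure.
    "2019-01-15T03:10:00 EventID=4625 LogonType=3 Account=alice Source=198.51.100.5 Status=0xC000006A",
    "2019-01-15T03:11:00 EventID=4625 LogonType=2 Account=bob Source=127.0.0.1 Status=0xC000006A",
]

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<type>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)"
)


def parse_event(line):
    """Parse one constructed event line; returns None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "id": int(m["id"]),
        "type": int(m["type"]),
        "acct": m["acct"],
        "src": m["src"],
    }


def detect_smb_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with at least `threshold`
    failed network logons (4625, type 3) inside a sliding `window`.

    A finding records when the burst started, every account name tried,
    the total failure count, and whether a successful network logon (4624,
    type 3) from the same source followed, i.e. a password was guessed.
    """
    events = [e for e in map(parse_event, lines) if e and e["type"] == 3]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)    # src -> failure timestamps inside the window
    total = defaultdict(int)      # src -> all failures seen
    accounts = defaultdict(set)   # src -> account names tried
    findings = {}
    for e in events:
        src = e["src"]
        if e["id"] == 4625:
            total[src] += 1
            accounts[src].add(e["acct"])
            recent[src] = [t for t in recent[src] if e["ts"] - t <= window]
            recent[src].append(e["ts"])
            if len(recent[src]) >= threshold and src not in findings:
                findings[src] = {
                    "first_seen": recent[src][0],
                    "success_after": False,
                    "compromised_account": None,
                }
        elif e["id"] == 4624 and src in findings:
            findings[src]["success_after"] = True
            findings[src]["compromised_account"] = e["acct"]
    for src, f in findings.items():
        f["failure_count"] = total[src]
        f["accounts"] = sorted(accounts[src])
    return findings


if __name__ == "__main__":
    for src, finding in detect_smb_bruteforce(SAMPLE_EVENTS).items():
        print(src, finding)
```

With the default five failures in five minutes, only the bursty source is flagged, and the trailing 4624 turns the finding from "someone is guessing" into "someone is in as Administrator", which is the event that should page someone. The slow guesser at 203.0.113.9 is missed until the window is widened (for example to two hours), which is the usual tuning trade-off between catching patient guessers and drowning in false positives from ordinary mistyped passwords.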
Andrew Crocker, a senior staff attorney at the digital privacy advocacy group Electronic Frontier Foundation, noted that,
“The operation appears fairly sophisticated, describing the technical steps the government will take to ensure the computers it's accessing are actually infected and trying to limit the type of data it collects in order to shut down the botnet and ultimately notify US users who are affected. With that said, these techniques are inherently invasive, both because of the possibility of unintended consequences and because the government is executing searches on many computers whose owners are not accused of any wrongdoing, but which have become infected.”
A Victory for US Authorities?
Even with privacy concerns being raised, the authorities will undoubtedly feel the operation was a job well done. It will also be seen as the result of hard work that started with the indictment of the person believed to be responsible for the WannaCry ransomware outbreak. According to the 179-page indictment, the US believes that Park Jin Hyok, a 34-year-old North Korean, is one of many individuals behind a long string of malware attacks and intrusions, including:
- The WannaCry ransomware outbreak of 2017
- Attempts of hacking US defense contractor Lockheed Martin in 2016
- The 2016 Bangladesh Central Bank cyber-heist
- The breach at Sony Pictures Entertainment in 2014
- Breaches at the US movie theatre chain AMC Theatres and the UK television production company Mammoth Screen in 2014
- A long string of hacks of South Korean news media organizations, banks, and military entities across several years
- Hacks of banks all over the world from 2015 through 2018
All of this was announced by the DOJ at the start of September 2018 and represented a significant step-up in the pressure being applied to North Korea. The recent announcements may be an indication of growing momentum on the side of the US authorities. This by no means can be seen as the end of Hidden Cobra; the group is incredibly resourceful and well versed in the dark arts of cybercrime and espionage. This is not the last time we will hear from it.