Atlanta Lawyer, Investigator Offer Lessons from the FBI's Disruption of North Korea's Botnet
Much like your company's IT team uses command-and-control software to fix your computer remotely, a botnet can give a single actor the power to control an army of infected computers. But the Joanap botnet comes with a unique twist.
February 20, 2019 at 12:00 PM
5 minute read
On Jan. 30, the U.S. Department of Justice revealed a secret operation to disrupt and uncover the Joanap botnet—one of North Korea's tools for inflicting technological mayhem around the world. The FBI's strategy, which in part turns on notifying users infected with the malware, underscores critical lessons about how cybersecurity awareness can serve U.S. national security goals and protect companies from damaging cyberattacks.
For at least a decade, the Joanap botnet, which North Korean actors propagated using a malware strain referred to as “Brambul,” has wreaked havoc around the world and in the United States. In 2018, US-CERT, a Department of Homeland Security entity responsible for disseminating cyberthreat information, warned that the malware combination had been targeting numerous industries, “including the media, aerospace, financial, and critical infrastructure sectors.” What's more, in a detailed criminal complaint filed against North Korean citizen Park Jin Hyok, U.S. authorities linked the Brambul malware to North Korean actors dubbed “Lazarus Group”—the same group associated with the hack of Sony, the WannaCry ransomware and massive financial thefts.
Generally, botnets are powerful tools in the hands of cybercriminals, and Joanap is no exception. Much like your company's IT team uses command-and-control software to fix your computer remotely, a botnet can give a single actor the power to control an army of infected computers. But the Joanap botnet comes with a unique twist. That is, according to affidavits submitted in support of the operation, instead of controlling infected computers through one centralized command and control server, North Korean threat actors can use infected computers to control other infected computers in the same network. So a victim computer ensnared by Joanap doesn't just risk having its information stolen by North Korean attackers, it risks becoming a part of the infrastructure that attackers can use to victimize other computer users around the world.
How the FBI Began to Identify Infected Computers
In 2018, the FBI obtained court approval to conduct a technical operation designed to identify and pinpoint infected computers that comprised the Joanap botnet. Using a relatively new change to Federal Rule of Criminal Procedure 41 that authorizes “remote access to search electronic storage media” outside of a particular district in certain narrow circumstances, the FBI operated servers that acted like computers infected with Joanap; it then collected metadata sent by other infected computers trying to communicate with the FBI-controlled servers. That data flow gave the FBI critical insight into the location and identity of infected computers around the world. Using that information, the FBI intends to notify computer users about the North Korean malware sitting on their computers.
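The paragraph above describes the defender's side of that operation: a sinkhole that accepts check-ins from infected peers and turns the connection metadata into a list of hosts to notify. The script below is an added example, not code from the article or from the FBI operation it describes. It assumes a sinkhole has already written one record per check-in (timestamp, source IP, source port, bytes received) and that a constructed prefix-to-organization table stands in for whatever allocation data a real notification effort would use; the log lines, IP ranges and organization names are all constructed for the example.

```python
"""Turn sinkhole check-in records into a per-organization notification list.

Added example (not from the article or the FBI operation). It assumes a
sinkhole that accepted peer check-ins has logged one line per connection,
and that a constructed prefix table maps source IPs to the organizations
that would receive a notice.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole records: timestamp, source IP, source port, bytes received.
# Addresses come from documentation ranges; the last line is deliberately malformed.
SINKHOLE_LOG = """\
2019-01-15T03:12:44Z 203.0.113.7 49211 96
2019-01-15T03:12:59Z 203.0.113.7 49218 96
2019-01-15T04:01:02Z 198.51.100.23 51002 96
2019-01-15T04:07:31Z 192.0.2.200 40010 96
2019-01-15T04:09:10Z 198.51.100.77 51105 96
2019-01-15T05:00:00Z not-an-ip 0 0
"""

# Constructed allocation table (hypothetical organizations, not real ones).
PREFIX_OWNERS = {
    "203.0.113.0/24": "Example Media Corp",
    "198.51.100.0/24": "Example Aerospace Inc",
}


def parse_log(text):
    """Parse check-in lines; skip malformed lines instead of aborting the run."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, port, nbytes = parts
        try:
            records.append({
                "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                "ip": ipaddress.ip_address(ip),
                "port": int(port),
                "bytes": int(nbytes),
            })
        except ValueError:
            continue  # bad timestamp, address or number: drop the line
    return records


def owner_of(ip, table=PREFIX_OWNERS):
    """Longest-prefix match of an address against the table; None if unallocated."""
    ip = ipaddress.ip_address(ip)
    best = None
    for prefix, org in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, org)
    return best[1] if best else None


def build_notifications(records, table=PREFIX_OWNERS):
    """Group distinct infected hosts by organization with check-in counts and
    first/last-seen times, so each organization receives one notice."""
    hosts = defaultdict(lambda: {"checkins": 0, "first": None, "last": None})
    for r in records:
        h = hosts[r["ip"]]
        h["checkins"] += 1
        h["first"] = r["ts"] if h["first"] is None else min(h["first"], r["ts"])
        h["last"] = r["ts"] if h["last"] is None else max(h["last"], r["ts"])
    notices = defaultdict(dict)
    for ip, info in hosts.items():
        org = owner_of(ip, table) or "UNATTRIBUTED"  # needs manual attribution
        notices[org][str(ip)] = dict(info)
    return dict(notices)


if __name__ == "__main__":
    for org, infected in build_notifications(parse_log(SINKHOLE_LOG)).items():
        print(org)
        for ip, info in sorted(infected.items()):
            print(f"  {ip}: {info['checkins']} check-ins, "
                  f"{info['first']:%Y-%m-%d %H:%M} to {info['last']:%Y-%m-%d %H:%M}")
```

Two design points matter for a real notification effort: repeated check-ins from one address are collapsed into a single host entry with a count, so a chatty peer is not mistaken for many victims, and addresses that match no prefix are kept under an explicit "UNATTRIBUTED" bucket rather than silently dropped, since those are exactly the hosts that need manual follow-up.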
Historically, the FBI has proactively reached out to victims to notify them of infections, known data breaches and other malicious activity on corporate networks. But waiting for the FBI to notify you of a cyber incident is a poor strategy for reducing your company's cyberrisk. Companies should be taking a number of steps to proactively assess their cybersecurity posture before any FBI notice. Regular cybersecurity assessments by third parties can go a long way toward identifying existing vulnerabilities, quantifying cyberrisks and helping organizations determine whether they have blind spots that allow pernicious cyberthreats such as Joanap to go unnoticed. And, depending on the circumstances, working with outside counsel to obtain such assessments as part of a comprehensive legal strategy may help to ensure that certain aspects of the assessments remain confidential. Fortunately, according to the Department of Justice, infected users can take steps to mitigate and contain the Joanap malware. There are a number of programs capable of removing the malware and remediating infections, and maintaining up-to-date anti-virus software can prevent reinfection.
Of course, the FBI's notice campaign may put organizations in a precarious position with customers, shareholders and other third parties. The mere receipt of the notice may raise questions about a company's existing cybersecurity measures and invite skepticism about a company's ability to unilaterally address problems hosted on its own network. But the best way to avoid being notified about a persistent threat on your network is to proactively prevent such infections from flourishing in the first place. Although there's no such thing as perfect security, organizations that take proactive measures such as assessments, cybersecurity awareness campaigns and the deployment of security solutions will greatly reduce the risk and impact of cyberthreats like Joanap and Brambul.
Kamal Ghali is a former deputy chief of the cybercrime section at the U.S. Attorney's Office in Atlanta and leads the cybersecurity and privacy practice at Bondurant, Mixson & Elmore, an Atlanta-based litigation and investigations firm.
Mark Ray is a former FBI special agent and the global head of digital investigations and cyber defense at Nardello & Co.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.