What We Can Learn from the FBI's Disruption of North Korea's Botnet
Much like your company's IT team uses command-and-control software to fix your computer remotely, a botnet can give a single actor the power to control an army of infected computers. But the Joanap botnet comes with a unique twist.
February 20, 2019 at 12:00 PM
5 minute read
The original version of this story was published on Daily Report
On Jan. 30, the U.S. Department of Justice revealed a secret operation to disrupt and uncover the Joanap botnet—one of North Korea's tools for inflicting technological mayhem around the world. The FBI's strategy, which in part turns on notifying users infected with the malware, underscores critical lessons about how cybersecurity awareness can serve U.S. national security goals and protect companies from damaging cyberattacks.
For at least a decade, the Joanap botnet, which North Korean actors propagated using a malware strain referred to as “Brambul,” has wreaked havoc around the world and in the United States. In 2018, US-CERT, a Department of Homeland Security entity responsible for disseminating cyberthreat information, warned that the malware combination had been targeting numerous industries, “including the media, aerospace, financial, and critical infrastructure sectors.” What's more, in a detailed criminal complaint filed against North Korean citizen Park Jin Hyok, U.S. authorities linked the Brambul malware to North Korean actors dubbed “Lazarus Group”—the same group associated with the hack of Sony, the WannaCry ransomware and massive financial thefts.
Generally, botnets are powerful tools in the hands of cybercriminals, and Joanap is no exception. Much like your company's IT team uses command-and-control software to fix your computer remotely, a botnet can give a single actor the power to control an army of infected computers. But the Joanap botnet comes with a unique twist. That is, according to affidavits submitted in support of the operation, instead of controlling infected computers through one centralized command and control server, North Korean threat actors can use infected computers to control other infected computers in the same network. So a victim computer ensnared by Joanap doesn't just risk having its information stolen by North Korean attackers, it risks becoming a part of the infrastructure that attackers can use to victimize other computer users around the world.
|How the FBI Began to Identify Infected Computers
In 2018, the FBI obtained court approval to conduct a technical operation designed to identify and pinpoint infected computers that comprised the Joanap botnet. Using a relatively new change to Federal Rule of Criminal Procedure 41 that authorizes “remote access to search electronic storage media” outside of a particular district in certain narrow circumstances, the FBI operated servers that acted like computers infected with Joanap; it then collected metadata sent by other infected computers trying to communicate with the FBI-controlled servers. That data flow gave the FBI critical insight into the location and identity of infected computers around the world. Using that information, the FBI intends to notify computer users about the North Korean malware sitting on their computers.
Historically, the FBI has proactively reached out to victims to notify them of them of infections, known data breaches and other malicious activity on corporate networks. But waiting for the FBI to notify you of a cyber incident is a poor strategy for reducing your company's cyberrisk. Companies should be taking a number of steps to proactively assess their cybersecurity posture before any FBI notice. Regular cybersecurity assessments by third parties can go a long way toward identifying existing vulnerabilities, quantifying cyberrisks and helping organizations determine whether they have blind spots that allow pernicious cyberthreats such as Joanap to go unnoticed. And, depending on the circumstances, working with outside counsel to obtain such assessments as part of a comprehensive legal strategy may help to ensure that certain aspects of the assessments remain confidential. Fortunately, according to the Department of Justice, infected users can take steps to mitigate and contain the Joanap malware. There are a number of programs capable of removing the malware and remediating infections and maintaining up-to-date anti-virus can prevent reinfection.
Of course, the FBI's notice campaign may put organizations in a precarious position with customers, shareholders and other third parties. The mere receipt of the notice may raise questions about a company's existing cybersecurity measures and invite skepticism about a company's ability to unilaterally address problems hosted on its own network. But the best way to avoid being notified about a persistent threat on your network is to proactively prevent such infections from flourishing in the first place. Although there's no such thing as perfect security, organizations that take proactive measures such as assessments, cybersecurity awareness campaigns and the deployment of security solutions will greatly reduce the risk and impact of cyberthreats like Joanap and Brambul.
Kamal Ghali is a former deputy chief of the cybercrime section at the U.S. Attorney's Office in Atlanta and leads the cybersecurity and privacy practice at Bondurant, Mixson & Elmore, an Atlanta-based litigation and investigations firm. Mark Ray is a former FBI special agent and the global head of digital investigations and cyber defense at Nardello & Co.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250