News & Events - News

What We Can Learn from the FBI’s Disruption of North Korea’s Botnet

February 20, 2019
By Kamal Ghali and Mark Ray
Atlanta, GA

Much like your company’s IT team uses command-and-control software to fix your computer remotely, a botnet can give a single actor the power to control an army of infected computers. But the Joanap botnet comes with a unique twist.

On Jan. 30, the U.S. Department of Justice revealed a secret operation to disrupt and uncover the Joanap botnet—one of North Korea’s tools for inflicting technological mayhem around the world. The FBI’s strategy, which in part turns on notifying users infected with the malware, underscores critical lessons about how cybersecurity awareness can serve U.S. national security goals and protect companies from damaging cyberattacks.

For at least a decade, the Joanap botnet, which North Korean actors propagated using a malware strain referred to as “Brambul,” has wreaked havoc around the world and in the United States. In 2018, US-CERT, a Department of Homeland Security entity responsible for disseminating cyberthreat information, warned that the malware combination had been targeting numerous industries, “including the media, aerospace, financial, and critical infrastructure sectors.” What’s more, in a detailed criminal complaint filed against North Korean citizen Park Jin Hyok, U.S. authorities linked the Brambul malware to North Korean actors dubbed “Lazarus Group”—the same group associated with the hack of Sony, the WannaCry ransomware and massive financial thefts.

Generally, botnets are powerful tools in the hands of cybercriminals, and Joanap is no exception. Much like your company’s IT team uses command-and-control software to fix your computer remotely, a botnet can give a single actor the power to control an army of infected computers. But the Joanap botnet comes with a unique twist. That is, according to affidavits submitted in support of the operation, instead of controlling infected computers through one centralized command and control server, North Korean threat actors can use infected computers to control other infected computers in the same network. So a victim computer ensnared by Joanap doesn’t just risk having its information stolen by North Korean attackers, it risks becoming a part of the infrastructure that attackers can use to victimize other computer users around the world.

How the FBI Began to Identify Infected Computers

In 2018, the FBI obtained court approval to conduct a technical operation designed to identify and pinpoint infected computers that comprised the Joanap botnet. Using a relatively new change to Federal Rule of Criminal Procedure 41 that authorizes “remote access to search electronic storage media” outside of a particular district in certain narrow circumstances, the FBI operated servers that acted like computers infected with Joanap; it then collected metadata sent by other infected computers trying to communicate with the FBI-controlled servers. That data flow gave the FBI critical insight into the location and identity of infected computers around the world. Using that information, the FBI intends to notify computer users about the North Korean malware sitting on their computers.

Historically, the FBI has proactively reached out to victims to notify them of them of infections, known data breaches and other malicious activity on corporate networks. But waiting for the FBI to notify you of a cyber incident is a poor strategy for reducing your company’s cyberrisk. Companies should be taking a number of steps to proactively assess their cybersecurity posture before any FBI notice. Regular cybersecurity assessments by third parties can go a long way toward identifying existing vulnerabilities, quantifying cyberrisks and helping organizations determine whether they have blind spots that allow pernicious cyberthreats such as Joanap to go unnoticed. And, depending on the circumstances, working with outside counsel to obtain such assessments as part of a comprehensive legal strategy may help to ensure that certain aspects of the assessments remain confidential. Fortunately, according to the Department of Justice, infected users can take steps to mitigate and contain the Joanap malware. There are a number of programs capable of removing the malware and remediating infections and maintaining up-to-date anti-virus can prevent reinfection.

Of course, the FBI’s notice campaign may put organizations in a precarious position with customers, shareholders and other third parties. The mere receipt of the notice may raise questions about a company’s existing cybersecurity measures and invite skepticism about a company’s ability to unilaterally address problems hosted on its own network. But the best way to avoid being notified about a persistent threat on your network is to proactively prevent such infections from flourishing in the first place. Although there’s no such thing as perfect security, organizations that take proactive measures such as assessments, cybersecurity awareness campaigns and the deployment of security solutions will greatly reduce the risk and impact of cyberthreats like Joanap and Brambul.

Kamal Ghali is a former deputy chief of the cybercrime section at the U.S. Attorney’s Office in Atlanta and leads the cybersecurity and privacy practice at Bondurant, Mixson & Elmore, an Atlanta-based litigation and investigations firm.

Mark Ray is a former FBI special agent and the global head of digital investigations and cyber defense at Nardello & Co.

Press Inquiries

Practice Areas