The U.S. Justice Department has Microsoft's and millions of Windows users' backs when it comes to botnets. Law enforcement has disclosed an in-progress campaign to neutralize the Joanap botnet built by North Korean hackers that has for years infected Microsoft Windows machines worldwide.
Joanap is the work of the same nation-state advanced persistent threat, Hidden Cobra, linked to the destructive WannaCry ransomware assault in 2017, the $81 million heist from the Bangladesh Central Bank in 2016, attacks on the SWIFT banking system, and the Sony Pictures heist in 2014. Operations to “map and further disrupt” the botnet have been running since last October, when law enforcement secured a court order and search warrant.
The campaign to take down Joanap follows Justice’s charges against Park Jin Hyok, a North Korean citizen, for conspiring in numerous hacks allegedly backed by the North Korean government. U.S. authorities claim that the hackers use an automated worm called Brambul, which moves from one computer to another, peer-to-peer style, to propagate the Joanap botnet. Ultimately, Joanap gives the bad actors remote access to and control of a network of compromised Windows systems.
Because the second-stage Joanap and the first-stage Brambul worm have been around since 2009, the botnet scheme stood out as a likely target for U.S. authorities to pursue, even though a number of anti-virus platforms, including Windows Defender, can identify and nullify it.
Key to the takedown effort is a court order and search warrant U.S. law enforcement authorities were able to obtain. It enabled the Federal Bureau of Investigation (FBI) and the U.S. Air Force Office of Special Investigations (AFOSI) to set up an operation to imitate infected peers and collect certain identifying and technical information about other contaminated machines, including IP addresses, port numbers, and connection timestamps.
Ultimately, it enabled the FBI and AFOSI to map the current Joanap botnet of infected computers.
“Computers around the world remain infected by a botnet associated with the North Korean Regime,” said John Demers, Assistant Attorney General for National Security. “Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data. This operation is another example of the Justice Department’s efforts to use every tool at our disposal to disrupt national security threat actors, including, but by no means limited to, prosecution.”
Using information collected under the search warrant, the government is notifying U.S. victims that Joanap is present on an infected computer, through their Internet service provider and/or directly (where contact details are available). U.S. officials said they will reach foreign victims through the host country’s government.
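The mapping step described above (a sensor posing as a peer and recording the IP address, port and connection timestamp of each host that contacts it) and the notification step that follows it both reduce to the same bookkeeping: collapse many connection observations into one record per infected host, then group those hosts by the provider that will carry the notification. The script below is an added illustration of that defender-side workflow and is not code from the article, the FBI or AFOSI. It assumes a simple whitespace-separated record format (timestamp, IP, port); the log lines, the provider names and the address-to-provider table are all constructed here from RFC 5737 documentation ranges and are not real observations.

```python
"""Aggregate peer-connection observations into a victim map.

Added example, not code from the article or from the operation it
describes. Assumes a sensor log of "timestamp ip port" records; every
address, provider name and record below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress

# Constructed sample of what the sensor log is assumed to look like.
# One malformed line is included to show that it is skipped, not fatal.
SAMPLE_LOG = """\
2018-10-12T01:15:02Z 198.51.100.23 49187
2018-10-12T01:16:40Z 203.0.113.7 51002
2018-10-12T02:03:11Z 198.51.100.23 49190
2018-10-13T09:44:58Z 192.0.2.150 50111
2018-10-13T10:01:00Z 203.0.113.7 51002
not-a-record
2018-10-14T22:30:05Z 198.51.100.23 49187
"""

# Constructed mapping of network prefixes to the (hypothetical) provider
# that would be asked to pass a notification on to its customer.
ISP_PREFIXES = {
    ipaddress.ip_network("198.51.100.0/24"): "ExampleNet (US)",
    ipaddress.ip_network("203.0.113.0/24"): "SampleTelecom (foreign)",
}


@dataclass
class Victim:
    ip: str
    first_seen: datetime
    last_seen: datetime
    ports: set = field(default_factory=set)
    connections: int = 0


def parse_record(line):
    """Return (timestamp, ip, port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        ip = str(ipaddress.ip_address(parts[1]))
        port = int(parts[2])
    except ValueError:
        return None
    if not 0 < port < 65536:
        return None
    return ts, ip, port


def build_victim_map(log_text):
    """Collapse many connection records into one entry per infected host."""
    victims = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # skip garbage rather than abort the whole run
        ts, ip, port = rec
        v = victims.get(ip)
        if v is None:
            v = victims[ip] = Victim(ip, ts, ts)
        v.first_seen = min(v.first_seen, ts)
        v.last_seen = max(v.last_seen, ts)
        v.ports.add(port)
        v.connections += 1
    return victims


def lookup_isp(ip):
    """Find the provider responsible for an address, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, name in ISP_PREFIXES.items():
        if addr in net:
            return name
    return "unknown"


def notification_batches(victims):
    """Group infected hosts by provider so each provider gets one list."""
    batches = defaultdict(list)
    for v in victims.values():
        batches[lookup_isp(v.ip)].append(v.ip)
    return {isp: sorted(ips) for isp, ips in batches.items()}


if __name__ == "__main__":
    vm = build_victim_map(SAMPLE_LOG)
    for v in vm.values():
        print(f"{v.ip}: {v.connections} connections, ports {sorted(v.ports)}, "
              f"{v.first_seen.date()} .. {v.last_seen.date()}")
    print(notification_batches(vm))
```

Keeping first-seen and last-seen timestamps per host matters for the notification step: a host that stopped connecting weeks ago may already have been cleaned, so the batch sent to a provider should carry the last observation date rather than a bare list of addresses.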