Why did Cyber Command back off its recent plans to call out North Korean hacking?
U.S. Cyber Command was on the verge of again publicly calling out North Korean hackers for targeting the financial sector in late September, but ultimately backed off the plan by early October, multiple sources familiar with the decision tell CyberScoop.
The announcement was to be part of a Cyber Command effort to publicly share malware samples on VirusTotal, a web platform dedicated to tracking malware. Led by Cyber Command’s Cyber National Mission Force, those postings are intended to call out adversary-linked hacking in the hopes that it will deter groups from similar efforts in the future.
It wasn’t clear why the decision was made to refrain from publicly posting malware samples this time around, despite the fact that Cyber Command has done so numerous times in recent months. It didn’t appear to be an issue of accuracy — the Pentagon outfit still decided to share private advisories with threat intelligence companies and the financial sector.
A number of experts who saw the malware analysis report told CyberScoop it can be attributed to Lazarus Group, a nation-state hacking group with ties to North Korea.
FASTCash redux
It’s unclear whether the available information about the malware’s makeup and targets provide any clarity about why Cyber Command pulled its punches.
Neil Jenkins, the Cyber Threat Alliance’s chief analytic officer, told CyberScoop the samples resemble malware exposed in a 2018 announcement from the U.S. government that detailed a Lazarus Group campaign in which it allegedly stole tens of millions of dollars from ATMs in Africa and Asia, dubbed FASTCash.
Adam Kujawa, Director of Malwarebytes Labs, told CyberScoop that one of the samples is likely related to Lazarus Group because it uses the same certificate as malware found on the Chilean interbank network Redbanc last year. Those same certificates were also used in targeting in Pakistan‘s banking sector around the same time.
FireEye, which also attributes the samples to Lazarus Group, told CyberScoop the malware is designed to alter ATM requests.
The Cyber Threat Alliance, whose member companies share threat information among themselves, received advanced warning on Sept. 30 from the Department of Homeland Security about Cyber Command’s intention to post the malware to VirusTotal, Jenkins told CyberScoop.
But that same day, someone posted the samples to VirusTotal and the Pentagon‘s plan was called off. It’s unknown exactly who was responsible for the VirusTotal upload.
Hours later, Pyongyang and Washington agreed to resume denuclearization talks, which would be the first time North Korea and the U.S. had discussed the matter since February.
Cyber Command declined to comment on why they decided not to post the malware publicly.
VirusTotal: Foreign policy tool or defense enhancement?
The behind-the-scenes reversal by Cyber Command appears to affirm that the VirusTotal sharing program may serve a dual purpose.
Over the course of the last year, Cyber Command has been using the Virus Total posts as a way to keep the security community guarded against adversarial threats. In at least one case, a Cyber Command announcement exposed an active attack from Russian-linked hackers.
But the agency also has been calling out malware that the security community already had on its radar, in what appears to be an attempt to change adversaries’ behavior.
The past two times Cyber Command uploaded North Korean-linked malware to VirusTotal, the security community was already aware of the code’s existence.
Even with those announcements, Cyber Command’s VirusTotal use is not yet a full-blown foreign policy tool, says Dave Weinstein, Claroty‘s Chief Security Officer and a former employee at Cyber Command.
“The cost to [North Korea] of [Cyber Command] posting the malware just isn’t that high at this point,” said Weinstein. “Don’t get me wrong, I think [Cyber Command] is doing a great job with posting malware samples. But right now it’s all about empowering cyber defenders, not non-proliferation [efforts of] diplomats.”
Cyber Command’s attention to North Korean malware first cropped up in August, days after North Korea claims to have launched a short-range ballistic missile. It also came a month after a promise between the U.S. and North Korea to hold further denuclearization talks had stalled.
In September, Cyber Command posted its largest-ever set of malware to VirusTotal, which security researchers linked with North Korea. That same day, U.S. Secretary of State Mike Pompeo said the administration hoped to resume talks with Pyongyang. The U.S. Treasury Department that week followed up by sanctioning three hacking groups working at the behest of North Korea, including Lazarus Group.