U.S. announces disruption of ‘Joanap’ botnet linked with North Korea

Joanap's disruption comes after U.S. charges against a North Korean linked with the Sony Pictures hack.
North Korea flag
The North Korean flag. (Getty Images)

The Justice Department on Wednesday announced a wide-ranging operation to map and disrupt a botnet linked to North Korea that has infected numerous computers across the globe over the last decade.

Through a search warrant and court order, the department inflicted a potentially damaging blow to the so-called Joanap botnet, which U.S. officials attributed to the North Korean government. The search warrant allowed the FBI to control servers that mimicked computers within the botnet, giving the bureau a clearer picture of the zombie computer army and the ability to alert victims.

Joanap is malware that targets Microsoft Windows. It works in tandem with a worm dubbed Brambul that stalks computers, looking for a vulnerable way in, the Justice Department said in a press release.

“Once installed on an infected computer, Joanap would allow the North Korean hackers to remotely access infected computers,” giving them root-level access and the chance to load more malicious code, the department said.


The groundwork for the disruption of Joanap was laid in a parallel investigation of a North Korean computer programmer named Park Jin Hyok. U.S. prosecutors last September unsealed charges against Park for his alleged role in the digital dismemberment of Sony Pictures Entertainment, among other North Korea-linked hacks. That alleged conspiracy used a strain of the Brambul malware, U.S. officials said.

The FBI is notifying Joanap’s victims through their internet service providers, but also contacting individuals whose computers aren’t behind a firewall or router. But plenty more work remains.

“Computers around the world remain infected by a botnet associated with the North Korean regime,” Assistant Attorney General John Demers said in a statement. He described the Justice Department initiative as an ambitious effort to “eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data.”

A Department of Homeland Security assessment published last May said that, since at least 2009, North Korean hackers had likely used Joanap and Brambul to target victims in “the media, aerospace, financial, and critical infrastructure sectors.”

The United States has struggled to deter North Korean hackers, whose targeting has shown few constraints. In an October advisory obtained by CyberScoop, the FBI told U.S. companies that North Korean computer operatives would continue to target financial institutions despite U.S. attribution of such activity to Pyongyang.


The longevity of Joanap, which can be detected by antivirus products, is testament to the enduring vulnerability of unpatched systems.

“While the Joanap botnet was identified years ago and can be defeated with antivirus software, we identified numerous unprotected computers that hosted the malware underlying the botnet,” said U.S. Attorney Nicola Hanna.

The search warrant for Joanap was based on a controversial amendment to Rule 41 of the Federal Rules of Criminal Procedure that the Supreme Court approved in 2016. The amendment lets U.S. judges issue warrants for computers outside of their jurisdictions. Critics have warned that the amendment would significantly broaden the FBI’s authorities in cyberspace, while backers have said the amendment is a necessary tool for tracking down cybercriminals.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts