On Wednesday, the Department of Justice (DOJ) revealed an ongoing effort to disrupt a North Korean botnet, or “global network of numerous infected computers under the control of North Korean hackers.” DOJ’s action serves as a reminder that North Korea poses a threat to the U.S. and its allies not only with its nuclear and conventional weapons, but also with a wide range of asymmetric capabilities including cyber operations.
DOJ’s target is the Joanap botnet, which it described as a second-stage malware spread by a virus called Brambul. Joanap and Brambul have persisted since 2009 despite the availability of antivirus software capable of defending against or remediating infections. Last May, the U.S. Computer Emergency Readiness Team (US- CERT) issued a technical alert on both Joanap and Brambul, which reportedly has compromised 87 network nodes across 17 different countries. This latest action follows DOJ’s charges against Pak Jin Hyok, a North Korean computer programmer involved in several North Korean cyberattacks.
To confront and disable North Korea’s cyber intruders, the FBI and the U.S. Air Force Office of Special Investigations (AFOSI) obtained search warrants permitting them to operate servers that imitated parts of the botnet. This allowed the FBI and AFOSI to collect technical evidence – primarily IP addresses, port numbers, and connection time stamps – to build a clearer map of the entire Joanap botnet and the infected computers.
North Korea’s cyber operations have continued throughout the last year despite Kim Jong Un’s April 2018 pledge “to completely cease all hostile acts against [South Korea] in every domain.” Yet, the South Korean government reported intrusions against a myriad of financial and political targets as early as last May. Additionally, in December, Seoul’s Ministry of Unification disclosed that hackers stole the personal data of 997 North Korean defectors. While attribution remains unconfirmed, the leading culprit is North Korea.
While DOJ’s latest action is a step in the right direction to confront the North Korean cyber threat, the U.S. should consider sanctioning private companies and individuals affiliated with North Korea’s Reconnaissance General Bureau (RGB) that oversees nearly all of North Korea’s cyber operations. Specifically, both the UN Panel of Experts and news media have highlighted how the Malaysian company Global Communications (Glocom) continues serving as a key RGB funding source in clear breach of UN and U.S. sanctions. Although Glocom is not directly affiliated with RGB cyber operations, targeting the company could cut off a key financial lifeline for Pyongyang’s hackers.
As a second Trump-Kim summit approaches, the Trump administration cannot forget that North Korea poses a threat not only with its nuclear weapons, but also with cyber and other asymmetric capabilities. President Trump should press Kim to stop these incessant cyberattacks during their upcoming meeting.
Mathew Ha is a research associate focused on North Korea at the Foundation for the Defense of Democracies, where he also contributes to FDD’s Center on Cyber and Technology Innovation (CCTI) and Center on Economic and Financial Power (CEFP). Follow Mat on Twitter @MatJunsuk.