— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) September 8, 2019
Several of the malware samples have been tied to hackers from the so-called Lazarus Group, which the U.S. government has linked with the North Korean government. Specifically, the samples look to be what’s known as “HOPLIGHT,” a trojan that has been used to gather information on victims’ operating systems and uses a public SSL certificate for secure communications with attackers.
Cyber Command uploaded 11 malware samples in all.
FireEye Managing Principal Threat Analyst Andrew Thompson said the upload signals to North Korea‘s government that it can’t remain anonymous in cyberspace.
“Will this deter intelligence activities? Of course not. That’s foolish. What it does do is articulate [North Koreans] aren’t operating free from attribution, which limits the range of activities they should see as being of acceptable risk. That is one of the reasons attribution matters,” Thompson tweeted, adding the post could possibly change North Korean behavior. “The signal to [North Korea] that their activities are attributable does matter. The significance is [North Korea] can’t just do whatever they want to do with anonymity. That’s behavior shaping.”
This announcement comes weeks after the United Nations warned that North Korea has used dozens of cyberattacks to fund its nuclear weapons program. Hours before Cyber Command posted the North Korean-linked samples online, U.S. Secretary of State Mike Pompeo said the administration hopes to return to talks with Pyongyang in the coming days or weeks.
“We’re hopeful that, in the coming days or perhaps weeks, we will be back at the negotiating table with them,” Pompeo said Sunday while speaking on ABC’s “This Week.”
Private sector relationship
This VirusTotal upload comes as Cyber Command works to enhance its relationship with the private sector — it has only been sharing samples since last year — but some cybersecurity researchers are taking issue with the upload’s timing and are concerned it may weaken the budding relationship.
Cyber Command, through DHS, sent a warning to the private sector about the malware samples approximately 48 hours in advance, according to Neil Jenkins, chief analytic officer for the Cyber Threat Alliance, a consortium of companies that shares threat intelligence. The forewarning is part of a practice Cyber Command has been following since earlier this July.
Sergio Caltagirone, vice president of threat intelligence at industrial control systems cybersecurity firm Dragos, indicated he thought uploading malware samples the security community was already aware of — especially on a Sunday morning — not be the most fruitful pursuit.
Cyber doesn’t sleep…except when you’re dropping old and known malware like it’s hot 🔥 on a Sunday. I guess the years-long equities and declass process finally finished. 🤷🏼♂️ #CNMF #infosec #malware #cybersecurity https://t.co/DY8HdfdTbS
— Sergio Caltagirone (@cnoanalysis) September 8, 2019
“The question they should be asking is whether the effect on [North Korea] is worth the loss of confidence from the infosec community,” one private sector cybersecurity source told CyberScoop.
The U.S. government, through the FBI and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, had already warned about HOPLIGHT this April in a joint alert that was to “enable network defense and reduce exposure to North Korean government malicious cyber activity.”
The timing of the release from Cyber Command comes during, the Day of the Foundation of the Republic, a national holiday celebrated on Sept. 9. But it’s unclear if that would upset Pyongyang more than if it had been released on any other day, Mintaro Oba, a former State Department official who used to advise senior U.S. officials on North Korea, told CyberScoop.
“It’s always possible they could reference the holiday in their response, but Pyongyang’s reactions generally have a lot more to do with the nature of the action than the symbolism of when it happened,” Oba said.