Federal prosecutors in Los Angeles have obtained search warrants and court orders as part of their efforts to map the Joanap botnet — a global network of numerous infected computers under the control of North Korean hackers, the U.S. Attorney’s Office announced Wednesday.
The effort follows charges unsealed last year in which the United States charged Park Jin Hyok, a North Korean national who allegedly led a government-sponsored 2014 hacking attack on Sony Pictures Entertainment that led to the release of thousands of studio emails and financial documents.
The charges against Hyok allege that the conspiracy utilized a strain of malware, Brambul, which was also used to propagate the Joanap botnet.
“Our efforts have disrupted state-sponsored cybercriminals who used malware to establish a computer network that gave them the ability to hack into other computer systems,” U.S. Attorney Nick Hanna said in a statement.
“While the Joanap botnet was identified years ago and can be defeated with antivirus software, we identified numerous unprotected computers that hosted the malware underlying the botnet,” he said. “The search warrants and court orders announced as part of our efforts to eradicate this botnet are just one of the many tools we will use to prevent cybercriminals from using botnets to stage damaging computer intrusions.”
Joanap malware targets computers running the Microsoft Windows operating system and is used to gain access to, and maintain, infrastructure from which the hackers can carry out other malicious cyber activities. Brambul is a “worm” that crawls from computer to computer, probing whether it can gain access using certain vulnerabilities. Once installed, Joanap gave the North Korean hackers remote access to the infected computer, near-total control of it, and the ability to load additional malware onto it.
As a result of their investigation, the FBI is both notifying victims through their Internet Service Providers and providing personal notification to victims whose computers are not behind a router or a firewall. The U.S. government said it will coordinate the notification of foreign victims by contacting the host country’s government.
The criminal complaint filed in Los Angeles federal court last year charges Park with being a member of a conspiracy backed by the North Korean government that carried out numerous computer intrusions. That complaint alleged that co-conspirators used Brambul to gain unauthorized access to computers, and then used those computers to carry out their malicious cyber activities.
The Brambul worm itself was recovered from the computer networks of some victims of the conspiracy. Joanap targets Microsoft Windows operating systems, but running Windows Defender Antivirus and using Windows Update will remediate and prevent infections by Joanap. A number of free and paid antivirus programs are also already capable of detecting and removing Joanap and Brambul, including the Microsoft Safety Scanner, a free product, prosecutors said.