DOJ moves to take down Joanap botnet operated by North Korean state hackers

The DOJ, FBI, and US Air Force to contact victims infected with the Joanap malware.
Written by Catalin Cimpanu, Contributor

The US Department of Justice announced today an effort to take down Joanap, a botnet built and operated by North Korea's elite hacker units.

Efforts to disrupt the botnet have been underway for several months already, based on a court order and search warrant that the DOJ obtained in October 2018.

Based on these court documents, the FBI's Los Angeles Field Office and the US Air Force Office of Special Investigations (AFOSI) have been operating servers mimicking infected computers part of the botnet, and silently mapping other infected hosts.

This was possible because of the way the Joanap botnet was built, relying on a peer-to-peer (P2P) communications system where infected hosts relay commands introduced in the botnet's network from one to another, instead of reporting to one central command-and-control server.

Now, after months of mapping fellow infected hosts, the DOJ says it plans to notify victims, directly and through their internet service providers, in an effort to have these systems disinfected, and indirectly disrupt one of North Korea's oldest cyber-weapons.

The DOJ's effort today is a natural step in its process of countering the North Korean cyber threat after last fall US authorities charged a man they believed was part of North Korea's hacking units.

The Joanap botnet is one of the tools North Korean hackers used many times in the past, which made it a prime target for the DOJ's takedown efforts.

According to a Department of Homeland Security alert published in May 2018, and according to reports from cyber-security vendors, the Joanap botnet has been around since 2009, and has been built using a combination of two malware strains.

The first is the Brambul malware, a SMB worm that spreads from Windows PC to other Windows PCs by brute-forcing Server Message Block (SMB) services running on remote computers using a list of common passwords.

Once on an infected host, the Brambul worm downloads another malware strain, the Joanap backdoor, and then moves on to scan for other computes to infect.

The Joanap backdoor trojan can download, upload, or execute files, manage local processes, and start a proxy to relay malicious traffic through the infected host.

The Joanap botnet is the network of computers infected with this very potent and feature-rich backdoor.

"Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data," said Assistant Attorney General for National Security John Demers. "This operation is another example of the Justice Department's efforts to use every tool at our disposal to disrupt national security threat actors."

North Korea's history of bold cyber attacks

More security coverage:

Editorial standards