
Internal Docs Show Why the US Military Publishes North Korean and Russian Malware (vice.com)

An anonymous reader quotes a report from Motherboard: Newly released and previously secret documents explain in greater detail how, and why, a section of the U.S. military decides to publicly release a steady stream of adversarial countries' malware, including hacking tools from North Korea and Russia. Cyber Command, or CYBERCOM, publishes the malware samples onto VirusTotal, a semi-public repository that researchers and defenders can then pore over to make systems more secure. The document provides more insight into how the U.S. military is engaged in an unusually public-facing campaign, and in particular highlights one of the reasons CYBERCOM wants to release other nations' hacking tools: to make it harder for enemy hackers to remain undetected.

A previously secret section of one of the CYBERCOM documents reads "Posting malware to VT [VirusTotal] and Tweeting to bring attention and awareness supports this strategy by putting pressure on malicious cyber actors, disrupting their efforts." Motherboard obtained the redacted documents through a Freedom of Information Act (FOIA) request to CYBERCOM. CYBERCOM started publishing malware in 2018, with one sample coming from Russian-linked hacking group APT28. It has since released malware from North Korean hackers. CYBERCOM also has a dedicated Twitter account for distributing news of the samples. Some tweets even include memes such as "DPRK MALWARE" written onto conversation candy hearts to coincide with a release on Valentine's Day. When it originally announced the campaign, CYBERCOM said it "initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity." But the documents show how the effort has a more offensive slant, too.
In a statement, a CYBERCOM spokesperson reiterated some of the agency's earlier public comments, writing, "We plan to continue to publicly disclose malware samples, which we believe will have the greatest impact on improving global security."

You can read the documents here.
  • by Anonymous Coward

    Does 97% of the malware run on Windows, 2% on macOS and 1% on Linux? And that malware on macOS and Linux, is it simply trojans and adware?

    • by lgw ( 121541 )

      Does 97% of the malware run on Windows, 2% on macOS and 1% on Linux? And that malware on macOS and Linux, is it simply trojans and adware?

      Head still stuck in the 90s? Modern malware runs in browsers. Oh, the payload may be a rootkit for every OS, but that's not how it travels. And, yes, with a government budget there's always a rootkit for every OS, even yours.

  • dishonest (Score:1, Troll)

    by SirAstral ( 1349985 )

    I am sure it is more than just Russian and North Korean but why a focus on just these? Is it so that everyone knows to implicate them during a black flag operation?

    Malware can come from anyone and be made to look like it came from certain places or people. That is just how computers are... they are so easy to fool and trick that forensic evidence from a computer needs to be seriously scrutinized in all cases because right now... it is just too easy to infect systems with trash and illegal content for evidenc

    • by AmiMoJo ( 196126 )

      Would be interesting to know how much of this malware uses exploits stolen from the NSA, and if the use of stolen code or exploits that the NSA is still using is a criterion for not publishing.

      • by AHuxley ( 892839 )
        NSA in the past kept secrets for decades. Methods got published 40 years later after seeking permission.
        Something about the politics around the security of the NSA changed.

        How is code floating around that is "stolen code" from the NSA?

        Mission use fails and other nations detect the server/origin/method the NSA used per mission? Again and again?
        That would point to a human factor. Contractors? Staff? Outside experts? Working with other nations' staff?

        The NSA ran its missions, used method for deca
        • "Something about the politics around the security of the NSA changed."

          Perhaps related to NSA's shift in focus, from gathering intelligence on foreign adversaries, to Nazi police state surveillance of the American people? It surely must be difficult for an agency perceived as villainous to recruit honest workers.

          • by AHuxley ( 892839 )
            Re "honest workers" kept secrets for decades. From 1950 to 1990.
            Re "foreign adversaries" the eternal budget problems with the CIA?
            Re "shift in focus" was more about who got to work and the relaxing of security to allow them to work. Like another mil/gov job.
            So the once totally hidden NSA would feel like the rest of the gov, USA. The need to prove security was relaxed to ensure more jobs opened for more people.
            That not having the needed security would not hold a person back.
            The tool use
            • I think you underestimate the impact of mission change on recruitment and retention. When the mission was fighting totalitarianism around the world, they attracted a certain quality and character of personnel. Now that the mission is implementing totalitarianism at home, they attract personnel of a wholly different quality and character.

    • I think the intent behind the limited release of notifications for specific state-sponsored malware is to increase the COST of development for our adversaries. If we "ruin" their carefully crafted tools, they are slowed down and must incur costs to develop something new.
  • What's the name of that US military unit again? I forget.
  • by Anonymous Coward

    Be it a White Flag or Black Flag operation they could just hold onto this stuff, call it top-secret, and be done with it. Are they releasing everything they know? Of course not. Is it a part of some sort of psyops? Definitely.

    The one I'm waiting for is CYBERCOM releases a hack, which appears to come from NK, Russia, etc. and was actually a virus planted by the CIA/NSA that NK/Russia didn't know about. OOPS!

    There are times to break the piggy bank and let it all come out (Indiscriminate US surveillance of

    • by AHuxley ( 892839 )
      CIA has its code floating around packed with Russian and NK "origin" hints.
      NSA finds it and tells the world how it's protecting the USA given the IP range, time zone and hints at language use in the code.
      NATO and the CIA get more funding.
      More Russian and NK code is found.
      More good news about code detection.
  • by BAReFO0t ( 6240524 ) on Wednesday February 26, 2020 @11:07AM (#59768556)

    No, this is just one mundane thing: Job security.

    Gotta have an enemy if you wanna have a budget.

    They always say they are soo much better than Russia or China, yet somehow at the same time they say Russia and China are super-scary huge monsters.
    How does that fit together?

    Simple. It's the US military helping the enemy look all scary.

    It's far from the first time either, nor in any way limited to the US. From the US agencies arming Iran against Russia, Iraq against Iran, the IS against Iraq etc, over Soviet and Nazi propaganda, to Caesar telling tales of far away horrors to justify his campaigns, it has always been part of warfare. I don't even blame them or anything. It can be a working military strategy. It's just a strategy of winning even if it destroys everything.
    Which is stupid if the enemy isn't actually that big of a threat.

    • Now check how many members of Congress have security clearances, and how the NSA's budgeting process in Congress works, and see if your hypothesis is even feasible; are there any appearances that they have to maintain?

    • "They always say they are soo much better than Russia or China, yet somehow at the same time they say Russia and China are super-scary huge monsters." Depends on what weapon system you're talking about, and what you want to do with it. Just to take one example: the US Navy's subs are all nukes; Iran and North Korea, to take two countries (rather than Russia or China), have only diesel subs (last I heard). If you need to stay under for the entire patrol, then nuke boats are the only way to go. But if you

    • Whatever their reason may have been, sharing more malware samples with VT is a good thing, especially when that malware is written by competent hackers who are paid big money to write it. APTs are hard to find and harder to deal with, their workings are often deliberately obfuscated by the people who create them. Understanding how they work is a huge benefit to everyone.

      If you want to hate on the US military and counter-intelligence, I'm sure you can find more valid reasons than that they're uploading ma
  • If I post a piece of malware to VirusTotal and it disappears, does that imply or prove that it's USA goods?

    • Hmm... I suppose it could always be labeled as benign... move along... these aren't the droids you're looking for (Jedi hand wave)
