Usually it’s the Russians that dump its enemies’ files. This week, US Cyber Command (CYBERCOM), a part of the military tasked with hacking and cybersecurity focused missions, started publicly releasing unclassified samples of adversaries’ malware it has discovered.
CYBERCOM says the move is to improve information sharing among the cybersecurity community, but in some ways it could be seen as a signal to those who hack US systems: we may release your tools to the wider world.
“This is intended to be an enduring and ongoing information sharing effort, and it is not focused on any particular adversary,” Joseph R. Holstead, acting director of public affairs at CYBERCOM told Motherboard in an email.
On Friday, CYBERCOM uploaded multiple files to VirusTotal, a Chronicle-owned search engine and repository for malware. Once uploaded, VirusTotal users can download the malware, see which anti-virus or cybersecurity products likely detect it, and see links to other pieces of malicious code.
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on email@example.com, or email firstname.lastname@example.org.
One of the two samples CYBERCOM distributed on Friday is marked as coming from APT28, a Russian government-linked hacking group, by several different cybersecurity firms, according to VirusTotal. Those include Kaspersky Lab, Symantec, and Crowdstrike, among others. APT28 is also known as Sofacy and Fancy Bear.
Adam Meyers, vice president of intelligence at CrowdStrike said that the sample did appear new, but the company’s tools detected it as malicious upon first contact. Kurt Baumgartner, principal security researcher at Kaspersky Lab, told Motherboard in an email that the sample “was known to Kaspersky Lab in late 2017,” and was used in attacks in Central Asia and Southeastern Europe at the time.
“When reporting on it, Kaspersky Lab researchers noted it seemed interesting that these organizations shared overlap as previous Turla [another Russian hacking group] targets. Overall, it is not ‘new’ but rather newly available to the VirusTotal public.”
The malware itself does not appear to still be active. A spokesperson for Symantec told Motherboard in an email that the command and control servers—the computers that tell the malware what commands to run or store stolen data—are no longer operational. The spokesperson added that Symantec detected the sample when the company updated its detection tools a couple of months ago.
CYBERCOM announced its new initiative on Monday, and uploaded its first two samples on the same day.
Update: This piece has been updated to correct that Chronicle owns Virus Total, not Google.