Internal Docs Show Why the U.S. Military Publishes North Korean and Russian Malware

A previously secret document obtained by Motherboard shows how, and why, CYBERCOM is publicly releasing malware from adversaries.
February 25, 2020, 1:00pm
General Paul Nakasone
Image: Chip Somodevilla/Getty Images

Newly released and previously secret documents explain in greater detail how, and why, a section of the U.S. military decides to publicly release a steady stream of adversarial countries' malware, including hacking tools from North Korea and Russia. Cyber Command, or CYBERCOM, publishes the malware samples onto VirusTotal, a semi-public repository that researchers and defenders can then pore over to make systems more secure.

The document provides more insight into how the U.S. military is engaged in an unusually public-facing campaign, and in particular highlights one of the reasons CYBERCOM wants to release other nation's hacking tools: to make it harder for enemy hackers to remain undetected.

A previously secret section of one of the CYBERCOM documents reads "Posting malware to VT [VirusTotal] and Tweeting to bring attention and awareness supports this strategy by putting pressure on malicious cyber actors, disrupting their efforts.” Motherboard obtained the redacted documents through a Freedom of Information Act (FOIA) request to CYBERCOM.

Do you work on government hacking operations? Have you in the past? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

CYBERCOM started publishing malware in 2018, with one sample coming from Russian-linked hacking group APT28. It has since released malware from North Korean hackers.

CYBERCOM also has a dedicated Twitter account for distributing news of the samples. Some tweets even include memes such as "DPRK MALWARE" written onto conversation candy hearts to coincide with a release on Valentines Day.

When it originally announced the campaign, CYBERCOM said it "initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity." But the documents show how the effort has a more offensive slant, too.

A previously secret section of a CYBERCOM document obtained by Motherboard. Image: Motherboard

Thomas Rid, professor of strategic studies at Johns Hopkins School of Advanced International Studies, said that the "remarkable" release confirms several things many observers long suspected. One being “that Cyber Command deploys VirusTotal uploads for both offensive and defensive purposes at the same time—to ‘impose costs on nation state malicious cyber actors’ and to ‘enhance our shared global cybersecurity,'" Rid said.

Another redacted document lays out some of CYBERCOM's step-by-step process for releasing adversaries' malware onto VirusTotal. Analysts from CYBERCOM's Cyber National Mission Force (CNMF) look at malware samples, determine their "uniqueness and suitability for release;" the nominating task force must have the malware physically in their possession prior to nomination, the document reads. If declassification of the sample is necessary, that is then handled through the ordinary process, the document adds.

Information on the sample is provided to CYBERCOM's Joint Operations Center. Samples are then provided to a number of other redacted entities, and a CYBERCOM public affairs officer is notified. After more back and forth, there is "public notification to amplify public awareness."

Once CYBERCOM releases malware, members of the information security community can then access it, analyze it, and attribute it themselves to suspected government hacking campaigns. Cybersecurity companies can potentially use the information to find more information on previous hacking campaigns or update their products to detect the malware, perhaps making the hackers' operations less effective or harder to carry out.

Under the heading "Desired Effects," another document reads "Impose cost [redacted] by highlighting malware to the cybersecurity community for rapid integration into antivirus software, increasing attrition to continued [redacted]."

"Public researchers will attribute malware [redacted]," the document adds.

"Cyber Command apparently is counting on ‘rapid attribution’ of the malicious tools it reveals, meaning follow-on attribution by commercial cybersecurity companies and independent researchers is part of ‘imposing costs’ on adversary states," Rid said.

"The Department of Defense is thus using a Google-owned company and third-party researchers for offensive purposes—and practically asking for its adversaries to reciprocate in kind,” Rid said. (VirusTotal is owned by Chronicle, a cybersecurity company that was born out of Google's "X" research and development program).

In a statement a CYBERCOM spokesperson reiterated some of the agency's earlier public comments, writing, "We plan to continue to publicly disclose malware samples, which we believe will have the greatest impact on improving global security."

While sections of the documents that describe the results of the campaign are redacted, one section of the "Results to Date" section was included: that the CYBERCOM notification Twitter account achieved 11.5k Twitter followers.

You can read the documents here and below.

Subscribe to our cybersecurity podcast, CYBER.