U.S. attributes malware to North Korea

Korean People's Army soldiers leave after paying their respects before the statues of late North Korean leaders. Photo: Ed Jones / AFP via Getty

The Homeland Security Department's Computer Emergency Readiness Team warned industry stakeholders about two types of malware Tuesday. The warning attributed the Joanap and Brambul malware to the North Korean government.

Why it matters: It is uncommon for the U.S. to make any public attribution for a cyberattack. Generally, that only happens when there is both definitive evidence for the attack and a strategic reason to name who was responsible for it. While the potential strategic aspects of the attribution may raise some eyebrows — it comes out as a former North Korean official travels to New York to meet with the administration — there may be a more mundane explanation.

Be smart: The U.S. has attributed a campaign of attacks it calls Hidden Cobra (which most others call Lazarus) to North Korea in the past. The Joanap and Brambul tools are components of the Lazarus campaign, meaning the attribution might be more about linking this report to prior reports than embarrassing Pyongyang.

The details: Joanap and Brambul appear to have been in use since at least 2009.

  • Targets in the U.S. and beyond include the media, aerospace, financial, and critical infrastructure sectors, according to the report.
  • Joanap offers North Korea a way to run a variety of commands on computers it infects, including stealing information, modifying files and directories, controlling botnets and installing more malware.
  • Brambul is a worm that travels through networks to find credentials North Korea can use in later attacks, as well as to provide Lazarus with other recon on infected systems.