FBI and Air Force investigators modified computer servers to collect information about a network of devices infected with malware spread by North Korean hackers, the Justice Department announced Wednesday.
The operation, backed up by court orders and search warrants that enable the so-called government hacking, allowed law enforcement to map out the breadth of the network of infected devices, known as the Joanap botnet, and to notify victims in the US of the alleged North Korean cyberattack.
“This operation is another example of the Justice Department’s efforts to use every tool at our disposal to disrupt national security threat actors, including, but by no means limited to, prosecution,” said John Demers, the assistant attorney general in charge of the Justice Department’s National Security Division, in a statement. “Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data.”
Prosecutors have said that the North Korean hackers who propagated the malware were also behind the 2014 hack of Sony Pictures Entertainment.
Investigators first obtained search warrants and orders from a federal judge in June that allowed them to use FBI computers in California to mimic a server infected with the malware and communicate with real infected devices, known as peers.
“Computers within the network of computers infected by this North Korean malware … will be prompted to communicate with FBI IPs, disclose their own lists of other known Peers, and pass addresses of the FBI IPs to other Peers in the network. This will allow the FBI to learn the Internet Protocol (‘IP’) addresses of the other Peers in the botnet, thus generating a map of the botnet,” prosecutors explained in an application for a court order last year.
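The peer-list exchange the court application describes, as an added simulation (not code from the article or from the investigation): a crawler node mimics an infected peer, asks each peer it reaches for its list, and hands out its own address so that peers the crawl never contacts later dial in and reveal themselves. The peer table and all addresses are constructed for the example, and no real Joanap protocol details are assumed.

```python
from collections import deque

# Constructed peer table standing in for the botnet: each infected host holds a
# short list of other peers. The 10.0.0.x hosts and the crawler are placeholders.
BOTNET_PEERS = {
    "10.0.0.1": ["10.0.0.2", "10.0.0.3"],
    "10.0.0.2": ["10.0.0.1", "10.0.0.4"],
    "10.0.0.3": ["10.0.0.1"],
    "10.0.0.4": ["10.0.0.2", "10.0.0.5"],
    "10.0.0.5": ["10.0.0.4"],
    "10.0.0.9": ["10.0.0.3"],   # knows a peer, but no peer lists it back
}
CRAWLER_IP = "192.0.2.10"       # the mimic node run by the investigators

def exchange_peers(host, peers, crawler_ip):
    """One exchange: the peer discloses its list and records the crawler's
    address, which it will later pass on to its own peers."""
    known = peers.setdefault(host, [])
    if crawler_ip not in known:
        known.append(crawler_ip)
    return [p for p in known if p != crawler_ip]

def crawl(seed, peers, crawler_ip):
    """Active mapping: breadth-first walk over disclosed peer lists."""
    seen, queue = {seed}, deque([seed])
    while queue:
        for p in exchange_peers(queue.popleft(), peers, crawler_ip):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen

def gossip_round(peers):
    """Normal botnet behaviour: hosts merge their peers' lists into their own,
    which spreads the crawler's address to hosts the crawl never reached."""
    for host, known in peers.items():
        for p in list(known):
            for q in peers.get(p, []):
                if q != host and q not in known:
                    known.append(q)

def map_botnet(seed, peers, crawler_ip, gossip_rounds=1):
    """Active crawl plus passive discovery: a host holding the crawler's
    address would dial it unprompted and so reveal itself."""
    peers = {h: list(v) for h, v in peers.items()}   # work on a copy
    found = crawl(seed, peers, crawler_ip)
    for _ in range(gossip_rounds):
        gossip_round(peers)
    return found | {h for h, known in peers.items() if crawler_ip in known}
```

Host 10.0.0.9 is never found by the active crawl alone; it only appears once the gossip round has carried the crawler's address to it, which is the second mechanism the application relies on.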
An amendment to the federal rule governing search warrants, passed in 2016, allows law enforcement to access information like this from remote computers that are associated with malicious conduct and whose locations are concealed.
Andrew Crocker, a senior staff attorney at the digital privacy advocacy group Electronic Frontier Foundation, said the Justice Department has used the new warrant rule to take down a botnet in the past, but said the techniques described in the warrant application appeared to be unique and “fairly sophisticated.”
“The operation appears fairly sophisticated, describing the technical steps the government will take to ensure the computers it’s accessing are actually infected, and trying to limit the type of data it collects in order to shut down the botnet and ultimately notify US users who are affected,” Crocker said.
“With that said, these techniques are inherently invasive, both because of the possibility of unintended consequences and because the government is executing searches on many computers whose owners are not accused of any wrongdoing, but which have become infected,” he said.