US Launches Major Effort to Disrupt North Korean Botnet

The US authorities have begun notifying victims of a notorious botnet run by North Korean state-sponsored hackers, as their efforts to disrupt the hermit nation's malicious activity increase. A court order allowed the FBI and officers from the US Air Force Office of Special Investigations (AFOSI) to operate servers mimicking other peers in the Joanap botnet. This enabled them to map the extent of the botnet and the locations of infected machines.

The next stage is to notify the owners of those machines, most of whom will have no idea they’re unwittingly aiding a foreign power’s hacking campaigns. The FBI is coordinating this process via ISPs and, in some cases, direct communications with the individuals, as well as communicating with foreign governments in cases where victims live abroad.

The Joanap botnet has been in operation since 2009, enabled by the first-stage Brambul worm, which targets poorly secured Windows machines. Brambul spreads via a list of hard-coded log-in credentials, which it uses to brute-force its way into SMB shares. Once Joanap is dropped, it goes on to scan for other potential victims.
