LOS ANGELES (CN) – Federal agents have begun to untangle a network of infected computers playing host to a virus that allowed North Korean hackers to infect more devices in a cascading series of global cyberattacks, according to a search warrant unsealed Wednesday.
Authorities describe the Joanap botnet as a global network of infected computers running the Windows Microsoft operating system unwittingly part of a conspiracy backed by the North Korean government, according to charges against Pyongyang operative Park Jin Hyok unsealed this past September.
Since 2009, Park used a strain of malware to infect computers that would then automatically infect other computers, allowing him to commit wire fraud and other acts of computer intrusion according to the U.S. Department of Justice.
Investigators believe Park is connected with the Lazarus Group, which has been blamed for a number of cyberattacks within the last decade. These include the theft of $81 million from the Bangladesh Bank – part of an attempt in 2016 to steal $1 billion – and the 2015 thefts of $12 million and $1 million, respectively, from the Banco del Austro in Ecuador and the Tien Phong Bank in Vietnam.
Prosecutors say Park hacked Sony Pictures in 2014 on behalf of North Korea’s Reconnaissance General Bureau, which controls most of the country’s cyberattack capabilities. The 2014 attack is believed to have emanated from a pressure campaign by North Korea to have Sony cancel its planned release of “The Interview,” a comedy starring James Franco, Seth Rogen and Randall Park depicting a satirical assassination of North Korea’s leader Kim Jong-Un.
Investigators used servers that mimicked the infected computers to map the scope of the bot network. As the computer virus attempted to take over these faux infected computers, agents were able to collect data on the network of infected computers, according to a 94-page search warrant application filed October 2018 and unsealed Wednesday.
In short, the FBI and U.S. Air Force Office of Special Investigations disrupted the connections between infected computers and this provided investigators a wider look at who was infected.
The government will now notify victims in the United States by contacting their internet providers, while those infected in other countries will be contacted by their respective governments.
Investigators said most anti-virus software can detect and remove the malware.
Park remains a fugitive wanted by the FBI, and the Democratic People’s Republic of Korea does not have an extradition treaty with the United States.