The Pentagon has begun declassifying other people's malware
US Cyber Command (USCYBERCOM) has announced an unusual initiative: it promises to regularly upload samples of "declassified malware" to the VirusTotal database.
It is not hard to guess that this means cyber weapons used by foreign intelligence services in ongoing operations (every country with an advanced intelligence apparatus, Russia included, has cyber intelligence units). In other words, US intelligence intends to put the adversary's tools on public display. Once a sample appears in VirusTotal, it is picked up by every anti-virus vendor's database, and that specific build becomes effectively useless to its operators. The caveat is that a signature covers only the published build: recompiling or repacking the implant defeats hash-based detection, so the practical value of a disclosure depends on what else defenders learn about the tool and its use.
"This appears to be an example of a new US strategy aimed at actively pursuing foreign state actors. By publishing their malware, the US forces them to constantly find and exploit new vulnerabilities," said security expert and cryptographer Bruce Schneier, commenting on the move.
US Cyber Command intends to act as publicly as possible, widely informing the public about adversary malware. A new Twitter account, USCYBERCOM Malware Alert, has been opened specifically for announcements of new malware samples submitted to VirusTotal.
So far, two samples have been submitted.
Of course, the intelligence services declassify an adversary's tools only once they no longer have an interest in keeping them secret, that is, after the relevant counterintelligence work has been done and information has been collected on the foreign actors, their goals, their methods and so on. Only then are the foreign tools declassified and uploaded to VirusTotal.
The first such samples were published by the Cyber National Mission Force (CNMF), a unit subordinate to US Cyber Command. Interestingly, the opening of the Twitter account and the publication of the samples was not accompanied by the press release that public institutions usually issue for a new initiative, notes ThreatPost, an information-security publication. It was done without warning.
"Recognizing the value of working with the public sector, CNMF has initiated an effort to share declassified malware samples that we believe will have the greatest impact on improving global cybersecurity," said a brief statement from CNMF.
The first two declassified samples are the files rpcnetp.dll and rpcnetp.exe. These droppers are used by the Computrace-based backdoor of the hacker group APT28 / Fancy Bear, which is believed to operate on behalf of the Russian Federation.
"This particular pair of samples, Computrace / LoJack / LoJax, is in fact a trojanized version of the legitimate LoJack software from a company formerly called Computrace (now called Absolute). The trojanized version of the legitimate LoJack software is called LoJax or DoubleAgent," explained a US intelligence spokesperson.
The release of such samples is a bold step for the Department of Defense, which for a long time kept its cyber activity and the knowledge it gained secret, comments an independent expert who is director of cybersecurity at Carbon Black: "This is a huge step forward for the cybersecurity community. It enables the cybersecurity community to mobilize and respond to threats in real time, thereby helping the government protect and secure American cyberspace."
John Hultquist, director of intelligence analysis at FireEye, noted that the malware is being disclosed "in a vacuum", without any mention of the specific adversary intelligence operations or the counterintelligence operations behind it: "There will undoubtedly be a strategy behind these disclosures for intelligence operations, but their simplicity may allow for simpler and faster actions, which the government has historically fought against," Hultquist said. In practice, though, the lack of context can reduce the effectiveness of defensive measures: to build reliable defenses, one needs to understand clearly how, and for what purpose, the adversary used these tools.