The U.S. government has taken another step in its strategy of outing the offensive tools and operations used by foreign governments in cyberspace: U.S. Cyber Command’s National Cyber Mission Force is now contributing unclassified malware samples to the VirusTotal portal.
CNMF comprises several separate teams inside U.S. Cyber Command, some of which are defensive and others of which have offensive missions. The teams are responsible both for detecting attacks against U.S. networks and for running supportive and disruptive operations of their own. As such, the CNMF, and Cyber Command as a whole, have an unusually broad view of the tools used by foreign adversaries, especially APT groups and other state-sponsored teams. Much of what they collect is classified, but some of the samples that aren’t will now appear on VirusTotal.
“Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity,” the CNMF said in a statement.
Interestingly, the first two files that the CNMF uploaded after announcing the initiative this week were samples of the LoJax malware, a sophisticated UEFI rootkit that has been attributed to Russia’s Fancy Bear attack group. The malware has the ability to modify a machine’s low-level firmware during the boot process and create a persistent foothold on the computer for the attacker. Researchers at ESET published a detailed analysis of the LoJax malware earlier this year.
“Our investigation has determined that this malicious actor was successful at least once in writing a malicious UEFI module into a system’s SPI flash memory. This module is able to drop and execute malware on disk during the boot process. This persistence method is particularly invasive as it will not only survive an OS reinstall, but also a hard disk replacement,” ESET wrote in a white paper analyzing the LoJax malware.
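The persistence ESET describes depends on the BIOS region of SPI flash being writable from the running operating system. As an added, defender-side example (not code from the article, from ESET’s paper or from CNMF), the script below decodes the Intel PCH BIOS_CNTL register bits that govern that write path and reports whether the region is locked. The bit layout (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5) follows Intel’s PCH datasheets; the register values fed to it are constructed, the verdict ordering is my own reading of the documented bit semantics rather than any specific tool’s logic, and reading the live register on a real host requires a firmware audit tool such as chipsec with root access.

```python
"""Decode an Intel PCH BIOS_CNTL register value and judge whether the SPI-flash
BIOS region is locked against writes from the running OS, which is the write
path a firmware rootkit such as LoJax needs for persistence.

Added example, standalone. Bit layout (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5)
follows Intel PCH datasheets; the sample register values are constructed,
not read from real hardware."""

from dataclasses import dataclass

BIOSWE = 1 << 0   # BIOS Write Enable: 1 = flash writes are currently allowed
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes are honoured only while in SMM


@dataclass(frozen=True)
class BiosCntl:
    """Decoded view of the BIOS_CNTL bits that matter for write protection."""
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @classmethod
    def from_value(cls, value: int) -> "BiosCntl":
        return cls(
            bioswe=bool(value & BIOSWE),
            ble=bool(value & BLE),
            smm_bwp=bool(value & SMM_BWP),
        )


def assess_write_protection(value: int) -> tuple[str, str]:
    """Return (verdict, reason) for a raw BIOS_CNTL value.

    Verdicts are 'unprotected', 'partial' or 'protected'. The check order is
    an assumption based on the documented bit semantics, not a copy of any
    particular audit tool's implementation."""
    bits = BiosCntl.from_value(value)
    if bits.bioswe:
        return "unprotected", "BIOSWE is set: the BIOS region is writable right now"
    if not bits.ble:
        return "unprotected", "BLE is clear: BIOSWE can be set from the OS with no SMI check"
    if not bits.smm_bwp:
        # BLE on its own can be raced: the write-enable bit is set and the
        # write issued before the SMI handler clears the bit again.
        return "partial", "BLE set but SMM_BWP clear: the write-enable lock can be raced"
    return "protected", "BLE and SMM_BWP set: flash writes require SMM"


# Constructed sample readings for four hypothetical hosts (not real systems).
SAMPLE_REGISTERS = {
    "locked_desktop": 0x22,   # BLE | SMM_BWP
    "ble_only": 0x02,         # BLE without SMM_BWP
    "wide_open": 0x00,        # nothing set
    "write_enabled": 0x01,    # BIOSWE set
}


def audit(registers: dict[str, int]) -> dict[str, str]:
    """Map each host name to its verdict, the shape a fleet-wide report takes."""
    return {host: assess_write_protection(v)[0] for host, v in registers.items()}


if __name__ == "__main__":
    for host, value in SAMPLE_REGISTERS.items():
        verdict, reason = assess_write_protection(value)
        print(f"{host:15s} BIOS_CNTL=0x{value:02x} -> {verdict}: {reason}")
```

Any host that reports something other than "protected" is one where this particular lock would not stop an OS-level write to the BIOS region; a full firmware audit also needs to consider the SPI Protected Range registers and the flash descriptor, which this decoder does not cover.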
Security researchers have known about the LoJax malware for a few years and it has gone through a few different incarnations. And it’s likely that a good portion of the samples that CNMF will share in the future will already be known to the private research community, but that doesn’t mean that there’s no value in sharing them. The simple act of a U.S. government agency publicly sharing a sample of a specific malware tool sends a message, both to the research community and to foreign adversaries.
Experts said the move by CNMF to share samples would be a benefit to the entire community.
“I’m very pleased to see the CNMF take this step as they move to increase their outreach and partnerships with the private sector. I expect that the research community, both in the United States and abroad, will find that Cyber Command is highly capable of contributing to collective defense in cyberspace,” said David Weinstein, vice president of threat research at Claroty and a former Senior Operations Planner at U.S. Cyber Command.
The move to share malware samples with the wider security community comes at a time when the U.S. government is putting an increasing amount of pressure on foreign attackers through a number of different avenues. Last week, the Department of Justice unsealed an indictment against a Chinese government-owned company, a Taiwanese company, and several people in connection with a cyberespionage campaign that allegedly aimed to steal trade secrets from memory manufacturer Micron Technology.
“The Chinese government is determined to acquire American technology, and they’re willing to use a variety of means to do that – from foreign investments, corporate acquisitions, and cyber intrusions to obtaining the services of current or former company employees to get inside information,” FBI Director Chris Wray said in a statement.
The Department of Homeland Security has also issued several separate detailed technical alerts in the last few months describing various attack campaigns aimed at U.S. public and private networks, and has explicitly identified Russian and North Korean groups as being responsible.