U.S. Cyber Command, the sister division of the National Security Agency focused on offensive hacking and security operations, has released a set of new samples of malware linked to North Korean hackers.
The military unit tweeted Wednesday that it had uploaded the malware to VirusTotal, a widely used database for malware and security research. It’s not the first time the unit has uploaded malware to the server — it has its own Twitter account to tell followers what malware it uploads. On one hand the disclosure helps security teams fight threats from nation states, but it also gives a rare glimpse inside the nation-state backed hacking groups that Cyber Command is focused on. The uploaded malware sample is named Electric Fish by the U.S. government, Electric Fish is a tunneling tool, designed to exfiltrate data from one system to another over the internet once a backdoor has been placed. Electric Fish is linked to linked to the APT36 hacking group. FireEye says APT36 has distinctly different motivations from other North Korean-backed hacking groups like Lazarus, which was blamed for the Sony hack in 2016 and the WannaCry ransomware attack in 2017. APT36 is focused on financial crimes, such as stealing millions of dollars from banks across the world, the cybersecurity firm said. Electric Fish was first discovered in May, according to Homeland Security’s cybersecurity division CISA, but APT36 has been active for several years. A recently leaked United Nations report said the North Korean regime has stolen more than $2 billion through dozens of cyberattacks to fund its various weapons programs. APT36 has amassed more than $100 million in stolen funds since its inception.