Usually it’s the Russians that dump its enemies’ files. This week, US Cyber Command (CYBERCOM), a part of the military tasked with hacking and cybersecurity focused missions, started publicly releasing unclassified samples of adversaries’ malware it has discovered.
CYBERCOM says the move is to improve information sharing among the cybersecurity community, but in some ways it could be seen as a signal to those who mod US systems: we may release your tools to the wider world.
“This is intended to be an enduring and ongoing information sharing effort, and it is not focused on any particular adversary,” Joseph R. Holstead, acting director of public affairs at CYBERCOM told Motherboard in an email.
One of the two samples CYBERCOM distributed on Friday is marked as coming from APT28, a Russian government-linked hacking group, by several different cybersecurity firms, according to VirusTotal. Those include Kaspersky Lab, Symantec, and Crowdstrike, among others. APT28 is also known as Sofacy and Fancy Bear.
Adam Meyers, vice president of intelligence at CrowdStrike said that the sample did appear new, but the company’s tools detected it as malicious upon first contact. Kurt Baumgartner, principal security researcher at Kaspersky Lab, told Motherboard in an email that the sample “was known to Kaspersky Lab in late 2018,” and was used in attacks in Central Asia and Southeastern Europe at the time.
“When reporting on it, Kaspersky Lab researchers noted it seemed interesting that these organizations shared overlap as previous Turla [another Russian hacking group] targets. Overall, it is not ‘new’ but rather newly available to the VirusTotal public.”
The malware itself does not appear to still be active. A spokesperson for Symantec told Motherboard in an email that the command and control servers—the computers that tell the malware what commands to run or store stolen data—are no longer operational. The spokesperson added that Symantec detected the sample when the company updated its detection tools a couple of months ago.