WASHINGTON — The U.S. government Wednesday publicly disclosed an ongoing operation it is attributing to North Korean hackers who are targeting ATM machines around the world as part of a larger money-gathering scheme.

The alert was published jointly by the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security, the Treasury Department, the FBI and U.S. Cyber Command. The disclosure provides members of the private sector and public with new information about this cyber-enabled bank robbery scheme the hackers use to raise funds around the world as a means of skirting international sanctions.

Along with in-depth technical analysis, detection and mitigation measures to counter the operations, and an overview of the North Korean entity alleged to be responsible, malware samples from the operation were publicly uploaded to VirusTotal for further analysis by anti-virus companies and other interested parties.

“Organizations, specifically those in the financial services sector, should give this activity the highest priority for assessing their networks and implementing appropriate mitigation. If any aspect of this North Korean theft scheme is detected, it should be immediately reported to law enforcement, CISA or Treasury. Also, anyone with additional information about this malicious activity is encouraged to report it,” a U.S. government release said. “Collectively, the U.S. Government works every day to identify malicious activity, provide actionable mitigations and help organizations and sectors of our economy strengthen their cybersecurity against sophisticated, well-resourced adversaries.”

Defending the nation

In these disclosure efforts, Cyber Command has found a niche to contribute to defending the nation in cyberspace, a component of its mission that had been difficult for it and the Pentagon to define in years’ prior.

For years, officials described how the Department of Defense and the command struggled to find their identity in the vein of protecting U.S. assets from cyber incidents.

While the Pentagon would naturally work to protect a missile strike on a U.S. entity, given the pervasiveness of cyber activities throughout society and given that most networks are not owned by the government, the DoD’s role in protecting the nation from foreign cyberthreats was less clear.

From Iranian operations against U.S. banks to the destruction of computers at Sony Pictures by North Korean hackers to the Chinese theft of intellectual property, the defense sector often struggled to find a lane in which to aide these companies, which were often up against the best of the best in cyberspace.

Now, with the help of more streamlined authorities Congress and the White House, Cyber Command has crafted a new approach using its unique authorities to operate against adversaries outside U.S. networks to help thwart potential attacks before they reach U.S. networks.

“When Cyber Command was established in 2010, the operative assumption was that its focus should be on trying to prevent the military’s networks from being infiltrated or disabled. But a reactive and defensive posture proved inadequate to manage evolving threats,” Gen. Paul Nakasone, head of the National Security Agency and Cyber Command, and Michael Sulmeyer, senior adviser to the commander, wrote in an Aug. 25 article in Foreign Affairs.

Cyber Command achieves “defend forward” through an approach it calls “persistent engagement.” As part of this persistence, officials have said that success might not necessarily be solely acting, but rather enabling critical partners, such as tipping off the FBI or DHS about a cyberthreat or publicly disclosing malware discovered through operations.

“Much of Cyber Command’s combat power had been devoted toward preparations in the event of future contingencies. We realized that Cyber Command needs to do more than prepare for a crisis in the future; it must compete with adversaries today,” Nakasone and Sulmeyer wrote.

“This doctrine of persistent engagement reflects the fact that one-off cyber operations are unlikely to defeat adversaries. Instead, U.S. forces must compete with adversaries on a recurring basis, making it far more difficult for them to advance their goals over time. For example, publicly releasing adversary malware obtained during hunt forward missions to the cybersecurity community makes that malware less effective because defenses can be tuned to detect and defeat it. Additionally, cyber effects operations allow Cyber Command to disrupt and degrade the capabilities our adversaries use to conduct attacks.”

Though the “defend forward” approach might appear offensive, it should be viewed as inherently defensive, noted Erica Borghard, assistant professor at the Army Cyber Institute and the lead for Task Force 1 on the Cyberspace Solarium Commission, a bipartisan organization created in 2019 to develop a multipronged U.S. cyber strategy.

“The [Cyberspace Solarium] Commission’s March 2020 report articulates how actions by U.S. military cyber forces that could be defined as offensive at the operational level — gaining access to and maneuvering within and across non-U.S. cyberspace — nevertheless are meant to serve defensive strategic objectives — enhancing the defense and resilience of the United States in cyberspace,” Borghard wrote in April.

She added that disclosing information on malware can serve defensive objectives by enabling network defenders to patch against ongoing tools used by adversaries, adding the commission recommended accelerating the pace of these malware inoculation efforts to provide the private sector more opportunities to protect their systems.

The point organization for much of this homeland defense in cyberspace is the Cyber National Mission Force.

“We know that North Korea uses cyber-enabled tactics and techniques to steal currency, which it would otherwise be denied under international sanctions. The Cyber National Mission Force is laser-focused on the away game — we understand what our adversaries are doing, and we share this information with our partners to take action against them,” Brig. Gen. William Hartman, who commands Cyber National Mission Force, said regarding Wednesday’s release.

The Cyber National Mission Force is one of Cyber Command’s elite units aligned against specific threat actors, and it’s charged with defending the nation in cyberspace.

An official told C4ISRNET that no other cyber teams outside of the Cyber National Mission Force – teams that conduct operations on behalf of the geographic combatant commands – contributed to this reporting.

Hartman described his force earlier this month during a virtual panel as part of DEFCON as “the U.S. government that focuses on the away game. We’re looking at foreign adversaries: Russia, China, Iran, any other foreign adversary,” and we’re “looking for them in foreign space.”

Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.

More In Cyber