Documents Reveal Why U.S. Military Publishes Malware Used by North Korean and Russian Hackers

CYBERCOM has created a Twitter account with thousands of followers to publicize malware samples it shares with cybersecurity companies. Internal documents explain that it’s part of a defensive (and offensive) strategy.

• By Haley Samsel
• Feb 27, 2020

Ever wonder why the U.S. military has decided to consistently publish the malware and hacking methods used by countries like North Korea and Russia? Documents obtained by VICE News describes the strategy behind Cyber Command’s decision to publish samples of malware.

The government started publishing samples of malware on VirusTotal, a semi-public website for researchers and cybersecurity experts, in 2018. The site allows researchers to closely examine how the malware works and how companies and institutions might combat it.

In addition, CYBERCOM also created a Twitter account, which has earned 11,500 followers, that they use to publicize and share news of the malware samples uploaded to VirusTotal. Most of the published malware samples rare related to Russian or North Korean-linked operations.

Now, there is more insight into why CYBERCOM made the choice to start publicly sharing the knowledge it has collected on countries it considers dangerous to national security. One document states that CYBERCOM hopes publication of the hacking tools will “bring attention and awareness” by “putting pressure on malicious cyber actors, disrupting their efforts.”

Cybersecurity experts say that the documents obtained by VICE show that the release of these malware samples show that CYBERCOM is going beyond a defensive public relations campaign.

“Cyber Command deploys VirusTotal uploads for both offensive and defensive purposes at the same time—to ‘impose costs on nation state malicious cyber actors’ and to ‘enhance our shared global cybersecurity,’” Thomas Rid, a professor of strategic studies at Johns Hopkins University, told VICE.

Once CYBERCOM decides to release the malware sample, cybersecurity companies have the ability to analyze it and update their own products to detect that specific malware strain. In addition, the military wants to “impose costs” on hacking operations by “highlighting malware to the cybersecurity community for rapid integration into antivirus software.”

Rid added that this policy means that the military is hoping for the cybersecurity community to rapidly attribute the malware to a specific actor or country. That would mean that “follow-on attribution by commercial cybersecurity companies and independent researchers is part of ‘imposing costs’ on adversary states,” Rid said.

The agency did not elaborate on its strategy, but noted that its public disclosures would continue.

"We plan to continue to publicly disclose malware samples, which we believe will have the greatest impact on improving global security,” a CYBERCOM spokesperson said in a statement to VICE.