The US military has started publicly dumping Russian government malware

  • The US Cyber Command has begun publicly dumping unclassified malware samples developed and deployed by America’s adversaries.
  • The move is aimed at boosting information sharing within the infosec community.

The US Cyber Command (CYBERCOM), the part of the US military charged with cybersecurity-focused missions, has reportedly begun publicly releasing unclassified malware samples developed and deployed by America’s adversaries, including malware variants attributed to the Russian government.

The move is reportedly aimed at boosting information sharing within the infosec community. “This is intended to be an enduring and ongoing information sharing effort, and it is not focused on any particular adversary,” Joseph R. Holstead, acting director of public affairs at CYBERCOM told Motherboard.

CYBERCOM began uploading malware samples to VirusTotal on November 9; these samples can now be downloaded and analyzed by other VirusTotal users. Motherboard reported that one of the two malware samples uploaded by CYBERCOM to VirusTotal belongs to the Russian government-backed hacker group APT28, aka Fancy Bear.

APT28 is believed to have been responsible for orchestrating the cyberattacks against the Democratic National Committee (DNC) during the 2016 US presidential election. The hacker group is also believed to have conducted multiple cyberespionage campaigns against various governments.

According to Kurt Baumgartner, a security researcher at Kaspersky Lab, the malware sample was detected by Kaspersky in late 2017, and was used in attacks against targets located in Central Asia and Southeastern Europe, Motherboard reported.

“When reporting on it, Kaspersky Lab researchers noted it seemed interesting that these organizations shared overlap as previous Turla [another Russian hacking group] targets. Overall, it is not ‘new’ but rather newly available to the VirusTotal public,” Baumgartner told Motherboard.

Motherboard reported that Symantec observed that the malware’s C2 servers are no longer operational, indicating that APT28 has abandoned the malware. However, CYBERCOM’s move to publicly release adversaries’ malware could also act as a warning shot to cyberespionage groups and governments intending to engage in cyberwarfare against the US. It remains to be seen whether the move will work effectively as a deterrent to emerging and potential threats.