U.S. Cyber Command, the sister division of the National Security Agency focused on offensive hacking and security operations, has released a set of new samples of malware linked to North Korean hackers.
The military unit tweeted Wednesday that it had uploaded the malware to VirusTotal, a widely used database for malware and security research.
It’s not the first time the unit has uploaded malware to the server — it has its own Twitter account to tell followers which malware it uploads. On one hand the disclosure helps security teams fight threats from nation states, but it also gives a rare glimpse inside the nation state-backed hacking groups on which Cyber Command is focused.
The uploaded malware sample is named Electric Fish by the U.S. government. Electric Fish is a tunneling tool designed to exfiltrate data from one system to another over the internet once a backdoor has been placed.
Electric Fish is linked to the APT38 hacking group.
FireEye says APT38 has distinctly different motivations from other North Korean-backed hacking groups like Lazarus, which was blamed for the Sony hack in 2016 and the WannaCry ransomware attack in 2017. APT38 is focused on financial crimes, such as stealing millions of dollars from banks across the world, the cybersecurity firm said.
Electric Fish was first discovered in May, according to Homeland Security’s cybersecurity division CISA, but APT38 has been active for several years.
A recently leaked United Nations report said the North Korean regime has stolen more than $2 billion through dozens of cyberattacks to fund its various weapons programs.
APT38 has amassed more than $100 million in stolen funds since its inception.
An earlier version of this article misidentified the North Korean threat group as APT36. The group is APT38.