(b)(1) Sec. 1.4(a, g)
SECRET//REL TO USA, FVEY

EXECUTIVE SUMMARY
CNMF VirusTotal Information Sharing and Communications

(S//REL TO USA, FVEY) Bottom Line Up Front: Cyber National Mission Force identified multiple unique or novel malware [redacted] to impose cost on our adversaries, as well as [redacted] samples and previously unseen malware variants. [redacted] As part of an enduring plan to share information, some of the malware was posted at VirusTotal (VT). Again, sharing such information will continue as part of the command's overall Persistent Engagement Strategy. Posting malware to VT and tweeting to bring attention and awareness supports this strategy by putting pressure on malicious cyber actors, disrupting their efforts while supporting the National Defense and Department of Defense Cyber strategies to strengthen partnerships. [redacted]

(U//FOUO) Background. On 5 November, the Cyber National Mission Force began sharing malware it finds in the course of its missions to VT, a Google-owned website that allows individuals or organizations to upload samples of malware to check against dozens of anti-virus vendors. These vendors can ingest the malware sample and use it to provide updates in their own widely used software suites, both free and paid. The intent is to ultimately make the internet safer for the global community, as CNMF has exquisite information and knowledge from its persistent engagement with malicious cyber actors.

(U) Public Affairs Support. To enable public awareness of the effort without attributing actors or sharing any SIGINT or TTPs, USCYBERCOM PAO posted a short description of the effort to the USCYBERCOM public website and established a Twitter account (@CNMF_VirusAlert) to act as an alerting mechanism. The Twitter account will be used for the foreseeable future to highlight when new malware has been uploaded. Otherwise, the public stance at this time is passive, response to query only.
(U) Narrative:
• (U) The DOD recognizes the value of collaboration with our private and public sector partners and continues to seek new ways to share information.
• (U) Making this malware available to the cybersecurity community is part of a larger effort to enhance our shared global cybersecurity.
• (U) This is a critical piece of our cyberspace strategy that requires persistent engagement of the adversary in order to deter future malicious actors and disrupt existing efforts through broader awareness and greater security measures.

(U) Date of Material: 07 NOV 2018
Originator: [redacted], USCYBERCOM PAO, [redacted] 969-2946
CAO CNMF [redacted]
(b)(3) 10 U.S.C. § 130b

INFORMATION PAPER
CNMF VirusTotal Public Disclosure

(U) Purpose: Provide background and path forward for exposing adversary capability via VirusTotal.

(U//FOUO) Background: The Cyber National Mission Force (CNMF) has uploaded multiple samples of nation state Malicious Cyber Actor (MCA) malware to the public research crowdsourcing website, VirusTotal. VirusTotal is used because of its credibility and influence within the cybersecurity research community, as well as the wide dissemination it provides. This reach enables valuable public engagement and crowdsourcing that results in rapid attribution of malware, increases resilience of vulnerable networks and systems, and imposes costs on nation state malicious cyber actors.

(S//REL FVEY) Operational Summary: CNMF obtained malware samples through [redacted]. In close coordination with [redacted], all samples are internally assessed as viable candidates for public release and [redacted]. Malware is then uploaded to VirusTotal with synchronized tweets pushed from USCYBERCOM's PAO office.
[redacted]

(U//FOUO) VirusTotal uploads enable anti-virus companies (e.g., McAfee) to develop associated signatures to update their engines and products. Additionally, VirusTotal provides public researchers a forum for collaboration that enables the identification of previously unknown variants and activity, as well as rapid attribution to MCAs.

(S//REL FVEY) Desired Effects: The objectives of VirusTotal uploads are to impose cost on adversary nation state MCAs and increase the resiliency of vulnerable networks. [redacted]

(S//REL FVEY) Results to Date: Effects include [redacted]. [redacted] have been uploaded, [redacted] and a growing following of USCYBERCOM online within the cybersecurity industry.

(S//REL FVEY) Way Forward: CNMF is [redacted]. [redacted] public disclosures of malware further enhance the effectiveness and impose even greater costs on MCAs. [redacted] will [redacted].

PUBLIC DISCLOSURE PROCESS

1. (U//FOUO) Malware samples are analyzed by CNMF TF malware analysts [redacted] for uniqueness and suitability for release.
2. (S//REL) Samples are vetted for nomination by the respective CNMF Task Force using the following criteria:
   a. Malware is [redacted]
   b. Variant is [redacted]
   c. (S//REL) CNMF [redacted] to determine [redacted]
3. (U) If declassification is necessary, it is requested under established processes.
4. (U) Samples are nominated to CNMF for quality control and oversight. Nominating TF must have malware physically in their possession prior to nomination.
5. [redacted] metadata is submitted to USCYBERCOM JOC for [redacted]. The request contains:
   a. (U) Commercial names for actor and malware
   b. (U) Malware sample file name and hashes: MD5, SHA1, and SHA256
   c. [redacted]
   d. Link to [redacted] if applicable
   e. [redacted] of suspense [redacted] and intended release
6. (S//REL) The following actions are executed
prior to release:
   a. (U//FOUO) [redacted] Samples are provided to [redacted]
   b. (U) Notification to USCYBERCOM PAO
   c. Notification to USCYBERCOM [redacted]
7. (S//REL) Nominating TF will submit necessary requests to [redacted]
8. [redacted]
9. (U//FOUO) Upon upload, TF operators will notify CNMF [redacted]. CNMF [redacted] will call USCYBERCOM PAO to request public notification (tweets, press release, etc.)
10. (U//FOUO) CNMF will call CNMF [redacted] to initiate notification to make signatures public.
11. [redacted] public notification to amplify public awareness.
12. [redacted]

Release of Malware to VirusTotal (VT)

Operation Summary: CNMF released [redacted]
• Uploaded by the USCYBERCOM VT account
• A USCYBERCOM Twitter account was created to notify the community and to point to the VT page

Desired Effects:
• Impose cost by highlighting malware to the cybersecurity community for rapid integration into antivirus software, increasing attrition to continued [redacted]
• Public researchers will attribute malware

[Twitter screenshot: USCYBERCOM Malware Alert account tweets]

Results to Date:
• 10.2K Twitter Followers, more than USCC has had over 8 years

(S//REL) Way Ahead:
• Upload malware related to [redacted]
• Increase scope of cooperation [redacted]
• Better communicate and cooperate with cybersecurity community

[Twitter screenshot residue; no further recoverable text]
Public Disclosure

Operational Summary: Cyber National Mission Force (CNMF) releases malware obtained through [redacted]
• Malware uploaded to the public VirusTotal malware analysis service through USCYBERCOM account
• Community notification on CNMF Twitter account

Desired Effects:
• Impose cost on malicious cyber actors by providing [redacted] malware to the community for rapid integration into antivirus software, increasing attrition of actor's access
• Public researchers have been attributing malware [redacted]

[Twitter screenshot: USCYBERCOM Malware Alert account tweets]

Results to Date:
• [redacted]
• 11.5K Twitter Followers

Way Ahead:
• Upload malware related to [redacted]
• Increase scope of cooperation
• Partner with InfoSec/cybersecurity community

Public Disclosure

Operational Summary: CNMF released [redacted]
• Made available through the USCYBERCOM VirusTotal (VT) account
• Community notification on CNMF Twitter account

[Twitter screenshot: USCYBERCOM Malware Alert account tweets]