$12M to Universities to Prevent Cyberattacks Targeting Energy and APT37 Malware Goldbackdoor

April 21-27, 2022 | Issue 5 - Counterintelligence/Cyber (CICYBER)

Keanna Grelicha, Emma Hoskins, Marina Tovar, CICYBER Team

Hannah Norton, Editor; Jennifer Loy

Cyber Security Hacker Security[1]

Date: April 22, 2022

Location: Washington DC, USA

Parties involved: US Department of Energy (DOE); US DOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER); Florida International University (FIU); Iowa State University (I-State); New York University (NYU); Texas A&M Engineering Experiment Station (TEES); University of Illinois at Chicago (UIC); Virginia Polytechnic Institute and State University (VT); US Cybersecurity and Infrastructure Security Agency (CISA); US Federal Bureau of Investigation (FBI); US National Security Agency (NSA); US Department of Justice (DOJ)

The event: The DOE's CESER announced it will fund $12 million for six university teams to develop defensive tools to protect against and mitigate cyberattacks targeting energy systems. The teams include groups from FIU, I-State, NYU, TEES, UIC, and VT. The defensive tools will be developed through research, development, and demonstration (RD&D) cybersecurity projects focused on US power grid security, with the aim of detecting, blocking, and mitigating cyberattacks. Each university has a different concentration, spanning artificial intelligence (AI), machine learning, and cyber-defense capabilities, so that the teams produce different approaches to cybersecurity for the DOE and the US power grid. The government funding for the RD&D projects also requires the teams to develop technology that improves the recovery of energy delivery systems from cyberattacks. This funding announcement follows CISA, FBI, NSA, and DOE warnings about increased use of malware by state-sponsored and Russian-backed hacking groups to access Critical Information Infrastructure (CII) during the ongoing Russia-Ukraine conflict.[2]

Analysis & Implications:

  • Russian-backed cyberattacks very likely indicate an increased threat to US CII if the attackers possess the capabilities to access systems and shut down operations within infrastructure like the US power grid. The heightened threat perceptions of US agencies like CISA, NSA, and the FBI very likely led the DOE to establish these research projects and enlist outside collaborators to improve US energy sector CII security. The partnership will very likely increase detection and mitigation efforts to secure DOE systems, given its extensive focus on defensive measures built on AI and machine learning. AI and machine learning will very likely lead to faster system recovery from malicious attempts, almost certainly decreasing the impact of a cyberattack.

  • The DOE’s university programs very likely exemplify the need for collaborative research projects between the government and third parties to decrease the vulnerabilities within US CII systems. These collaborations will likely increase mitigation efforts, like establishing risk retention plans, to secure US CII, as the private sector will likely provide the US government with modern technological measures like AI and system firewall defense. The universities will almost certainly increase DOE systems’ security with the AI detection and damage response plans, very likely leading other US government departments like the DOJ to fund similar programs to enhance overall US cybersecurity.

Date: April 25, 2022

Location: North Korea

Parties involved: North Korea; North Korean government; North Korean citizens; journalists specializing in North Korea; APT37

The event: APT37, a North Korean state-sponsored cyber group, has targeted journalists specializing in North Korea with phishing attacks containing a new malware named “Goldbackdoor”[3] to identify the journalists’ sources. APT37 previously targeted journalists with phishing emails titled “Kang Min-chol Edits” that, when opened, released the Goldbackdoor malware.[4]

Analysis & Implications:

  • The North Korean government will very likely use detailed information on targeted journalists’ sources to prosecute North Korean citizens who speak with journalists and share information with them. This will very likely reduce the number of citizens willing to speak with journalists. Fewer sources will very likely limit the information available to journalists, very likely reducing the volume of published articles on North Korean affairs. This will very likely impair North Korean citizens’ ability to compare information against that of North Korean government-approved news channels.

  • APT37 will very likely continue to conduct phishing attacks targeting journalists, likely using information extracted from the recent attacks. APT37 will very likely use data like names and email addresses to impersonate the targeted journalists and appear as a legitimate source when distributing phishing emails. Fake emails that appear legitimate will likely result in journalists downloading the Goldbackdoor malware from the malicious files in the phishing emails, likely allowing APT37 to gather more sensitive data. Antivirus software and firewalls are unlikely to detect Goldbackdoor due to its ability to camouflage itself and bypass antivirus detection systems, very likely making it very effective in carrying out attacks.

The Counterterrorism Group (CTG)

[1] “Cyber Security Hacker Security” by Tumisu, licensed under the Pixabay License

[2] US govt grants academics $12M to develop cyberattack defense tools, Bleeping Computer, April 2022

[3] “Goldbackdoor malware allows hackers to export sensitive data and uninstall from the victims’ device due to its remote commands”, North Korean hackers targeting journalists with novel malware, Bleeping Computer, April 2022

[4] North Korean hackers targeting journalists with novel malware, Bleeping Computer, April 2022