US indicts North Korea for host of cyberattacks, expects more to come

A North Korean entity called Hidden Cobra was behind a series of cyberattacks in the US using sophisticated tools and targeting a diverse group of entities.

Video: North Korean hacking group has been hitting the US since 2009

A North Korean government hacking group known as Hidden Cobra is behind a slew of cyber attacks in the US dating back to 2009, according to a joint report from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released Tuesday. And more attacks are likely to happen in the future, the report said.

In the Technical Alert (TA17-164A) report, the authors noted that Hidden Cobra used cyber tools to target critical US infrastructure and the media, aerospace, and financial industries. The group also targeted entities globally, the report said.

A piece of malware known as DeltaCharlie was cited in the report as the tool used by North Korea to manage its DDoS botnet infrastructure. According to the report, the DHS and FBI were able to identify IP addresses used with DeltaCharlie.

SEE: Computer Hacker Professional Certification Package (TechRepublic Academy)

The report said that DeltaCharlie can launch NTP and DNS attacks, as well as character generation protocol attacks. "The malware operates on victims' systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks," the report said.

In addition to DeltaCharlie, Hidden Cobra is known to have used other botnets, keyloggers, remote access tools (RATs), and wiper malware. The report also mentioned that Hidden Cobra could be the same actors that are often cited as the Lazarus Group or Guardians of Peace. The Lazarus Group is commonly blamed for the Sony Pictures hack and the WannaCry ransomware.

Typically, Hidden Cobra goes after older versions of Windows that aren't supported, but the group has been known to target vulnerabilities in the Adobe Flash player as well. Here are some known vulnerabilities, mentioned in the report, that have been exploited by Hidden Cobra:

  • CVE-2015-6585: Hangul Word Processor Vulnerability
  • CVE-2015-8651: Adobe Flash Player and 19.x Vulnerability
  • CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
  • CVE-2016-1019: Adobe Flash Player Vulnerability
  • CVE-2016-4117: Adobe Flash Player Vulnerability

Microsoft and Adobe Flash systems should be patched or updated to help protect against potential threats. However, there are many more steps that can be taken to further protect an enterprise network against an attack from Hidden Cobra.

In the full report, the DHS and FBI give more detailed descriptions of the malware at play, along with network signatures and indicators of compromise (IOCs). The report also details additional mitigation strategies, logging practices, and methods for detection and response.

"If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation," the report said.

The 3 big takeaways for TechRepublic readers

  1. A new report from the FBI and DHS claims that a North Korean government hacking group known as Hidden Cobra has been behind many US cyber attacks since 2009.
  2. A piece of malware known as DeltaCharlie was used heavily by Hidden Cobra, along with other tools like keyloggers, remote access tools (RATs), and wiper malware.
  3. Older, unsupported versions of Windows and the Adobe Flash player are the primary targets of Hidden Cobra.

Also see

Image: iStockphoto/creisinger