DHS and FBI issue alert about North Korean ‘Hidden Cobra’ hackers

Watch out for attacks by Hidden Cobra, aka North Korean government hackers, the DHS and the FBI warned in a joint technical alert. The US government didn’t tiptoe around the issue, instead pointing the finger of blame at North Korea for a series of cyberattacks dating back to 2009.

Who the heck is Hidden Cobra? You probably already know about these cyber actors who are usually referred to as the Lazarus Group. Back in 2014 when the hackers targeted Sony Pictures Entertainment, the group was publicly referring to itself as Guardians of the Peace.

In the alert published by US-CERT yesterday, Homeland Security and the FBI released technical details about the tools which “cyber actors of the North Korean government” have used “to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally.”

The Hidden Cobra group has been busy targeting victims for the last eight years. Malicious tools in their arsenal include DDoS botnets, keyloggers, RATs (remote access tools) and wiper malware.

The group tends to target machines running old, unsupported versions of Microsoft Windows. It has also exploited Adobe Flash Player vulnerabilities and Microsoft Silverlight to get a toehold in environments. Organizations are advised to update to the newest version and patch level; if Flash and Silverlight are no longer needed, then kick them to the curb and get those apps off of systems.

In the alert, the US government released indicators of compromise (IOC) associated with the malware DeltaCharlie that North Korean government hackers use to manage its DDoS (distributed denial-of-service) botnet infrastructure. DHS and FBI expect Hidden Cobra to “continue to use cyber operations to advance their government’s military and strategic objectives.”

DeltaCharlie is a DDoS tool capable of launching Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks, and Character Generation Protocol attacks. The malware operates on victims’ systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks.

The FBI has “high confidence” that the 633 IP addresses listed in the IOC are being used by Hidden Cobra for network exploitation. DHS and FBI want network administrators to add those source and destination IPs to their watchlists to determine if there has been malicious activity within their organizations. The alert also includes YARA rules and network signatures created via a “comprehensive vetting process.”

The joint alert explained:

DHS and FBI recommend that network administrators review the IP addresses, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization.

When reviewing network perimeter logs for the IP addresses, organizations may find numerous instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find that some traffic corresponds to malicious activity and some to legitimate activity. System owners are also advised to run the YARA tool on any system they suspect to have been targeted by HIDDEN COBRA actors. Additionally, the appendices of this report provide network signatures to aid in the detection and mitigation of HIDDEN COBRA activity.

If you detect any of the North Korean hacking tools described in the alert, then you are to report it to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).

Primarily, the joint report raises awareness about the North Korean group’s cyberweapons and capabilities so defenders can detect and disrupt attacks. An unnamed DHS official told Reuters, “The US government seeks to arm network defenders with the tools they need to identify, detect and disrupt North Korean government malicious cyber activity that is targeting our country’s and our allies’ networks.”