The FBI and Department of Homeland Security (DHS) issued a notice warning that the North Korean government is using malware to target and launch large-scale cyberattacks on the media, aerospace, financial and critical infrastructure sectors in the US and globally.
The malware identified in the North Korean hacking is called DeltaCharlie, which DHS’s Computer Emergency Readiness Team stated is employed to manage “North Korea’s distributed denial-of-service (DDoS) botnet infrastructure.”
The government refers to the North Korean government's malicious cyber activity as "Hidden Cobra."
DHS and the FBI strongly recommend that users and administrators who detect a Hidden Cobra cyber presence, whether malware, network signatures or other indicators, flag it and report it to DHS and the FBI. The two agencies have dedicated units for handling cyberattacks: the DHS National Cybersecurity and Communications Integration Center and the FBI Cyber Watch program. The notice also suggests that organizations enforce their security incident response and business continuity plans.
The notice described the history of North Korean hacking efforts.
“Since 2009, Hidden Cobra actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature,” the notice stated. “Tools and capabilities used by Hidden Cobra actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants and tools used by Hidden Cobra actors include Destover, Wild Positron/Duuzer, and Hangman.”
While the notice makes suggestions for how organizations can avoid and respond to hacking incidents, it also stresses the need for further research to pinpoint the full extent of the cyber actors’ impact.
“Further research is needed to understand the full breadth of this group’s cyber capabilities,” the notice indicated. “In particular, DHS recommends that more research should be conducted on the North Korean cyber activity that has been reported by cybersecurity and threat research firms.”
The notice indicates that Hidden Cobra actors typically target systems that run older, unsupported versions of Microsoft operating systems. The actors have allegedly also used Adobe Flash Player vulnerabilities to “gain initial entry into users’ environments.” To avoid compromise by Hidden Cobra, DHS and the FBI recommend that organizations upgrade the affected software to the latest versions.
Further mitigation strategies that the notice outlines include patching applications and operating systems; using application whitelisting to allow only “specified programs to run while blocking all others, including malicious software;” restricting administrative privileges; segmenting networks and segregating them into security zones; validating input to prevent untrusted input from users of web applications; using “stringent file reputation settings;” and understanding firewalls. According to the notice, these prevention methods can “prevent as many as 85 percent of targeted cyber intrusions.”
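The input-validation item in that list is the one a web developer can act on directly, so here is an added example of what it looks like in practice. This code is not from the DHS/FBI notice or any Hidden Cobra tooling; the field names, allowed patterns and sample submissions are constructed for illustration. It shows the allowlist approach (define exactly what is acceptable and reject everything else) rather than a denylist of known-bad strings, and it handles two common pitfalls: unexpected extra fields, and the `$` anchor in Python regexes matching before a trailing newline.

```python
import re
from dataclasses import dataclass

# Constructed allowlist rules for a hypothetical web form. Each pattern
# describes the *only* shape a field may take; anything else is rejected.
# The patterns are used with fullmatch(), so they need no ^/$ anchors.
# (Using "$" would still accept "alice\n", because "$" matches before a
# trailing newline; fullmatch() does not have that problem.)
FIELD_RULES = {
    "username": re.compile(r"[a-z][a-z0-9_]{2,31}"),
    "invoice_id": re.compile(r"[A-Z]{3}-[0-9]{6}"),
    "amount_cents": re.compile(r"[0-9]{1,9}"),
}

# Hard cap applied before any pattern matching, so a very large value is
# rejected cheaply instead of being handed to the regex engine.
MAX_FIELD_LEN = 256


@dataclass(frozen=True)
class ValidationResult:
    ok: bool
    errors: tuple  # (field_name, reason) pairs, empty when ok


def validate_form(form: dict) -> ValidationResult:
    """Validate an untrusted form submission against FIELD_RULES.

    Returns every problem found rather than stopping at the first one, so
    the caller can log the full picture of what a client tried to send.
    """
    errors = []

    # Fields the handler does not expect are an error, not something to
    # silently pass through to the application.
    for name in form:
        if name not in FIELD_RULES:
            errors.append((name, "unexpected field"))

    for name, rule in FIELD_RULES.items():
        value = form.get(name)
        if value is None:
            errors.append((name, "missing"))
            continue
        if not isinstance(value, str):
            errors.append((name, "not a string"))
            continue
        if len(value) > MAX_FIELD_LEN:
            errors.append((name, "too long"))
            continue
        if rule.fullmatch(value) is None:
            errors.append((name, "does not match allowed pattern"))

    return ValidationResult(ok=not errors, errors=tuple(errors))


if __name__ == "__main__":
    # Constructed submissions: one well-formed, one with an injected
    # newline and an extra field, one with missing and malformed values.
    good = {"username": "alice_01", "invoice_id": "INV-000123", "amount_cents": "4999"}
    bad = {"username": "alice_01\n", "invoice_id": "INV-000123",
           "amount_cents": "4999", "role": "admin"}
    partial = {"username": "alice_01", "invoice_id": "inv-000123"}
    for label, form in (("good", good), ("bad", bad), ("partial", partial)):
        print(label, validate_form(form))
```

The design choice worth noting is that rejection is the default: a field is accepted only when it is present, is a string, is under the length cap, and matches its pattern in full. Validation failures are returned as data so the application can both reject the request and write the reasons to its logs, which is where an unexpected field such as `role` becomes a useful detection signal rather than a silently ignored key.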
The notice warns that a network intrusion can have severe impacts. These include temporary or permanent loss of digital information, disruption to operations, financial losses incurred in restoring systems and files, and potential reputational harm.