This story was updated to include comments from Adobe
The US-CERT this week formally identified the North Korean government as being behind a distributed denial of service (DDoS) botnet infrastructure that has been used to target media, financial, aerospace, and critical infrastructure organizations in the US and elsewhere.
In an advisory, the US-CERT provided indicators of compromise, malware descriptions, and network signatures associated with the malicious North Korean cyber operation, dubbed Hidden Cobra by the US government. Included in the alert were IP addresses of systems infected with DeltaCharlie, the malware used to manage the North Korean botnet.
Organizations that detect any of the tools associated with Hidden Cobra on their networks should immediately mitigate the threat and report their discovery to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or to the FBI, US-CERT said.
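The advisory's IP indicators are only useful once they are actually matched against an organization's own traffic records. The script below is an added illustration, not code from the US-CERT alert or from the article: it loads a small indicator list, handles both single hosts and CIDR ranges, and scans firewall-style log lines for any source or destination address that falls inside an indicator. Both the IP addresses (taken from the RFC 5737 documentation ranges) and the log lines are constructed placeholders; a real deployment would substitute the IP list published with the alert and feed in its own logs.

```python
"""Match connection logs against a list of indicator IP addresses.

Added example, not part of the US-CERT alert or the article. The indicator
values and log lines below are CONSTRUCTED placeholders; replace IOC_ENTRIES
with the real list published in the advisory.
"""
import ipaddress
import re
from collections import Counter

# Constructed placeholder indicators (RFC 5737 documentation ranges).
# A real deployment would load the advisory's published IP list instead.
IOC_ENTRIES = [
    "198.51.100.23",      # single host, becomes a /32 network
    "203.0.113.0/28",     # small range, included to show CIDR matching
]

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOGS = [
    'ts=2017-06-14T10:01:02Z src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow',
    'ts=2017-06-14T10:01:07Z src=10.0.0.8 dst=93.184.216.34 dport=80 action=allow',
    'ts=2017-06-14T10:02:15Z src=203.0.113.9 dst=10.0.0.5 dport=22 action=deny',
    'ts=2017-06-14T10:03:44Z src=10.0.0.5 dst=198.51.100.24 dport=443 action=allow',
    'garbage line that does not parse',
]

_KV_RE = re.compile(r'(\w+)=(\S+)')


def load_iocs(entries):
    """Parse indicator strings into ip_network objects; single hosts become /32."""
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            # Skip a malformed entry rather than abort the whole scan.
            continue
    return networks


def parse_log_line(line):
    """Return a dict of key=value fields, or None if src/dst are missing."""
    fields = dict(_KV_RE.findall(line))
    if "src" not in fields or "dst" not in fields:
        return None
    return fields


def ip_in_iocs(ip_str, networks):
    """True if ip_str parses as an address inside any indicator network."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def scan_logs(lines, networks):
    """Return a list of (line, direction, matched_ip) for every indicator hit."""
    hits = []
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        for direction in ("src", "dst"):
            ip = fields[direction]
            if ip_in_iocs(ip, networks):
                hits.append((line, direction, ip))
    return hits


def summarize(hits):
    """Count hits per matched address, a useful table for the incident report."""
    return Counter(ip for _, _, ip in hits)


if __name__ == "__main__":
    iocs = load_iocs(IOC_ENTRIES)
    found = scan_logs(SAMPLE_LOGS, iocs)
    for line, direction, ip in found:
        print(f"indicator hit ({direction}={ip}): {line}")
    print(summarize(found))
```

Note that the single-host entry matches only 198.51.100.23, not the neighbouring 198.51.100.24, while the /28 entry catches any address in 203.0.113.0 through 203.0.113.15; matching on both source and destination catches inbound connections from a listed host as well as outbound beaconing to one.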
"DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network," US-CERT said. "FBI has high confidence that HIDDEN COBRA actors are using the IP addresses for further network exploitation," it noted.
The alert definitively ties the North Korean government to attacks that had previously been attributed more generally to threat actors based in the country. Even so, much of the information in the US-CERT alert was already known, so the timing of the release was not entirely clear.
As US-CERT itself noted, security researchers have previously linked the malicious activity referenced in the report to the Lazarus Group and Guardians of Peace. Earlier this year, for instance, Symantec fingered Lazarus Group as the likely actor behind a string of attacks on banks in 31 different countries.
Similarly, Guardians of Peace, which is another name that security vendors have used in connection with the North Korean activity, was associated with the devastating cyberattack on Sony back in 2015. And DeltaCharlie, the botnet malware in the report, was thoroughly chronicled in a Novetta report last year.
"Since the vulnerabilities cited in the alert are over a year old, we can only assume US-CERT has seen a rise in systems infected by the DeltaCharlie malware," says Tim Matthews, vice president of marketing at Imperva. "It is also possible that in the wake of last month’s WannaCry ransomware outbreak – also attributed to Lazarus Group – US-CERT was spurred to proactively warn users about the need to patch older applications that could be vulnerable," he says. Ensuring there are fewer vulnerable systems would limit the growth of the Hidden Cobra botnet infrastructure, Matthews says.
Security researchers from multiple vendors, including Google, Kaspersky Lab, and Symantec, found a possible connection between WannaCry and the Lazarus Group: common code elements.
The actors behind Hidden Cobra have a tendency to go after systems running older and unsupported versions of Microsoft Windows, which have multiple vulnerabilities in them, US-CERT said. Vulnerabilities in Adobe Flash Player are also a favorite of the threat actors.
An Adobe spokesman said that patches have been available for more than a year for the vulnerabilities listed in the DHS alert. "Users are strongly encouraged to apply all available security updates to Adobe Flash Player to ensure they are receiving the latest features and security protections. The latest version with most up-to-date patches can be accessed at https://get.adobe.com/flashplayer/," the company said.
In addition to DeltaCharlie, other tools used by Hidden Cobra actors include keyloggers, wiper malware, and remote access tools. Examples include Destover, the wiper malware used in the Sony attacks; Wild Positron, a backdoor Trojan; and Hangman, US-CERT said this week.
In a statement responding to the US-CERT release, security vendor Kaspersky Lab said that it could confirm all the code referenced in the report has been associated with the Lazarus Group. Some of the code has been publicly known and discussed since 2014, while some of the more recent samples were compiled in 2016, Kaspersky Lab said. The malware tools mentioned in the advisory have been observed in use in 26 countries including the USA, France, Brazil and Russia, the security vendor added.
Regardless of the timing, the alert is a reminder for organizations to be paying attention to the threat posed by Hidden Cobra aka Lazarus aka Guardians of Peace. "IT workers in the media, aerospace, financial services, and critical infrastructure sectors should heed the US-CERT warning, as they are apparently the top targets of Hidden Cobra," Matthews says. "Organizations should always patch and update software to prevent any type of malware infestation. In the case of DeltaCharlie, not patching could perversely grow a botnet that could then be used against their own company."