The US government has issued a rare alert squarely blaming the North Korean government for a raft of cyber attacks stretching back to 2009 and warning that more were likely.
The joint warning from the US Department of Homeland Security and the Federal Bureau of Investigation said that 'cyber actors of the North Korean government', referred to in the report as 'Hidden Cobra', had targeted the media, aerospace and financial sectors, as well as critical infrastructure, in the United States and globally.
The level of detail about the US government's analysis of suspected North Korean hacking activity coincides with increasing tensions between Washington and Pyongyang because of North Korea's missile tests. The alert warned that North Korea would continue to rely on cyber operations to advance its military and strategic objectives.
North Korea has routinely denied involvement in cyber attacks against other countries.
Hidden Cobra has been previously referred to by private sector experts as Lazarus Group and Guardians of the Peace, which have been linked to attacks such as the 2014 intrusion into Sony Corp's Sony Pictures Entertainment.
Symantec Corp and Kaspersky Lab both said last month that it was 'highly likely' that Lazarus was behind the WannaCry ransomware attack that infected more than 300,000 computers worldwide, disrupting operations at hospitals, banks and schools.
The alert did not identify specific Hidden Cobra victims. It said the group had compromised a range of victims and that some intrusions had resulted in thefts of data while others were disruptive. The group's capabilities include denial of service attacks, which send reams of junk traffic to a server to knock it offline, keystroke logging, remote access tools and several variants of malware, the alert said.
John Hultquist, a cyber intelligence analyst with FireEye, said that his firm was concerned about increasingly aggressive cyber attacks from North Korea.
The hacks include cyber espionage at South Korean finance, energy and transportation firms that appears to be reconnaissance ahead of other attacks that would be disruptive or destructive, he said: "It suggests they are preparing for something fairly significant".
Hidden Cobra commonly targets systems that run older versions of Microsoft Corp operating systems that are no longer patched, the alert said, and also used vulnerabilities in Adobe Systems Flash software to gain access into targeted computers.
The report urged organisations to upgrade to current versions of Adobe Flash and Microsoft Silverlight or, when possible, uninstall those applications altogether. Microsoft said in an emailed statement that it had 'addressed' the Silverlight issue in a January 2016 software update. Adobe said via email that it patched the vulnerabilities in June 2016.
North Korean hacking activity has grown increasingly hostile in recent years, according to Western officials and cyber security experts.
The alert arrived on the same day that North Korea released an American university student who had been held captive by Pyongyang for 17 months.
Otto Warmbier, 22, was on his way back to the United States on Tuesday but in a coma and in urgent need of medical care, according to Bill Richardson, a veteran former diplomat and politician who has played a role in past negotiations with North Korea.
"The US government seeks to arm network defenders with the tools they need to identify, detect and disrupt North Korean government malicious cyber activity that is targeting our country's and our allies’ networks," a DHS official said about the alert. The official was not authorised to speak publicly.
Below are some frequently asked questions put together by Imperva Incapsula.
Q. What is Hidden Cobra?
A. The US Government refers to the malicious cyber activity by the North Korean government as Hidden Cobra.
Activities now identified as Hidden Cobra began in 2009. These activities include exploits by threat actors on victims in the public and private sector, theft of data and disruption of website availability.
Q. What is DeltaCharlie and how does it differ from Hidden Cobra?
A. According to the US-CERT report, DeltaCharlie is the malware used to infect machines, converting them into 'zombie' bots. Infected bots collectively form a botnet that is controlled by the threat actors.
The DeltaCharlie malware was discovered by Novetta in its 2016 Operation Blockbuster Malware Report. There is evidence that the malware may have been present on victims’ networks for a significant period.
Q. What are the capabilities of Hidden Cobra and DeltaCharlie?
A. According to Novetta’s report, threat actors use Hidden Cobra tools and capabilities such as DDoS botnets, keyloggers, Remote Access Tools (RATs), and wiper malware.
Hidden Cobra threat actors use DeltaCharlie as a DDoS tool. DeltaCharlie has been used in several exploits since it was first reported.
Q. How does DeltaCharlie launch DDoS attacks?
A. DeltaCharlie can launch DNS, NTP and Character Generator Protocol (chargen) DDoS attacks by operating on victims' systems as a svchost-based service (svchost.exe is the generic host process for Windows services on Windows NT-based systems). It can download executable files, change its configuration, update its own binaries, terminate its own processes, and activate and terminate denial of service attacks.
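As an added illustration from the defender's side (this is not part of the alert or of Imperva's FAQ), the following Python script aggregates constructed outbound flow records for one export window and flags hosts whose UDP traffic to the DNS, NTP or chargen ports exceeds a packets-per-second threshold, the pattern a bot taking part in these floods would produce. The flow format, addresses, volumes and threshold are assumptions.

```python
from collections import defaultdict

# UDP destination ports matching the three DDoS methods named in the FAQ
DDOS_PORTS = {53: "dns", 123: "ntp", 19: "chargen"}
WINDOW_SECONDS = 60  # assumed: every record covers one 60-second export window

# Constructed sample flows (hypothetical): src,dst,proto,dport,packets
SAMPLE_FLOWS = """\
# src,dst,proto,dport,packets
10.0.0.5,10.0.0.2,udp,53,40
10.0.0.5,203.0.113.80,tcp,443,900
10.0.0.23,203.0.113.10,udp,53,90000
10.0.0.23,203.0.113.11,udp,53,60000
10.0.0.23,203.0.113.10,udp,123,72000
10.0.0.23,203.0.113.10,udp,19,30000
10.0.0.8,203.0.113.10,tcp,53,120000
10.0.0.9,10.0.0.2,udp,123,6
"""


def parse_flows(lines):
    """Parse CSV flow records, skipping blanks and '#' comment lines."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts = line.split(",")
        flows.append((src, dst, proto.lower(), int(dport), int(pkts)))
    return flows


def flag_flood_sources(flows, pps_threshold=500):
    """Sum outbound UDP packets per (source, service) and return the sources
    whose rate meets the threshold, highest rate first. TCP and other ports
    are ignored, so ordinary resolver or time-sync traffic is not flagged."""
    agg = defaultdict(lambda: {"pkts": 0, "dsts": set()})
    for src, dst, proto, dport, pkts in flows:
        if proto != "udp" or dport not in DDOS_PORTS:
            continue
        entry = agg[(src, DDOS_PORTS[dport])]
        entry["pkts"] += pkts
        entry["dsts"].add(dst)
    findings = []
    for (src, svc), entry in agg.items():
        pps = entry["pkts"] / WINDOW_SECONDS
        if pps >= pps_threshold:
            findings.append({"src": src, "service": svc,
                             "pps": round(pps, 1), "targets": len(entry["dsts"])})
    return sorted(findings, key=lambda f: -f["pps"])


if __name__ == "__main__":
    for f in flag_flood_sources(parse_flows(SAMPLE_FLOWS.splitlines())):
        print(f"{f['src']} {f['service']}: {f['pps']} pps to {f['targets']} target(s)")
```

Tune the threshold to the baseline of the network being monitored; a hit on a workstation that should never originate bulk DNS, NTP or chargen traffic is the signal to pull the host for process and service inspection.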
Q. How do the Lazarus Group and Guardians of Peace relate to all this?
A. According to the US-CERT report, Hidden Cobra has been previously reported as the Lazarus Group and Guardians of Peace.
The Lazarus Group was first reported in Operation Blockbuster by Novetta. It has been active since 2007 and has been conducting attacks as recently as May 2017. It is most well-known for its high profile attack on Sony Pictures Entertainment in 2014.