PINDROP BLOG

DHS Points Finger at North Korea for Long Cyberattack Campaign

The United States government has issued a warning about an ongoing series of DDoS attacks and other cyber operations that it says began in 2009, and is pointing the finger squarely at North Korea.

On Tuesday, the US-CERT, which is part of the Department of Homeland Security, published a technical alert in conjunction with the FBI that describes the attack campaign as well as the “tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally.” The alert ties the attacks back to the Lazarus group, a well-known attack team that security researchers have identified as being a state-sponsored North Korean group. That team is believed to be responsible for a number of high-profile campaigns and researchers also have linked the Lazarus group to the WannaCry ransomware.

In the alert, US-CERT says that the North Korean campaign, which it calls Hidden Cobra, has been going on for eight years and includes a sophisticated DDoS botnet and uses a number of different pieces of high-level malware, including Destover. That particular piece of malware was used in the destructive attack on Sony Pictures Entertainment several years ago and has the ability to destroy data and completely wipe the memory of infected computers. The Hidden Cobra campaign uses a DDoS tool known as DeltaCharlie that can run a number of different kinds of DDoS attacks, including DNS, and NTP (Network Time Protocol) attacks.

“Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Wild Positron/Duuzer, and Hangman,” the US-CERT warning says.

“HIDDEN COBRA actors commonly target systems running older, unsupported versions of Microsoft operating systems. The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation.”

The group also has been seen exploiting several different Adobe Flash vulnerabilities, all of which have been patched since last June.

Interestingly, the advisory from US-CERT comes on the same day that Microsoft issued patches for several older vulnerabilities in Windows XP and warned that nation-state attackers are targeting those flaws. Microsoft didn’t identify any specific attack groups in its advisory, but said it was taking the unusual step of patching unsupported Windows platforms because of the heightened risk of attack.

“Today, as part of our regular Update Tuesday schedule, we have taken action to provide additional critical security updates to address vulnerabilities that are at heighted risk of exploitation due to past nation-state activity and disclosures,” Eric Doerr, general manager of the Microsoft Security Response Center, said.

CC By-sa image by Stephan

Webinar: Call Center Fraud Vectors & Fraudsters Analyzed