US Accuses North Korean Government Of Cyber Attacks Since 2009

Step aside Russia: there is a new global cyber villian in the house – North Korea.

On Tuesday, the U.S. government via the US Computer Emergency Readiness Team (US-CERT) issued a rare alert on the activities of a hacking group called “Hidden Cobra,” saying the group was part of the North Korean government and that more attacks were likely. The joint alert from DHS and the FBI said that “cyber actors of the North Korean government” had targeted the media, aerospace and financial sectors, as well as critical infrastructure, in the United States and globally. Hidden Cobra has reportedly compromised a range of victims since 2009 and that some intrusions had resulted in thefts of data while others were disruptive.

The alert said Hidden Cobra targeted systems that run older versions of Microsoft Corp operating systems that are no longer patched.

The group’s capabilities include denial of service attacks, which send reams of junk traffic to a server to knock it offline, keyloggers, remote access tools and several variants of malware, the alert said.

From the report’s description:

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group (link is external) and Guardians of Peace. (link is external) DHS and FBI assess that HIDDEN COBRA actors will continue to use cyber operations to advance their government’s military and strategic objectives. Cyber analysts are encouraged to review the information provided in this alert to detect signs of malicious network activity.

Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, (link is external) Wild Positron/Duuzer, (link is external) and Hangman.[5] (link is external) DHS has previously released Alert TA14-353A, which contains additional details on the use of a server message block (SMB) worm tool employed by these actors. Further research is needed to understand the full breadth of this group’s cyber capabilities. In particular, DHS recommends that more research should be conducted on the North Korean cyber activity that has been reported by cybersecurity and threat research firms.

North Korea, which previously had been accused of hacking Sony only for the story to fade when it emerged that it was a former worker who was responsible for the cyber breach, has routinely denied involvement in cyber attacks against other countries. The North Korean mission to the United Nations was not immediately available for comment.

Meanwhile, alongside the great Russian hacking menace, Western officials have increasingly accused North Korean hacking activity of becoming progressively more hostile in recent years; most recently North Korea was also blamed for the global WannaCry ransomware attack, before that report too was buried after it emerged that the attack had emerged from China, not North Korea (or Russia).

Tuesday’s alert said Hidden Cobra’s cyber attacks have been previously referred to by private sector experts as Lazarus Group and Guardians of the Peace, which have been linked to attacks such as the 2014 intrusion into Sony Corp’s Sony Pictures Entertainment. 

While it is unlikely that today’s hacking allegation will be sufficient to merit a military response against North Korea, the “cyber” pressure against both North Korea and Russia is rapidly building, with some eventual “outlet” looking increasingly more probable.