The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) has released a pair of Joint Technical Alerts which provide details on tools and infrastructure used by North Korea to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally.
The North Korean government malicious cyber activity noted in these alerts is part of a long-term campaign of cyber-enabled operations that impact the U.S. Government and its citizens.
This joint Technical Alert (TA) is the result of analytic efforts between DHS and the FBI working with U.S. government partners, identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a malicious cyber activity by the North Korean government, designated by the U.S. Government as ‘HIDDEN COBRA.’
Alert (TA17-318A) HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
Alert (TA17-318B) HIDDEN COBRA – North Korean Trojan: Volgmer
Working closely with interagency, industry and international partners, DHS is constantly working to arm network defenders with the tools they need to identify, detect and disrupt state and non-state actors targeting the networks and systems of our country and our allies.
(North Korea has been launching missiles and issuing threats against the Unites States for years. But in addition to nukes, Kim Jong Un’s regime has also likely been working on the cyber front to design attacks against America. Hear from Ang Cui, founder of Red Balloon Security, about what types of attacks North Korea might be able to pull off based on what we have seen elsewhere in the world. Courtesy of Business Insider and YouTube. Posted on Nov 11, 2017)
Earlier this summer, DHS and FBI released a technical alert and malware analysis report (MAR) of a malware variant, known as DeltaCharlie, used to manage North Korea’s distributed denial-of-service (DDoS) botnet infrastructure.
Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
The U.S. Government refers to all of this North Korean malicious cyber activity as ‘HIDDEN COBRA’ and it is published on the National Cybersecurity and Communications Integration Center’s (NCCIC) U.S. Computer Emergency Readiness Team’s (US-CERT) website.
(Cybersecurity experts say North Korea may be to blame for the unprecedented global “ransomware” attack. The hacking crippled computer systems in more than 150 countries in May. Courtesy of Fox Business and YouTube. Posted on May 16, 2017)
On a daily basis, they share information about cyber threats, vulnerabilities, and other risks and the NCCIC is their primary hub for these important activities.
Specifically, it occurs through the automated sharing of cyber threat indicators; the production of analytic reports and alerts containing threat and vulnerability mitigation information; and direct exchanges with analysts in the network defense community.
With their industry and government partners, they are looking to enhance collaboration and partnerships across the globe to counter North Korea and another state or non-state actor’s malicious cyber activity, and hope that, over time, public information sharing – such as the report today – will become a routine component of cooperation to address shared cyber threat.
Entities that find signs of this malicious cyber activity should report it to DHS’s National Cybersecurity and Communications Integration Center (NCCIC) (888) 282-0870 or firstname.lastname@example.org.
Or to the FBI through CyWatch or its local field offices (855) 292-3937 or email@example.com.
Cyber Watch (CyWatch) is the FBI’s 24-hour command center for cyber intrusion prevention and response operations.
CyWatch receives threat and incident reporting, assesses it for action, and engages with the appropriate components within Cyber Division, the field, and other intelligence and law enforcement agencies for action.