The Department of Homeland Security has issued a warning about cyberattacks launched by North Korean government-sponsored hackers and has said that North Korean-developed malware is still lurking in government networks. Referring to the activity as "Hidden Cobra", the alert was published by US-CERT and is a joint product of DHS and the Federal Bureau of Investigation (FBI).
"Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government - commonly known as FALLCHILL," the alert reads. "The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA."
The alert adds that the Bureau has "high confidence" that the North Korean threat actors are using the IP addresses (listed here) to maintain their presence on target networks. The agencies are sharing these IP addresses to "enable network defense and reduce exposure to any North Korean government malicious cyber activity".
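The point of publishing the IP addresses is that defenders can sweep their own logs for them. The following is an added example (not from the article or the alert) of that sweep: it loads an indicator list that may mix single addresses and CIDR ranges, matches both the source and destination fields of firewall log lines against it, and returns the hits plus the internal hosts that should be triaged. The indicator values and the log format are constructed for illustration, using documentation-range addresses; the real list from the alert would be dropped in unchanged.

```python
import ipaddress
import re

# Constructed sample indicator list (documentation-range addresses).
# These are NOT the IOCs published by DHS/FBI; substitute the real list,
# one address or CIDR per line, comments allowed with '#'.
SAMPLE_IOCS = [
    "# constructed placeholder indicators",
    "203.0.113.45",
    "198.51.100.0/24",
]

# Constructed firewall log lines in a hypothetical format:
#   <timestamp> <action> src=<ip>:<port> dst=<ip>:<port>
SAMPLE_LOG = """\
2017-11-14T09:12:01Z ALLOW src=10.20.30.40:51234 dst=203.0.113.45:443
2017-11-14T09:12:07Z ALLOW src=10.20.30.41:51240 dst=93.184.216.34:443
2017-11-14T09:13:19Z ALLOW src=10.20.30.42:51301 dst=198.51.100.77:8080
2017-11-14T09:14:02Z DENY  src=10.20.30.40:51350 dst=203.0.113.200:443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+"
    r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):\d+$"
)


def load_iocs(entries):
    """Parse indicator strings into ip_network objects.

    A bare address becomes a /32 (or /128) network so that single IPs and
    CIDR ranges can be checked with the same membership test.
    """
    nets = []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def match_ioc(ip_str, nets):
    """Return the indicator (as a string) that contains ip_str, else None."""
    ip = ipaddress.ip_address(ip_str)
    for net in nets:
        if ip in net:
            return str(net)
    return None


def scan_log(log_text, nets):
    """Check both endpoints of every parsable log line against the indicators.

    Returns one dict per hit: line number, timestamp, action, which field
    matched, the address seen, and the indicator it matched.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        for field in ("src", "dst"):
            ioc = match_ioc(m[field], nets)
            if ioc is not None:
                hits.append({
                    "line": lineno,
                    "ts": m["ts"],
                    "action": m["action"],
                    "field": field,
                    "address": m[field],
                    "matched_ioc": ioc,
                })
    return hits


def hosts_to_triage(hits):
    """Internal source hosts that talked to an indicator, deduplicated."""
    return sorted({h["address"] if h["field"] == "src" else None for h in hits}
                  - {None}
                  | {src for src in _sources_of(hits)})


def _sources_of(hits):
    # Hits are keyed on whichever endpoint matched; the *other* endpoint on
    # that same log line is the host worth looking at. Re-read the log line
    # text stored in SAMPLE_LOG only for this constructed demo.
    lines = SAMPLE_LOG.splitlines()
    for h in hits:
        m = LOG_RE.match(lines[h["line"] - 1])
        yield m["src"] if h["field"] == "dst" else m["dst"]


if __name__ == "__main__":
    nets = load_iocs(SAMPLE_IOCS)
    for hit in scan_log(SAMPLE_LOG, nets):
        print(hit)
    print("triage:", hosts_to_triage(scan_log(SAMPLE_LOG, nets)))
```

In the constructed log, two lines touch an indicator (one single-address match, one CIDR match) and the DENY line does not, so the denied connection to an address outside the list is correctly left alone; allowed connections to listed addresses are the ones that need host triage. Because address-based indicators age quickly as infrastructure is rotated, the same sweep is worth re-running whenever an updated list is published, and hits should be confirmed against the actual service observed rather than the address alone.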
Hidden Cobra - Pyongyang's secret weapon (according to the US gov)
The US government has said that Hidden Cobra (also known to security groups as the "Lazarus Group" and "Guardians of Peace") has "likely" been using the FALLCHILL malware since 2016 to target critical infrastructure, including the aerospace, telecommunications, and finance industries. FALLCHILL, the malware allegedly used by Hidden Cobra, is a fully functional RAT with multiple commands that can be issued from a command and control (C2) server to a victim's system via dual proxies. The malware enables Hidden Cobra to perform intrusive functions such as retrieving data from installed disks, accessing files, and modifying and removing files to delete any evidence that could lead back to the operators.
FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.
The alerts also list IP addresses associated with Volgmer, a backdoor Trojan designed to provide covert access to a compromised system, which has been in use since at least 2013. Volgmer has been used by Hidden Cobra to target the government, financial, automotive, and media industries.
This week's warnings come a few months after a US-CERT alert that implicated Hidden Cobra in a number of cyberattacks going back to 2009, including the 2014 Sony Pictures hack, which some security researchers have argued North Korea was not actually responsible for. Security researchers have also previously suggested that the FBI needs to pay attention to the servers and services, not the IP addresses.