What is Hidden Cobra? US warns about North Korean hacker group's 8-year-long attack spree
US warned that North Korean nation state hackers use tools such as wiper malware, keyloggers and RATs.
The US government has issued a rare warning about North Korea's cybercriminal activities, accusing the reclusive state of an eight-year-long hacking spree.
The public has been alerted that more attacks are likely. The joint alert from the FBI and the DHS (Department of Homeland Security) states that a North Korean hacker group called "Hidden Cobra" has launched attacks against global institutions, including media organisations, aerospace and financial industries and critical infrastructure.
According to US authorities, North Korean hackers used malware dubbed DeltaCharlie to control a DDoS botnet, which the hackers in turn leveraged to conduct widespread attacks. The cyberespionage group has been operating since 2009 and has typically targeted "systems running older, unsupported versions of Microsoft operating systems".
"It is clear the purpose of building a DDoS botnet is to cripple a target," Mounir Hahad, senior director, Cyphort Labs told IBTimes UK. "Sometimes that's an end by itself, as when the electrical grid infrastructure or water treatment plants or air traffic control systems are targeted.
"But more often than not, DDoS attacks are used to hide more nefarious activity taking place under the radar while the IT staff is busy fighting the overt DDoS attack. That's the kind of scenario to worry about when the target of the DDoS attack is a government installation for example and those are typically espionage by nature."
What and who is Hidden Cobra?
According to US authorities, the Hidden Cobra group includes "cyber actors of the North Korean government". The group is better known in the infosec community as the Lazarus Group, which has been previously tied to the Sony hack by the FBI. Experts believe that the cyberespionage group has also posed as hacktivist groups, one in particular called the Guardians of Peace.
The group has been using various cyber tools, including DDoS botnets, RATs (Remote Access Tools), data-wiping malware and keyloggers to conduct attacks. The alert also said that the group used SMB worm tools. Recently leaked NSA cybertools included SMB worms such as EternalRocks, which security experts warned could be used by hackers to launch widescale attacks.
North Korean hackers also made use of a DDoS malware tool called DeltaCharlie, which "is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks".
However, Hidden Cobra's use of a DDoS botnet doesn't necessarily reflect its level of sophistication or indicate that the group has evolved.
"North Korea's usage of botnets does not mean their capabilities have evolved," Hahad said. "Many actors control botnets these days. The true measure of maturity of the capability is how stealthy the botnet is, how resilient it is to take-downs and how quickly can a new one be built should the existing one be taken down. This will depend on the kind of exploits the threat actor favours."
"Botnets are readily available and relatively cheap to rent," Tim Matthews from Imperva told IBTimes UK. "That said, more research on the sophistication of the attacks will be required to truly assess the power and sophistication of Hidden Cobra. Just like weapons, botnets have degrees of sophistication that make them more or less threatening to nation states."
North Korea's state-sponsored hacker groups have recently been linked to a series of global bank hacks as well as other cyberespionage activities, including the global WannaCry ransomware attacks. The country is also known to use its cyber warriors to conduct financially motivated attacks, aimed at filling its state coffers.