The Department of Homeland Security has issued a warning about cyber attacks originating in North Korea and perpetrated by the North Korean government, referred to as “Hidden Cobra.”
A technical alert posted by US-CERT (United States Computer Emergency Readiness Team), the DHS department responsible for being proactively aware of cybersecurity threats facing the country, has revealed that a remote administration tool (RAT) from North Korea has been deployed by Hidden Cobra since 2016 to target a number of industries including finance, telecom and aerospace.
The RAT, called FALLCHILL, enables the Hidden Cobra group to use dual proxies to issue commands to a victim’s server. In essence, this allows the group to get away with clandestine actions like accessing files, retrieving information about all installed disks on a server, modifying file or directory timestamps and even deleting evidence on the server altogether.
The alert by the US-CERT is jointly issued after investigative efforts by both the DHS and the FBI, working in tandem with other US government partners.
An excerpt from the alert read:
Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as FALLCHILL. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
The FALLCHILL malware has been active since 2016, the US government alert further revealed, adding that it had identified 83 network nodes that collectively made for the malware’s infrastructure.
Both the FBI and the DHS have also posted a list of IP addresses associated with Hidden Cobra. The FBI asserts, with “high confidence”, that those IP address are directly linked to attacks targeting computer systems using a Trojan malware called Volgmer. With it, Hidden Cobra has reportedly targeted government, auto, financial and media industries.
The new warning comes within 6 months of a previous technical alert implicating Hidden Cobra in a series of cyberattacks dating back to 2009, as well as the 2014 Sony Pictures hack.
Image credit: Flickr.
