DHS, FBI Warn of North Korea ‘Hidden Cobra’ Strikes Against US Assets

hidden cobra

DHS and the FBI warned that North Korean attackers are targeting U.S. businesses with malware- and botnet-related attacks that are part of concerted effort dubbed “Hidden Cobra.”

United States top cybersecurity cops warned Tuesday that North Korean government threat actors are targeting U.S. businesses with malware and botnet-related attacks that are part of concerted effort dubbed “Hidden Cobra.”

According to a United States Computer Emergency Readiness Team (US-CERT) bulletin, Hidden Cobra is leveraging malware called DeltaCharlie, which is the brains behind North Korea’s distributed denial-of-service (DDoS) botnet infrastructure being used against U.S. assets.

Both the Department of Homeland Security and the Federal Bureau of Investigation were part of the Hidden Cobra research released Tuesday. They warn Hidden Cobra is actively targeting the media, aerospace, financial, and critical infrastructure sectors in the United States and other global assets.

A successful network intrusion attack could result in a “temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation,” according to the DHS and FBI.

Hidden Cobra, believed to be the work of the Lazarus Group, has been on security experts’ radar screen since 2014. According to research by Kaspersky Lab, a number of Lazarus tool samples were compiled as recently as last year. Lazarus is alleged to be behind the Sony hack, which featured wiper malware and damaging data leaks, as well as the SWIFT attacks against banks in Bangladesh, Poland and Mexico.

“The Hidden Cobra malware is used to conduct DDoS-attacks by abusing a number of technologies, such as CGN (Carrier Grade NAT), NTP (Network Time Protocol) and DNS. We are not aware of the particular targets actively attacked by this malware,” Kaspersky Lab researchers said on Wednesday.

According to researchers at Kaspersky Lab, one recently detected Hidden Cobra malware sample contained a hardcoded IP that belongs to a major U.S. financial institution.

The DeltaCharlie malware, used by Lazarus, was first referenced in the Operation Blockbuster Destructive Malware report released in February 2016. Operation Blockbuster, a coalition of security companies including Kaspersky Lab, Novetta and Invincea, found that DeltaCharlie was one of several DDoS tools used by the Lazarus Group.

“DeltaCharlie is a DDoS tool capable of launching Domain Name System attacks, Network Time Protocol ¬†attacks, and Character Generation Protocol attacks,” according to the US-CERT bulletin. “The malware operates on victims’ systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks.”

DeltaCharlie malware and its accompanying botnet have been observed in 25 countries, including  France, Brazil, Russia, Malaysia, UK, USA, UAE, Taiwan, Rwanda and Philippines, researchers at Kaspersky Lab said.

DHS and FBI analysis of Hidden Cobra’s modus operandi reveal desirable targets are businesses running older, unsupported versions of Microsoft Windows along with vulnerable versions of Adobe Flash player and a Korean word processing application called Hangul. “We recommend that organizations upgrade these applications to the latest version and patch level,” according to the bulletin.

Authorities are urging system administrators who observe indicators of compromise that match the Hidden Cobra profile to flag and report observations to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).

“DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network. FBI has high confidence that Hidden Cobra actors are using the IP addresses for further network exploitation,” it said.

DHS and FBI recommend that network administrators review the IP addresses, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlist to determine if malicious activity has occurred on their network.

Suggested articles


  • No time for your crap on

    I think for once it would be nice if these unelected marginal agencies would stick to doing their jobs as oppose to leaking classified information the public. You go to a restaurant, the chef doesn't tell you all the steps he/she takes when making your food and keeps alarming you over the spices, hotness, obesity and other risks with the food. I get it, North Koreans are bad and bad people have computers. So, you have computers as well, install Windows Defender and be quiet.
    • TmHd on

      ROFL yes, Windows Defender. Of course that's the answer! Because Microsoft doesn't have to patch a dozen CVE's every month. Because Windows Defender is DDoS-proof. Because network security is literally that simple. Because bringing attention to a highly successful and destructive cyber campaign and pushing best practices does nobody any good at all and is, quite frankly, just annoying. Because cyber espionage is just political anyways and doesn't cost companies billions a year. Grr Obama rant grr big government grrrr. Now, to those who actually understand this industry, this was a good read and any information regarding emerging threats is good information.
  • Some people need to chill out on their comments. on

    Thanks for sharing this info. To me its like a doctors visit, and if you don't know what to look for how will you know you're infected. There are no commands in the article that could help a script kiddie, so the prior comment means nothing to me.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.