The US government has issued a joint alert from the U.S. Department of Homeland Security and the Federal Bureau of Investigation linking the Hidden Cobra APT group to the North Korean government.
Hidden Cobra is made up of "cyber-actors of the North Korean government,” responsible for targeting the media, aerospace, the financial sector and critical infrastructure via a range of common, known vulnerabilities. The alert issued is affiliated with or is part of two major APT players, the Lazarus Group and Guardians of the Peace, which are behind offensives aimed at South Korea and the high-profile 2014 attack on Sony Pictures Entertainment, respectively (among other things).
The good news is that compromise is preventable with patching.
“Hidden Cobra actors commonly target systems running older, unsupported versions of Microsoft operating systems,” the alert said. The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation. These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users’ environments.”
Once in, the group carries out denial of service attacks (DHS and the FBI said that the DeltaCharlie DDoS bot is linked to the group), plus espionage via keylogging and remote access tools, and it delivers several variants of malware.
DHS is recommending that more research should be conducted on the North Korean cyber-activity that has been reported by cybersecurity and threat research firms.
“The alleged connection to the attacks on South Korea and Sony reveal that these attacks are politically motivated. Botnets are readily available and relatively cheap to rent,” said Tim Matthews, vice president at Imperva, via email. “That said, more research on the sophistication of the attacks will be required to truly assess the power and sophistication of Hidden Cobra. Just like weapons, botnets have degrees of sophistication that make them more or less threatening to nation states.”
Organizations should upgrade Adobe Flash and Microsoft Silverlight to the latest version and patch level, thus inoculating themselves against Hidden Cobra’s bag of tricks. If the apps are no longer required, they should be removed from systems entirely.