A Department of Homeland Security (DHS) Alert released on Tuesday warns the public about a campaign of hacking by the government of North Korea it has code-named “Hidden Cobra.”
DHS joined the FBI for a joint Technical Alert about the campaign and its use of a piece of malicious software dubbed FallChill, a remote access trojan (RAT) that obscures so-called “command and control” communications between North Korean hackers and compromised systems on sensitive networks.
The warning is just the latest evidence of what appears to be a widespread campaign of hacks targeted at organizations in the U.S. On Saturday, The Security Ledger reported on attacks targeting U.S. defense contractors that are designed to steal information on weapons systems deployed on the Korean peninsula. And, in October, The Wall Street Journal reported on an apparent North Korean hack and the theft of military secrets from the South Korean firm Daewoo Shipbuilding & Marine Engineering Co.
The joint Technical Analysis released by FBI and DHS cites “trusted third-party reporting” to warn that North Korean actors that are part of the Hidden Cobra operation have been using FallChill malware since 2016 to target the aerospace, telecommunications, and finance industries.
A RAT with many tricks
FallChill is described as “a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies.” The RAT is installed (or “dropped”) by other malware associated with the Hidden Cobra operation or as a result of “drive by downloads” from malicious websites controlled by the attackers.
US Government analysts have identified 83 network nodes associated with the FallChill malware. But DHS warned that the command and control (C2) infrastructure of FallChill relies on multiple proxies to obfuscate network traffic between North Korean hackers and victim systems.
The presence of FallChill malware on a system could indicate that other malicious software associated with Hidden Cobra is also present, DHS and FBI warned.
The consequences of a compromise are severe. They include the temporary or permanent loss of sensitive or proprietary information, disruptions caused by destructive malware and the subsequent financial and reputation costs, the Alert warns.
Researchers at the firm CrowdStrike have also seen an uptick in attacks against defense industrial base, aerospace and financial firms in recent months, said Adam Meyers, the Vice President of Intelligence at CrowdStrike.
Meyers told The Security Ledger that his company has seen a shift in recent years from a near exclusive focus on main rival South Korea to campaigns with targets outside of the Korean peninsula.
The danger for targeted firms is considerable, Meyers said. “We’re not sure what their intentions are. We haven’t been able to observe enough of what they’re going after to understand whether this is espionage or whether they’re laying the groundwork for a destructive attack,” he said.
There may not be much difference. “Historically, those two types of campaigns start off as the same thing,” Meyers said.
Recent incidents like the WannaCry attack suggest that disruption is one goal of the North Korean cyber offensive units.
“Companies have to maintain extreme vigilance,” Meyers said. “They need to understand where on their infrastructure (North Korea) is and what they’ve done.”