DHS/FBI: HIDDEN COBRA Threat Activity Attributed to North Korean Government

The Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a joint Technical Alert (TA17-164A) providing details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. The US Government refers to the malicious cyber activity attributed to the North Korean government as HIDDEN COBRA. Tools and capabilities used by HIDDEN COBRA actors include distributed denial-of-service (DDoS) botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by these actors include Destover, Wild Positron/Duuzer, and Hangman.

The report identifies IP addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s botnet infrastructure. The FBI has high confidence that HIDDEN COBRA actors are using the identified IP addresses for further network exploitation. The alert contains indicators of compromise (IOCs), malware descriptions, network signatures, and host-based rules to help network defenders detect activity conducted by the North Korean government. The IOCs are also available in .csv and STIX formats.

The NJCCIC recommends that users and administrators review the Technical Alert and use the IOCs provided to determine whether malicious activity associated with HIDDEN COBRA has been observed within their organizations. If detected, this activity should be given the highest priority for mitigation and reported to the NJCCIC as soon as possible.
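The recommendation above (take the alert's IOC list and check it against your own telemetry) is a routine defender task, so here is a worked example of it. This is an added example, not code from the alert, DHS/FBI, or the NJCCIC: it loads an IOC CSV, keeps the IP-address and CIDR indicators, and matches them against firewall and proxy log lines. The CSV column names (`indicator`, `type`, `description`) are an assumption, since the real TA17-164A file should be inspected for its actual header; the indicator addresses and log lines are constructed (RFC 5737 documentation ranges), not values from the alert.

```python
import csv
import io
import ipaddress
import re

# Constructed stand-in for the TA17-164A IOC CSV. The column layout is an
# ASSUMPTION: check the real file's header and adjust COLUMN_INDICATOR before
# use. Addresses are RFC 5737 documentation ranges, not real indicators.
SAMPLE_IOC_CSV = """indicator,type,description
192.0.2.10,ipv4-addr,placeholder C2 address
198.51.100.0/24,ipv4-net,placeholder management range
203.0.113.7,ipv4-addr,placeholder C2 address
not-an-ip,domain,malformed row that must be skipped
"""

COLUMN_INDICATOR = "indicator"  # assumed column name, see above

# Constructed firewall/proxy log lines (not from the alert).
SAMPLE_LOG_LINES = [
    "2017-06-13T10:00:01Z fw01 ALLOW src=10.0.0.5 dst=192.0.2.10 dport=443",
    "2017-06-13T10:00:02Z fw01 ALLOW src=10.0.0.9 dst=93.184.216.34 dport=80",
    "2017-06-13T10:00:03Z fw01 DENY src=198.51.100.77 dst=10.0.0.5 dport=22",
    "2017-06-13T10:00:04Z proxy01 GET http://203.0.113.7/update.bin client=10.0.0.12",
]

# Bare IPv4 dotted quads; lookarounds stop partial matches inside longer numbers.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def load_ip_indicators(csv_text):
    """Parse the IOC CSV and return (network, row) pairs for every row whose
    indicator is a valid IP address or CIDR block. A bare address becomes a
    /32 (or /128) network. Rows that do not parse are skipped so one bad
    line does not abort the whole load."""
    indicators = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get(COLUMN_INDICATOR) or "").strip()
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            continue  # domain, hash, or malformed entry: not an IP indicator
        indicators.append((net, row))
    return indicators


def extract_ips(line):
    """Return every syntactically valid IPv4 address found in a log line,
    discarding look-alikes such as 999.1.1.1 that the regex accepts."""
    found = []
    for token in IPV4_RE.findall(line):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            pass
    return found


def scan_logs(lines, indicators):
    """Return one hit per (line, address, indicator) where an address in the
    log falls inside an IOC network. CIDR indicators match the whole range,
    so a /24 in the IOC list catches any host within it."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for addr in extract_ips(line):
            for net, row in indicators:
                if addr.version == net.version and addr in net:
                    hits.append({
                        "line": line_no,
                        "address": str(addr),
                        "indicator": str(net),
                        "description": row.get("description", ""),
                    })
    return hits


if __name__ == "__main__":
    iocs = load_ip_indicators(SAMPLE_IOC_CSV)
    for hit in scan_logs(SAMPLE_LOG_LINES, iocs):
        print(f"line {hit['line']}: {hit['address']} matched "
              f"{hit['indicator']} ({hit['description']})")
```

To run it against real data, read the alert's CSV into `SAMPLE_IOC_CSV` (after confirming the column names) and feed log lines from the firewall, proxy, or flow exports instead of the constructed list; any hit is a lead to triage, not proof of compromise by itself, since shared hosting and stale indicators produce false positives.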