The United States Computer Emergency Readiness Team (US-CERT) has issued a warning that North Korea has stepped up its efforts to attack media, aerospace, and financial companies in the United States. Critical infrastructure and public utility systems are also thought to be high-priority targets. This warning is the work of a multi-way partnership between various companies in the private sector, the Department of Homeland Security (US-CERT is a division of DHS) and the FBI. It states:

Working with U.S. Government partners, DHS and FBI identified Internet Protocol (IP) addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s distributed denial-of-service (DDoS) botnet infrastructure. This alert contains indicators of compromise (IOCs), malware descriptions, network signatures, and host-based rules to help network defenders detect activity conducted by the North Korean government. The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA.

If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation. This alert identifies IP addresses linked to systems infected with DeltaCharlie malware and provides descriptions of the malware and associated malware signatures. DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network. FBI has high confidence that HIDDEN COBRA actors are using the IP addresses for further network exploitation.

A downloadable set of IOCs (Indicators of Compromise) is available at the US-CERT webpage. The hacking teams behind HIDDEN COBRA are known to use DDoS botnets, keyloggers, remote access tools, and various types of wiper malware. They typically target older versions of Windows running outdated or unpatched versions of the operating system and are known to leverage several different security exploits in third-party plugins, including:

  • CVE-2015-6585: Hangul Word Processor Vulnerability
  • CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability
  • CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
  • CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability
  • CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability
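The alert's IP-address indicators are only useful once a defender actually runs them against traffic records. The script below is an added example, not part of the article or of the US-CERT alert: it loads a small indicator feed in a CSV shape (the addresses are constructed RFC 5737 documentation ranges, not the real DeltaCharlie IOCs, which must be taken from the US-CERT download), then scans a few constructed firewall log lines for exact-address and CIDR-range hits. The feed columns, log format and function names are all assumptions made for the example.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed indicator feed. These are RFC 5737 documentation addresses,
# NOT the HIDDEN COBRA / DeltaCharlie IOCs published by US-CERT.
IOC_FEED_CSV = """indicator,type,description
192.0.2.10,ipv4,C2 address (constructed sample)
198.51.100.7,ipv4,C2 address (constructed sample)
203.0.113.0/24,ipv4-net,botnet infrastructure range (constructed sample)
"""

# Constructed syslog-style firewall lines; not from any real device.
SAMPLE_LOGS = [
    "Jun 13 10:01:02 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=443",
    "Jun 13 10:01:03 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.8 DST=172.16.5.9 PROTO=TCP DPT=80",
    "Jun 13 10:02:14 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.77 PROTO=UDP DPT=53",
    "Jun 13 10:03:00 fw01 kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=22",
]

# Dotted quad not embedded in a longer dotted string (avoids matching inside version numbers).
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def load_iocs(csv_text):
    """Parse the feed into a set of exact addresses and a list of networks."""
    addrs, nets = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        indicator = row["indicator"].strip()
        if "/" in indicator:
            nets.append(ipaddress.ip_network(indicator, strict=False))
        else:
            addrs.add(ipaddress.ip_address(indicator))
    return addrs, nets


def find_ioc_hits(log_lines, addrs, nets):
    """Return (line_no, observed_ip, matched_indicator) for every IOC seen in the logs."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for token in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # e.g. 999.1.2.3 inside some unrelated field
            if ip in addrs:
                hits.append((line_no, str(ip), str(ip)))
                continue
            for net in nets:
                if ip in net:
                    hits.append((line_no, str(ip), str(net)))
                    break
    return hits


def hits_by_indicator(hits):
    """Count how often each indicator fired; useful for prioritising triage."""
    return Counter(indicator for _, _, indicator in hits)


if __name__ == "__main__":
    addrs, nets = load_iocs(IOC_FEED_CSV)
    hits = find_ioc_hits(SAMPLE_LOGS, addrs, nets)
    for line_no, ip, indicator in hits:
        print(f"line {line_no}: {ip} matched indicator {indicator}")
    print(hits_by_indicator(hits))
```

Against the constructed logs this reports three hits (lines 1, 3 and 4); line 2 talks to an address that is not in the feed. In practice the feed would be the CSV/STIX download from the alert page, the log source would be the firewall, proxy or NetFlow collector, and any hit would be escalated as the alert instructs.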

The full US-CERT report goes into detail on the specific DDoS and hacking tool (DeltaCharlie) used by the organization. It wouldn’t be surprising if North Korea were stepping up its cyberattacks on the United States; the communist country has been increasingly belligerent of late. It has launched multiple high-profile ballistic missile tests towards Japan, threatened to resume nuclear weapon testing, and successfully tested what it claimed was a fusion weapon 18 months ago (it probably wasn’t).

Back in April, news surfaced that the United States had deployed its own cyber attack squads to covertly sabotage North Korea’s missile tests. In the three years since our own sabotage program went into operation, North Korean missiles have suffered an 88 percent self-destruct rate. The New York Times reported that news of this program “appears to have shaken Pyongyang and led to an internal spyhunt as well as innovative ways to defeat a wide array of enemy cyberstrikes.”

The NYT noted that the Trump Administration was expected to continue using the program, which began under the Obama Administration. Whether the North Koreans have accurately identified and plugged the security flaws in their own operation or not, it makes sense that they’d be looking to turn the tables against the US.