US Blames North Korea Group Dubbed "Hidden Cobra" for Domestic and Global Hacks

A recent US Government Technical Alert (TA) issued by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), singles out a hacking group believed to be associated with the North Korean government and allegedly responsible for hacks of media, aerospace, financial, and critical infrastructure sectors.

Dubbed “Hidden Cobra,” the alert includes details involving tools actively employed by the hackers, targets and indicators of compromise (IoC) that can help organizations defend themselves against them. While the analysis also includes a list of vulnerabilities allegedly used by the hacker group – ranging from Adobe Flash Player to Microsoft Silverlight and Hangul Word Processor – most have already been patched by newer distributions.

The alert also attributes the WannaCry incident, which involved a vulnerability in the SMB v1 Windows protocol, to the Hidden Cobra group, while urging independent security researchers to join the investigation to uncover the full extent of the group”s full cyber capabilities.

“Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature,” reads the alert. “Commercial reporting has referred to this activity as Lazarus Group[1] (link is external) and Guardians of Peace.[2] (link is external) DHS and FBI assess that HIDDEN COBRA actors will continue to use cyber operations to advance their government”s military and strategic objectives. Cyber analysts are encouraged to review the information provided in this alert to detect signs of malicious network activity.”

A distributed denial-of-service (DDoS) botnet infrastructure codenamed “DeltaCharlie” is also believed to be used by Hidden Cobra. The tool”s capabilities range from downloading additional components to self-removal from infected machines. Proposed mitigation solutions include updating and patching operating systems and applications to their latest version, application whitelisting, restrictive administrative privileges, network segregation, firewalls, logging and access control lists.

“We recommend that organizations upgrade these applications to the latest version and patch level. If Adobe Flash or Microsoft Silverlight is no longer required, we recommend that those applications be removed from systems,” reads the alert.