Industry News

US Government warns of more North Korean malware attacks

With Donald Trump and Kim Jong Un exchanging handshakes and smiles at the Singapore security summit earlier this month, you may have been fooled into thinking that all was cordial between the United States and North Korea.

Look under the surface, however, and things may be rather different.

For instance, just days after the two countries signed a joint agreement at their unprecedented talks, the US Department of Homeland Security issued a warning about more malware being used by the North Korean government against US organisations.

The malware, dubbed “Typeframe”, is thought to be related to other attacks previously attributed to the Hidden Cobra hacking gang (also sometimes called “Lazarus” or “Guardians of the Peace”).

The hacking group has become notorious for its use of Remote Access Trojans (RATs), DDoS botnet attacks, keylogging spyware, and data-wiping malware in attacks against foreign companies.

Most recently, Chile's second-largest bank confirmed that in late May it suffered a serious malware attack that breached its systems and disrupted its services.

That attack saw the intruders deploy Hidden Cobra's disk-wiping malware as a distraction while some US $10 million was stolen via the SWIFT interbank payment network.

If the attack was indeed the work of North Korea, it would be the latest in a long series of attacks on SWIFT which have allegedly stolen hundreds of millions of dollars for the pariah state.

And in the past, the US Government has even blamed Hidden Cobra for the notorious WannaCry ransomware attack, a claim which North Korea predictably denied.

In its latest report, the Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) does not say how many computers may have been infected by Typeframe, or which industries may have been targeted.

However, it does share a technical analysis of 11 malware samples (Windows executable files and a Microsoft Word document) that attempt to download and install spyware, connect to command-and-control (C2) servers, and modify the victim's firewall rules to allow incoming connections.

All of the malware samples appear to have been compiled before the Singapore security summit was announced.

To better defend against the Typeframe attacks, US-CERT urges organisations to look for the indicators of compromise (IOCs) detailed in the report: review network logs for connections to the listed IP addresses, and deploy the report's network signatures and host-based rules.
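The two checks US-CERT recommends, a sweep of network logs for IOC addresses and a host-based rule for firewall tampering, are easy to put into practice. The script below is an added example written for this page; it is not code from the US-CERT report or from the article's author. The IOC addresses, log lines and the `netsh` command pattern are all placeholders I constructed for illustration (the IP addresses come from the reserved TEST-NET documentation ranges); the real indicators are the ones in the report.

```python
"""
Added example (not from the US-CERT report or the article): a small IOC sweep
over constructed log lines. It demonstrates the two checks the advisory asks for:
  1. match outbound connections in network logs against a list of IOC IP addresses;
  2. match host process-creation logs for a firewall-rule change that opens an
     inbound port (the kind of host-based rule US-CERT recommends).
The IP addresses, log lines and regexes are placeholders I constructed; the
real indicators live in the US-CERT report.
"""
import ipaddress
import re

# Constructed IOC list (TEST-NET documentation ranges, NOT real C2 addresses).
IOC_IPS = {
    ipaddress.ip_address("192.0.2.44"),
    ipaddress.ip_address("198.51.100.7"),
}

# Constructed firewall/proxy log lines: timestamp, src -> dst:port, action.
NETWORK_LOG = """\
2018-06-15T08:01:12Z 10.0.5.23 -> 203.0.113.9:443 ALLOW
2018-06-15T08:01:15Z 10.0.5.23 -> 192.0.2.44:8080 ALLOW
2018-06-15T08:02:03Z 10.0.7.8 -> 198.51.100.7:443 DENY
2018-06-15T08:02:30Z 10.0.7.8 -> 10.0.0.1:53 ALLOW
"""

# Constructed process-creation log lines (Sysmon-style "Image ... CommandLine ...").
PROCESS_LOG = """\
Host=WS01 Image=C:\\Windows\\System32\\netsh.exe CommandLine="netsh advfirewall firewall add rule name=svc dir=in action=allow protocol=TCP localport=4443"
Host=WS01 Image=C:\\Windows\\System32\\svchost.exe CommandLine="svchost.exe -k netsvcs"
Host=WS02 Image=C:\\Windows\\System32\\netsh.exe CommandLine="netsh interface show interface"
"""

NET_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ALLOW|DENY)$")
# Hypothetical host-based rule: netsh adding an inbound "allow" firewall rule.
FW_RULE_RE = re.compile(
    r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*\bdir=in\b)(?=.*\baction=allow\b)",
    re.IGNORECASE,
)


def find_ioc_connections(log_text, ioc_ips=IOC_IPS):
    """Return (timestamp, src, dst, port, action) for every line whose
    destination is an IOC address. Denied connections are reported too:
    a DENY still means the host tried to reach C2 and should be triaged."""
    hits = []
    for line in log_text.splitlines():
        m = NET_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than abort the sweep
        ts, src, dst, port, action = m.groups()
        try:
            if ipaddress.ip_address(dst) in ioc_ips:
                hits.append((ts, src, dst, int(port), action))
        except ValueError:
            continue  # destination is a hostname, not an IP literal
    return hits


def find_inbound_firewall_rules(log_text):
    """Return (host, command line) for process-creation events in which netsh
    adds an inbound 'allow' rule, which is how a backdoor makes its
    listener reachable from outside."""
    hits = []
    for line in log_text.splitlines():
        host_m = re.search(r"Host=(\S+)", line)
        cmd_m = re.search(r'CommandLine="([^"]*)"', line)
        if not (host_m and cmd_m):
            continue
        if FW_RULE_RE.search(cmd_m.group(1)):
            hits.append((host_m.group(1), cmd_m.group(1)))
    return hits


if __name__ == "__main__":
    for hit in find_ioc_connections(NETWORK_LOG):
        print("IOC connection:", hit)
    for hit in find_inbound_firewall_rules(PROCESS_LOG):
        print("Inbound firewall rule added:", hit)
```

Two design points worth noting: denied connections are kept in the output, because a blocked attempt to reach a C2 address is still evidence that the source host is infected; and the firewall check keys on the command line rather than the binary name alone, since `netsh.exe` is used legitimately all the time and only the `add rule ... dir=in action=allow` form is suspicious. In a real deployment the IOC set is loaded from the report, and the sweep runs over exported logs or through a SIEM query built from the same patterns.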

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.