A new alert from the United States Computer Emergency Readiness Team warns that the North Korean hacking team Hidden Cobra is targeting U.S. media, aerospace, financial and critical infrastructure sectors with botnet-related malware.
The US-CERT warning comes from the Department of Homeland Security and the FBI, and it describes Hidden Cobra’s use of the malware variant DeltaCharlie, which manages the group’s distributed denial-of-service (DDoS) botnet infrastructure. Now, Hidden Cobra is actively targeting the U.S. with DeltaCharlie.
According to the US-CERT alert, “A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed.” The potential effects of DeltaCharlie malware include the loss of sensitive or proprietary information, the disruption of regular operations, financial losses and harm to the reputation of the affected organization.
The US-CERT alert cited a 2016 report from Novetta, an advanced analytics company based in McLean, Va., titled “Operation Blockbuster Destructive Malware,” as the first evidence of the DeltaCharlie DDoS botnet. “DeltaCharlie is a DDoS bot that relies on the Winpcap NPF driver for the generation of raw network packets,” the report stated. According to the report, DeltaCharlie has several capabilities, including the ability to update its own binary and to activate and terminate a DDoS attack. The US-CERT alert added that DeltaCharlie is also able to launch Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks and Character Generation Protocol (CHARGEN) attacks.
The alert from US-CERT provided indicators of compromise, including IP addresses that are connected to systems infected with the DeltaCharlie malware. “DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network,” the alert read. “FBI has high confidence that Hidden Cobra actors are using the IP addresses for further network exploitation.”
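The alert's indicators are meant to be matched against an organization's own traffic. The following is an added example, not code from US-CERT, DHS/FBI or Novetta, showing how a defender might triage flow records against such an alert: it flags hosts that contact listed command-and-control addresses and hosts sending unusually many UDP packets toward the DNS, NTP and CHARGEN ports the alert associates with DeltaCharlie's DDoS modes. The C2 addresses, the flow format and the flood threshold are placeholders and assumptions; the real indicators come from the alert itself.

```python
"""Defender-side triage of flow records against a US-CERT style alert.

Added example, not code from US-CERT, DHS/FBI or Novetta. The C2 addresses
below are PLACEHOLDERS (the real indicators are in the alert itself), and the
flow records are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address

# Placeholder C2 indicators; replace with the IP list distributed in the alert.
ALERT_C2_IPS = {"203.0.113.10", "198.51.100.77"}

# UDP services DeltaCharlie is reported to abuse for DDoS: DNS, NTP, CHARGEN.
DDOS_UDP_PORTS = {53: "DNS", 123: "NTP", 19: "CHARGEN"}
FLOOD_THRESHOLD = 100  # outbound packets per host and service (assumed value)


def parse_flow(line):
    """Parse one 'src,dst,proto,dport,packets' record (constructed CSV format)."""
    src, dst, proto, dport, packets = line.strip().split(",")
    return {"src": ip_address(src), "dst": ip_address(dst),
            "proto": proto.upper(), "dport": int(dport), "packets": int(packets)}


def triage(lines):
    """Return (c2_contacts, floods): hosts talking to listed C2 addresses, and
    hosts sending many UDP packets toward DNS/NTP/CHARGEN ports."""
    c2_contacts = []
    counts = defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        if str(f["dst"]) in ALERT_C2_IPS:
            c2_contacts.append((str(f["src"]), str(f["dst"])))
        if f["proto"] == "UDP" and f["dport"] in DDOS_UDP_PORTS:
            counts[(str(f["src"]), DDOS_UDP_PORTS[f["dport"]])] += f["packets"]
    floods = {k: v for k, v in counts.items() if v >= FLOOD_THRESHOLD}
    return c2_contacts, floods


SAMPLE_FLOWS = [  # constructed sample data using documentation address ranges
    "10.0.0.5,203.0.113.10,TCP,443,12",
    "10.0.0.5,192.0.2.1,UDP,123,80",
    "10.0.0.5,192.0.2.2,UDP,123,60",
    "10.0.0.9,192.0.2.3,UDP,53,5",
    "10.0.0.9,192.0.2.4,TCP,80,3",
]

if __name__ == "__main__":
    contacts, floods = triage(SAMPLE_FLOWS)
    print("C2 contacts:", contacts)
    print("possible DDoS participation:", floods)
```

In the sample data, host 10.0.0.5 both reaches a listed C2 address and sends 140 UDP packets to NTP, so it is flagged on both counts; a single match on either list is enough to warrant investigation.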
The Hidden Cobra efforts are believed to be the work of the Lazarus Group, a North Korean hacking group that has been active since 2009 but is best known for the 2014 Sony Pictures hack. The Lazarus Group is also reportedly behind malware strains such as Hangman and Wild Positron, and it primarily targets victims in South Korea, India, China, Brazil, Russia and Turkey.