This page provides an overview of the Cybersecurity and Infrastructure Security Agency’s (CISA’s) assessment of the North Korean government’s malicious cyber activities. The U.S. Government (USG) refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. The overview leverages publicly available, open-source intelligence and information regarding this threat. This page also includes a complete list of related CISA publications, many of which are jointly authored with other U.S. government agencies (Note: unless specifically stated, neither CISA nor the U.S. Government attributed specific activity described in the referenced sources to North Korean government actors). Additionally, this page provides instructions on how to report related threat activity.
The North Korean government—officially known as the Democratic People’s Republic of Korea (DPRK)—employs malicious cyber activity to collect intelligence, conduct attacks, and generate revenue., Recent advisories published by CISA and other unclassified sources reveal that North Korea is conducting operations worldwide. According to the U.S. Office of the Director of National Intelligence 2021 Annual Threat Assessment, “North Korea’s cyber program poses a growing espionage, theft, and attack threat.” Specifically, the Assessment states, “North Korea has conducted cyber theft against financial institutions and cryptocurrency exchanges worldwide, potentially stealing hundreds of millions of dollars, probably to fund government priorities, such as its nuclear and missile programs.”
Latest U.S. Government Report on North Korean Malicious Cyber Activity
On February 17, 2021, CISA, the Federal Bureau of Investigation (FBI), and the Department of the Treasury identified malware and other indicators of compromise (IOCs) used by the North Korean government to facilitate the theft of cryptocurrency—referred to by the USG as “AppleJeus.” See the Joint FBI-CISA-Treasury Cybersecurity Advisory: AppleJeus: Analysis of North Korea’s Cryptocurrency Malware for details, including Malware Analysis Reports (MARs) on AppleJeus malware versions: Celas Trade Pro, JMT Trading, Union Crypto, Kupay Wallet, CoinGoTrade, Dorusio, and Ants2Whale.
The North Korean Malicious Cyber Activity section below lists all CISA Advisories, Alerts, and MARs on North Korea’s malicious cyber activities.
North Korean Malicious Cyber Activity
The information contained in the Alerts, Advisories, and MARs listed below is the result of analytic efforts between CISA, FBI, the U.S. Departments of Homeland Security (DHS), Defense (DoD), and Treasury; and U.S. Cyber Command; to provide technical details on the tools and infrastructure used by cyber actors of the North Korean government. The publications below include descriptions of North Korean malicious cyber activity, technical details, and recommended mitigations. Users and administrators should flag activity associated with the information reported in the publications listed in table 1 below, report the activity to CISA or FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.
Table 1: CISA and Joint CISA Publications
|February 17, 2021||CISA, FBI, and the Department of the Treasury released a Joint Cybersecurity Advisory and seven MARs on the North Korean government’s dissemination of malware that facilitates the theft of cryptocurrency—referred to by the U.S. Government as “AppleJeus.”|
|October 27, 2020||CISA, FBI, and the U.S. Cyber Command Cyber National Mission Force (CNMF) released a new Joint Cybersecurity Advisory on TTPs used by North Korean APT group Kimsuky.|
|August 26, 2020||CISA, the Department of the Treasury, FBI, and U.S. Cyber Command released a joint Technical Alert and three MARs on the North Korean government’s ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.”|
|August 19, 2020||CISA and FBI have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors. FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. A threat group with a nexus to North Korea targeted government contractors early this year to gather intelligence surrounding key military and energy technologies.|
|May 12, 2020||
CISA, FBI, and DoD identified three malware variants used by the North Korean government.
|May 12, 2020||CISA, FBI, and the broader U.S. Government authored a Joint Alert with details on vulnerabilities routinely exploited by foreign cyber actors, including North Korean cyber actors.|
|April 15, 2020||The U.S. Departments of State, Treasury, and Homeland Security and FBI issued this Advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The Advisory highlights the cyber threat posed by North Korea and provides recommended steps to mitigate the threat.|
|February 14, 2020||
CISA, FBI, and DoD identified multiple malware variants used by the North Korean government.
|September 9, 2019||
CISA, FBI, and DoD identified multiple malware variants used by the North Korean government.
|October 2, 2018||CISA, Treasury, FBI, and U.S. Cyber Command identified malware and other IOCs used by the North Korean government in an ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.” The Joint Technical Alert provides information on FASTCash and the MAR provides information on 10 malware samples related to this activity.|
|August 9, 2018||DHS and FBI identified a Trojan malware variant—referred to as KEYMARBLE—used by the North Korean government. KEYMARBLE is a RAT capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.|
|June 14, 2018||DHS and FBI identified a Trojan malware variant—referred to as TYPEFRAME—used by the North Korean government. DHS and FBI distributed this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity. This malware report contains an analysis of multiple malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications macros.|
|May 29, 2018||
This Joint Technical Alert and MAR authored by DHS and FBI provides information, including IOCs associated with two families of malware used by the North Korean government:
|March 28, 2018||DHS and FBI identified a Trojan malware variant—referred to as SHARPKNOT—used by the North Korean government. SHARPKNOT is a 32-bit Windows executable file. When executed from the command line, the malware overwrites the Master Boot Record and deletes files on the local system, any mapped network shares, and physically connected storage devices.|
|February 13, 2018||DHS and FBI identified a Trojan malware variant—referred to as HARDRAIN—used by the North Korean government.|
|December 21, 2017||
DHS and FBI identified a Trojan malware variant—referred to as BANKSHOT—used by the North Korean government. This MAR analyzes three malicious executable files.
|November 14, 2017||These Joint Technical Alerts provide information and IOCs on malware variants used by the North Korean government to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI distributed these alerts to enable network defense and reduce exposure to any North Korean government malicious cyber activity.|
|August 23, 2017||This MAR examines the functionality of the DeltaCharlie malware variant to manage North Korea’s distributed denial-of-service (DDOS) botnet infrastructure (refer to TA17-164A). DHS distributed this MAR to enable network defense and reduce exposure to any North Korean government malicious cyber activity.|
|June 13, 2017||This Joint Technical Alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. government partners, DHS and FBI identified Internet Protocol addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s DDoS botnet infrastructure.|
|May 12, 2017||This DHS-FBI Joint Technical Alert provides information, including IOCs on the ransomware variant known as WannaCry. The U.S. Government publicly attributed this WannaCry ransomware variant to the North Korean government.|
Report Activity Related to This Threat
CISA encourages all organizations to urgently report any additional information related to this threat. Users and administrators should flag associated activity, report the activity to CISA (see below) or FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.
- 1-888-282-0870 (From outside the United States: +1-703-235-8832)
- Central@cisa.gov (UNCLASS)
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA homepage at https://www.us-cert.cisa.gov/.
Mitigate and Detect this Threat
CISA recommends users and administrators review the publications in the North Korean Malicious Cyber Activity section as well as the following resources for descriptions of tactics and techniques associated with this threat and recommended mitigations and detections. Note: unless specifically stated, neither CISA nor the U.S. Government attributed specific activity described in the referenced sources to North Korean government actors.
Respond to an Incident
CISA recommends users and administrators consult the Joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, which details technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. This Joint Advisory is the result of a collaborative research effort by the cybersecurity authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States.
 U.S. Department of Defense | Military and Security Developments Involving the Democratic People’s Republic of Korea 2013 | 2013 | URL: https://fas.org/irp/world/dprk/dod-2013.pdf
 Reuters | North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report | 05_AUG-2019 | URL: https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX
 U.S. Office of the Director of National Intelligence | 2021 Annual Threat Assessment | April 9, 2021 | URL: https://www.dni.gov/files/ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf