US Government Outing North Korean Cyberespionage

by Dennis Fisher on Wednesday May 30, 2018

The Federal Bureau of Investigation and the Department of Homeland Security on Tuesday released an alert detailing two kinds of malware used by Hidden Cobra, the codename the U.S. has given to the North Korean government's cyberattacks.

The United States government is getting more aggressive in identifying publicly the tools and infrastructure used by foreign governments in cyber espionage operations. After years of being pretty oblique and vague when attributing operations and tools to specific operators, now the US-CERT is taking a different, more direct tack.

This week, the organization, which is part of the Department of Homeland Security, released a technical advisory that not only directly attributed specific pieces of malware to the North Korean government, but also identifies IP addresses of the servers used in the group’s operations. Altogether, US-CERT picked out 87 compromised network nodes used by the North Korean operators. The US-CERT advisory provides a detailed analysis of the Hidden Cobra attack group, the name DHS and the U.S. government use for North Korea’s cyber espionage team.

The advisory calls out two tools in particular: Joanap and Brambul. Joanap is a remote-access tool that gives the attackers the ability to control compromised machines and send remote commands. It’s the kind of tool that’s standard equipment for attack teams. The second piece of malware DHS identified, Brambul, is a network worm that uses a list of hard-coded credentials to try to spread over SMB shares and move through a target network.

“According to reporting of trusted third parties, HIDDEN COBRA actors have likely been using both Joanap and Brambul malware since at least 2009 to target multiple victims globally and in the United States—including the media, aerospace, financial, and critical infrastructure sectors,” the US-CERT advisory says.

Blog Post

U.S. Government Officially Blames North Korea for WannaCry Attack

READ NOW

“Like many of the families of malware used by HIDDEN COBRA actors, Joanap, Brambul, and other previously reported custom malware tools, may be found on compromised network nodes. Each malware tool has different purposes and functionalities.”

While Joanap and Brambul are pretty much run-of-the-mill malware tools for cyber espionage teams, the fact that US-CERT is publishing more and more information about North Korea’s cyber espionage activities is an interesting development. Many security analysis teams, in both government and the private sector, shy away from directly identifying the source of cyber espionage campaigns. Analysts generally don’t like to put all of their cards on the table and let adversaries know everything they know. And for government agencies, there can be political and diplomatic implications to consider, as well.

But by directly attributing the Hidden Cobra operations and malware tools to the North Korean government, US-CERT and the FBI seem to be making a clear statement that they know what the North Korean government is doing and how it’s doing it. There’s no ambiguity in these actions.

“FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity,” the advisory says.

The government has dossiers like this on lots of other attack groups, many of which are tied to foreign governments, and could release similar information on any of them if it so chooses. There’s no way of knowing whether that will happen, but outing North Korea’s cyber espionage activities on a regular basis is a pretty strong start.

Tags: Malware , Government