The FBI and the Department of Homeland Security released an alert on Tuesday regarding malware campaigns connected to a North Korean hacking group known as Hidden Cobra.
The alert, which includes indicators of compromise (IOCs) such as IP addresses, attributes two malware families to the North Korean government by way of Hidden Cobra: a remote access tool called Joanap and a worm known as Brambul, which spreads via Windows’ Server Message Block (SMB) protocol. Both malware families were first identified by Symantec in 2015 and were observed targeting South Korean organizations. Other cybersecurity vendors later attributed the two malware campaigns to the nation-state hacking group Hidden Cobra, also known as Lazarus Group.
However, Tuesday’s alert, which was issued by US-CERT, marks the first time that U.S. authorities have publicly attributed the two malware families and their activity to North Korean hacking operations.
“FBI has high confidence that HIDDEN COBRA actors are using the IP addresses — listed in this report’s IOC files — to maintain a presence on victims’ networks and enable network exploitation,” US-CERT said. “DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity.”
The alert also claimed that, “according to reporting of trusted third parties,” Joanap and Brambul have likely been used by the North Korean hacking group since at least 2009 to target organizations in various vertical industries across the globe. The FBI and DHS didn’t identify those trusted parties, but the alert cited a 2016 report, titled “Operation Blockbuster Destructive Malware Report,” from security analytics firm Novetta, which detailed malicious activity conducted by the Lazarus Group.
DHS’ National Cybersecurity and Communications Integration Center conducted an analysis of the two malware families, and the U.S. government discovered 87 network nodes that had been compromised by Joanap and were used as infrastructure by Hidden Cobra. According to the US-CERT alert, those network nodes were located in various countries outside the U.S., including China, Brazil, India, Iran and Saudi Arabia.
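The alert distributes IOC IP addresses so defenders can check their own traffic against them, and Brambul’s SMB-based spread gives a second, IOC-independent signal to look for. The following added example (not code from the alert, US-CERT or the article) triages constructed firewall log lines against a placeholder IOC list and flags internal hosts initiating SMB to external addresses; the IOC IPs, the log format and the sample lines are all assumptions.

```python
"""Added example: match constructed firewall log lines against an IOC IP list
and flag internal-to-external SMB (port 445) connections for review.

Assumptions: IOC_IPS are placeholders, not values from the alert's IOC files;
the log layout is a constructed '<ts> <src_ip> <dst_ip> <dst_port> <action>'.
"""
import ipaddress

# Placeholder IOC addresses; replace with the alert's actual IOC file contents.
IOC_IPS = {"203.0.113.10", "198.51.100.77"}

# RFC 1918 ranges used to decide whether a host is internal.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2018-05-29T10:00:01Z 10.1.2.3 203.0.113.10 443 ALLOW
2018-05-29T10:00:05Z 10.1.2.4 10.1.2.9 445 ALLOW
2018-05-29T10:00:09Z 10.1.2.5 198.51.100.200 445 ALLOW
2018-05-29T10:00:12Z 10.1.2.6 93.184.216.34 80 ALLOW
"""


def is_internal(ip):
    """True if ip parses and falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text, ioc_ips=IOC_IPS):
    """Return (line_no, reason) findings; a line can produce more than one."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of aborting the scan
        _ts, src, dst, dport, _action = parts
        if src in ioc_ips or dst in ioc_ips:
            findings.append((n, "ioc-ip-contact"))
        # Brambul propagates over SMB; an internal host opening SMB to a
        # non-internal address is worth review even with no IOC match.
        if dport == "445" and is_internal(src) and not is_internal(dst):
            findings.append((n, "outbound-smb"))
    return findings


if __name__ == "__main__":
    for line_no, reason in triage(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Internal-to-internal SMB (line 2 of the sample) is deliberately not flagged here, since that is normal file-sharing traffic; lateral-movement detection needs baselining beyond this snippet.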
The FBI and DHS attribution case for Brambul and Joanap represents the latest evidence connecting the North Korean government to high-profile malicious activity, including the 2014 breach of Sony Pictures. Last December, the White House publicly attributed the WannaCry ransomware attack to the North Korean government; prior to the U.S. government’s accusation, several cybersecurity vendors had also connected the WannaCry source code, which also exploited the SMB protocol, with the Brambul malware.
The US-CERT alert also follows tense, back-and-forth negotiations between President Donald Trump and North Korean leader Kim Jong Un regarding a U.S.-North Korea summit. Last week, Trump announced the U.S. was withdrawing from the summit, but talks have reportedly resumed.