It’s no secret that North Korea has a cyber army working in the shadows to attack western interests. The cyber-attack against Sony Pictures Entertainment in 2014 made it clear that the nation had developed its cyber warfare capabilities much more than had been realized until then.
But now it appears that North Korea has set its sights on loftier goals, perhaps spreading chaos and even damage worldwide through a well-placed series of cyber-attacks on defense targets, industry and media.
Now, US-CERT and the Federal Bureau of Investigation have issued a series of warnings intended to provide the necessary information for organizations to prevent or reduce the likelihood of a successful North Korean infiltration.
However, it the warning may be too late for some organization because their networks have been infected by the components of Hidden Cobra, which refers to the collection of malware being used to attack targets in South Korea and elsewhere around the world.
Hidden Cobra is an umbrella operation that launches malware against a wide variety of targets that North Korea is studying, apparently for future action. According to Paul Innella, CEO of TDI based in Washington, the goal of the Hidden Cobra operation appears to have changed. He said that North Korea has moved from running ransomware operations to something more sinister—information gathering.
“A lot of it is polling information on network infrastructure data,” Innella explained. “They’re trying to map out what we have.” He said that this operation already resulted in a breach that compromised planning between the military of South Korea and the United States.
Innella said that there’s been discussion recently about recent failures of North Korean rocket launches and whether those failures occurred as a result of cyber-attacks by the west. He said that it appears that the North Korean effort to map out the infrastructure of organizations in the west is a precursor to cyber-war.
Initially the attacks are likely to be against the military or launch systems, Innella said. But the plans of the North Koreans apparently go beyond that. The warnings from the Department of Homeland Security through US-CERT and the FBI indicate that there are also plans to attack the financial sector, aerospace and telecommunications using its FallChill malware, which is part of Hidden Cobra.
FallChill is a remote administration tool that evades detection by encrypting its communications traffic using TLS (transport layer security). The malware is able to use its remote administration capabilities to map out a network and then to report what it finds. The idea is that once FallChill has mapped out the networks (including the defenses) North Korea will know what and where to attack for best effect.