This article is more than 1 year old

Crouching cyber, Hidden Cobra: Crack North Korean hack team ready to strike, says US-CERT

DeltaCharlie malware aimed at American biz, we're told

The Norks are coming and it won't be fun, according to a new bulletin from the United States Computer Emergency Readiness Team (US-CERT).

The advisory warns that a North Korean hacking team, dubbed Hidden Cobra, is actively targeting media, aerospace, financial, and critical infrastructure sectors in the US and around the world. CERT says it has been working with the FBI and Homeland Security and has identified IP addresses used by the Hidden Cobra team in their attacks.

(Stop us if you've heard this all before about North Korean hackers.)

"If users or administrators detect the custom tools indicative of Hidden Cobra, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation," the warning states.

"DHS and FBI are distributing these IP addresses to enable network defense activities and reduce exposure to the DDoS command-and-control network. FBI has high confidence that Hidden Cobra actors are using the IP addresses for further network exploitation."

CERT says that the Hidden Cobra team, also known as the Lazarus Group or Guardians of Peace, has been active since 2009 and uses DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware in their actions. It's the DDoS capabilities that has CERT particularly worried at the moment.

The hacking group is using botnet creation malware called DeltaCharlie to attack foreign companies. CERT and law enforcement have compiled a list of IP addresses used by the botnet and IT admins are advised to block them as a matter of urgency.

"The malware operates on victims' systems as an svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks," CERT says.

As for more general hacking, Hidden Cobra targets older Windows systems using known vulnerabilities where patches are available but uninstalled. It also hacks using Flash and Silverlight, and CERT recommends removing those applications and focusing on the following vulnerabilities:

  • CVE-2015-6585: Hangul Word Processor Vulnerability
  • CVE-2015-8651: Adobe Flash Player and 19.x Vulnerability
  • CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
  • CVE-2016-1019: Adobe Flash Player Vulnerability
  • CVE-2016-4117: Adobe Flash Player Vulnerability

CERT believes Hidden Cobra was the source of the WannaCry aka WannaCrypt malware attacks, but offers no evidence. It has included a checklist for IT admins who think they might be under attack that should mitigate the worst effects and help law enforcement investigations. ®

More about

More about

More about


Send us news

Other stories you might like