North Korea has increasingly become the known or suspected culprit behind many major cybersecurity disasters, including the 2016 Bangladesh Bank heist and the 2014 Sony Pictures Entertainment breach.
In recent months, the Department of Homeland Security and the Federal Bureau of Investigation have issued several joint technical alerts, warning the public about state-sponsored cyber threat actors from North Korea and their efforts to engage in cyber warfare against the United States.
The most recent alerts were issued in November, with the purpose of informing the public about ongoing malicious cyber activity from North Korea under the code name Hidden Cobra. The alerts outline details on tools and infrastructure used by this group to target critical infrastructure sectors in the U.S. and globally. This includes efforts to specifically penetrate the media, aerospace and financial industries, using DeltaCharlie malware, Hidden Cobra’s primary weapon, which manages its distributed denial-of-service (DDoS) botnet infrastructure.
North Korea has increasingly become the known or suspected culprit behind many major cybersecurity disasters, including the 2016 Bangladesh Bank heist and the 2014 Sony Pictures Entertainment breach. The Bangladesh Bank incident transpired when instructions to steal $951 million from Bangladesh Bank were issued via the SWIFT network, the international money transfer system used between banks. While the majority of the transactions were blocked, they were successful in stealing $81 million from the institution.
Most of us remember the impact Sony felt from the breach – its computers were rendered inoperable, entire servers and data centers were shut down and offices and movie lots that were protected by managed, electronic access became inaccessible. These attacks provide sobering reminders that North Korean threat actors are unpredictable, opportunistic and driven by a wide range of motivations. They may take a variety of measures, whether financial, political, or retaliatory, in a demonstration of force that can completely disable their targets. The activity encompassed by Hidden Cobra is extremely sophisticated and can wreak havoc, even for organizations that already have a strong security posture and in-depth safeguards, and the unpredictability of the North Korean actors means that everyone must take notice.
While DeltaCharlie doesn’t appear to have an overt destructive component, it is still a concern for cybersecurity professionals, who must remember that destructive software remains a typical signature of Hidden Cobra. Organizations should be aware of the possibility that there may be a secondary or hidden component to the malware that could present additional future problems to systems that were previously breached by DeltaCharlie malware.
Information that has been released by the U.S. government to date provides important intelligence for security professionals that can be used to strengthen defenses against threats from Hidden Cobra. The issued alerts provide indicators of compromise, network signatures, descriptions of the malware and other details about Hidden Cobra that can help bolster network security. In addition to staying abreast of the most up-to-date intelligence on this front, organizations should build strong incident response programs to deal with emerging risks from Hidden Cobra and threat actors representing other hostile countries with sophisticated hacking capabilities, such as Russia and Iran. Savvy cybersecurity professionals must:
- Gather Intelligence: It is vital to keep the latest intelligence and attack trends in mind, regularly collaborating with other organizations and federal authorities to ensure knowledge of current threats. Every organization should maintain an intelligence platform that gathers all crucial cyber threat information – including tactical intelligence like digital fingerprints and strategic intelligence about the attacker’s motivations – and makes it accessible to analysts working on the front lines of defense.
- Contain Points of Compromise: During an active attack, any breached segments of the network must be contained to minimize the spread of infection. Conducting a sweep for threat indicators that have been observed going out or coming in can prevent further compromise. This also includes limiting user access. Because malware can only impact the user’s space at the highest level of access that user has, limiting user rights can prevent the malware from propagating broadly across the network. These containment efforts are critical to an efficient prevention and incident response program.
- Conduct Hunt Operations: Any organization that is at high risk for attack – particularly pharmaceutical, financial services, energy, manufacturing and retail companies – must retain cybersecurity subject matter experts that can engage in proactive efforts to locate threat actors that are attempting to find and exploit cybersecurity vulnerabilities. By understanding vulnerabilities and even the threat actors that want to use them, an organization is in a much stronger position to hold its defensive line.
- Educate Employees: A network is only as strong as its weakest link, which in many cases is its people. Educating personnel and partners about the threat landscape and ensuring they have a stake in maintaining cybersecurity cannot be overlooked. Building training and incentive programs that keep employees engaged in identifying attempts from cyber threat actors and defend against attacks can be a critical component of a strong cybersecurity program.
The Internet truly has no borders, and threats from the other side of the globe can quickly impact U.S. interests. Historically, cybersecurity operations have relied on a reactive approach – implementing intrusion detection systems, network rules and alerts, and reacting to red flags or incidents. In today’s landscape, those steps are still important, but a much more proactive and strategic stance is necessary to keep pace with the rapidly advancing abilities of state-sponsored threat actors like North Korea.