The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released two joint Technical Alerts (TAs), TA17-318A and TA17-318B, on Tuesday detailing techniques used by the North Korean government in cyberattacks on U.S. and global entities.
The two HIDDEN COBRA alerts – HIDDEN COBRA being the codename the U.S. government uses for malicious cyber activity by the North Korean government – provide details on a remote administration tool (RAT) and a Trojan used by DPRK hackers.
Both are forms of malicious software – or malware – and are named in the alerts as FALLCHILL (the RAT) and Volgmer (the Trojan).
“The North Korean government malicious cyber activity noted in these alerts is part of a long-term campaign of cyber-enabled operations that impact the U.S. Government and its citizens,” an accompanying press release on the DHS website reads.
“Working closely with our interagency, industry and international partners, DHS is constantly working to arm network defenders with the tools they need to identify, detect and disrupt state and non-state actors targeting the networks and systems of our country and our allies,” it added.
According to the TAs, Volgmer has been in use since at least 2013 and FALLCHILL since 2016, in targeted attacks on media, aerospace, financial, and critical infrastructure sectors in the U.S. and around the world.
Once a RAT or Trojan has infected a device, it lets the attacker control that device from a remote location – accessing or deleting data, monitoring activity, disrupting networks and data, and performing other malicious functions.
For both alerts, the FBI said it had “high confidence” that the North Korean government was behind the malware observed, and included details on the tools as well as Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with them.
The IP addresses associated with the Volgmer Trojan are both static and dynamic, with the U.S. government identifying dynamic IP addresses across 18 countries.
These include Armenia, Azerbaijan, Bahrain, Bangladesh, China, Egypt, Georgia, Indonesia, Iran, the Maldives, Nepal, Pakistan, Saudi Arabia, Singapore, Sri Lanka, Taiwan, Thailand and the UK.
The largest shares of dynamic IPs were found in India (25.4 percent) and Iran (12.3 percent), with Pakistan (11.3 percent) in third place.
This is consistent with a recent New York Times report that researchers now believe nearly a fifth of North Korea’s cyberattacks originate from India.
Tuesday’s publication is the second time this year the FBI and DHS have issued joint TAs on North Korean activity, following a similar alert in June on HIDDEN COBRA’s DDoS botnet infrastructure.
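The alerts ship their IP indicators as lists to be checked against network logs. As an added example (not code from the DHS/FBI alerts or from NK News), the Python script below matches that kind of indicator list against firewall log lines. The indicator table and the log lines are constructed for the example; the addresses are RFC 5737 documentation placeholders, not the IOCs the alerts published, which should be loaded from the CSV/STIX files attached to the alerts. The static/dynamic split described above matters in practice: a dynamic address is reassigned to other subscribers over time, so a match well outside the window in which it was reported active is weak evidence on its own, and the script downgrades it rather than dropping it.

```python
"""Check firewall logs for the IP indicators published with an alert.

Added example, not code from the DHS/FBI alerts. The indicator addresses
are constructed placeholders from the RFC 5737 documentation ranges.
"""
import ipaddress
import re
from datetime import date, datetime

# Constructed indicator table. "kind" mirrors the static/dynamic split in the
# Volgmer alert; "window" is the (assumed) period the address was reported active.
INDICATORS = {
    "192.0.2.10":   {"kind": "static",  "window": ("2016-01-01", "2017-11-14")},
    "198.51.100.7": {"kind": "dynamic", "window": ("2017-06-01", "2017-08-31")},
    "203.0.113.99": {"kind": "dynamic", "window": ("2017-09-01", "2017-11-14")},
}

# Constructed firewall log lines: ISO-8601 timestamp followed by key=value fields.
SAMPLE_LOGS = """\
2017-11-15T03:12:44Z action=allow src=10.0.0.21 dst=192.0.2.10 dport=8080 proto=tcp
2017-11-15T03:13:01Z action=allow src=10.0.0.33 dst=192.0.2.200 dport=443 proto=tcp
2017-07-04T22:05:09Z action=allow src=10.0.0.21 dst=198.51.100.7 dport=8088 proto=tcp
2017-11-15T03:14:00Z action=allow src=10.0.0.21 dst=not-an-ip dport=80 proto=tcp
2017-11-16T11:47:30Z action=deny src=10.0.0.50 dst=198.51.100.7 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")


def parse_line(line):
    """Return (timestamp, fields) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return ts, fields


def confidence(indicator, when):
    """Static C2 addresses are strong signals. Dynamic (rotating) addresses
    are only meaningful near the time they were reported, so a match outside
    the reported window is kept but marked low for corroboration."""
    if indicator["kind"] == "static":
        return "high"
    start, end = (date.fromisoformat(d) for d in indicator["window"])
    return "medium" if start <= when.date() <= end else "low"


def match_logs(log_text, indicators=INDICATORS):
    """Return one hit dict per log line whose destination is an indicator.
    Denied connections are reported too: a blocked beacon still points at
    an infected source host."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, fields = parsed
        try:
            dst = str(ipaddress.ip_address(fields.get("dst", "")))  # validate and normalise
        except ValueError:
            continue  # missing or malformed destination: not a usable record
        ind = indicators.get(dst)
        if ind is None:
            continue
        hits.append({
            "time": ts.isoformat(),
            "src": fields.get("src"),
            "dst": dst,
            "dport": fields.get("dport"),
            "action": fields.get("action"),
            "kind": ind["kind"],
            "confidence": confidence(ind, ts),
        })
    return hits


if __name__ == "__main__":
    for h in match_logs(SAMPLE_LOGS):
        print(f'{h["time"]} {h["src"]} -> {h["dst"]}:{h["dport"]} '
              f'({h["action"]}, {h["kind"]} indicator, confidence={h["confidence"]})')
```

On the constructed input this reports three hits: the static indicator (high), the dynamic indicator inside its window (medium), and the same dynamic indicator three months after its window (low). The low-confidence hit is the one to corroborate with host evidence before escalating, since by then the address may well belong to an unrelated subscriber.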
North Korea has been blamed by cybersecurity companies and governments for a series of attacks in recent years, including the high-profile hack of Sony Pictures Entertainment in late 2014, which led to unilateral U.S. sanctions in early 2015.
Responsibility for the Sony hack was claimed by a group calling itself the Guardians of Peace, a persona researchers later tied to the Lazarus Group; the FBI concluded that North Korea was behind the incident.
In mid-May, two top security firms, Kaspersky and Symantec, reported that they had found evidence linking the WannaCry ransomware – which has hit hundreds of thousands of computers across 150 countries this year – to North Korea.
Both pointed to overlaps between WannaCry’s code and tools used in the USD 81 million theft from Bangladesh Bank in 2016.
More recently, in October, UK security minister Ben Wallace blamed North Korea for the WannaCry attack, which hit the country’s hospitals in May this year.
North Korea has consistently used its state media to deny involvement in cybercrime.
Edited by Oliver Hotham
Featured Image: Data Security Breach by Visual Content on 2016-09-28 17:10:18