The U.S. Pentagon, the FBI, and the Department of Homeland Security exposed a North Korean hacking operation on Friday, publishing technical details for seven malware families used in the campaign.
The US Cyber National Mission Force, an arm of the Pentagon's US Cyber Command, said on Twitter that the malware "is currently being used by cyber actors (the North Korean government) for phishing and remote access to carry out illegal activities," steal money, and circumvent sanctions. The tweet linked to a post on VirusTotal, Alphabet's malware repository, that contains cryptographic hashes, filenames, and other technical details that allow defenders to identify compromises on the networks they protect.
Malware attributed to #NorthKorea by @FBI_NCIJTF has just been released here: https://t.co/cBqSL7DJzI. This malware is currently used by #DPRK phishing and remote access cybercriminals to carry out illegal activities, steal funds and circumvent sanctions. #HappyValentines @CISAgov @DHS @US_CYBERCOM
– USCYBERCOM Malware Alert (@CNMF_VirusAlert) February 14, 2020
An accompanying advisory from the DHS Cybersecurity and Infrastructure Security Agency said the campaign was the work of Hidden Cobra, the government's name for a hacking group sponsored by the North Korean government. Many private sector security researchers use different names for the group, including Lazarus and Zinc. Six of the seven malware families were uploaded to VirusTotal on Friday. These included:
- Bistromath, a fully functional Trojan and implant that performs remote access, system surveys, file upload and download, process and command execution, and monitoring of microphones, clipboards, and screens
- Slickshoes, a "dropper" that loads but does not execute a "beaconing implant" that can perform many of the same tasks as Bistromath
- Hotcroissant, a fully featured beaconing implant that also performs many of the tasks listed above
- Artfulpie, an "implant that downloads, loads and executes DLL files from a hard-coded URL in memory"
- Buttetline, another full-featured implant, which uses a fake HTTPS scheme with a modified RC4 cipher to stay hidden
- Crowdedflounder, a Windows executable that can be used to unpack a remote access Trojan (RAT) and run it in memory
But wait … there's more
Friday's Cybersecurity and Infrastructure Security Agency advisory also provided additional details for the previously released Hoplight, a family of 20 files that act as a proxy-based backdoor. None of the malware carried forged digital signatures, a technique that is standard in more advanced hacking operations and that makes it easier to bypass endpoint security protections.
Costin Raiu, director of Kaspersky Lab's global research and analysis team, posted a picture on Twitter that shows the relationship between Friday's malware and malicious samples identified by the Moscow-based security company in other campaigns attributed to Lazarus.
The joint advisory on Friday is part of a relatively new approach by the federal government to publicly identify foreign hackers and the campaigns they have carried out. Previously, government officials had largely avoided attributing specific hacking activities to specific governments. This approach began to change in 2014, when the FBI publicly concluded that the North Korean government was behind the extremely destructive hack of Sony Pictures a year earlier. In 2018, the Department of Justice charged a North Korean agent with allegedly executing the Sony hack and unleashing the WannaCry ransomware worm that shut down computers worldwide in 2017. Last year, the U.S. Treasury Department sanctioned three North Korean hacking groups that have been widely accused of targeting critical infrastructure and stealing millions of dollars from cryptocurrency exchanges.
As Cyberscoop noted, Friday was the first time that US Cyber Command had identified a North Korean hacking operation. One reason for the change: although North Korean government hackers often use less advanced malware and techniques than those from other countries, their attacks are becoming more sophisticated. News agencies, including Reuters, cited a United Nations report from last August estimating that North Korea's hacking of banks and cryptocurrency exchanges generated $2 billion for the country's WMD programs.