On March 31, the National Cybersecurity and Communications Integration Center (NCCIC) issued a joint Technical Alert produced by the Department of Homeland Security (DHS) and the FBI. The document warned of recent “malicious cyber activity by the North Korean government” as part of an ongoing operation by Pyongyang-sponsored hacker teams. For the past year, U.S. investigators have referred to this series of hacks as Operation Hidden Cobra. In the latest identified Hidden Cobra activity, the NCCIC states that the hackers are using two previously unobserved pieces of malware to gain illicit access to private networks and exfiltrate data.
The first program, called Joanap, is a Remote Access Trojan, or RAT, which, if successfully delivered, allows an attacker to take control of a user's machine and run pretty much any operation they please. RATs are usually delivered via email phishing, relying on a victim to unknowingly download a file containing the malicious software. Joanap is suspected of being used both as a means to extract files and other data and as a way of harnessing large numbers of computers worldwide to take part in bigger hacks that require a broad base of participating machines (such as a Distributed Denial of Service attack). According to NCCIC, Joanap has so far been identified on 87 compromised network nodes in 17 countries, including Brazil, China, Spain, Taiwan, Sweden, India, and Iran.
A second malware type was also discovered, in the form of a Server Message Block (SMB) worm. As the name suggests, SMB worms work by exploiting Server Message Block, a protocol that enables different nodes on a network to share data. Abusing this protocol allows the worm to spread rapidly to many different computers, potentially all over the world. This particular SMB worm, named Brambul, attempts to gain access to user accounts and protected files via brute-force password attacks using a list of embedded passwords. Considering that a large percentage of all successful hacks are the result of weak passwords that almost anyone can guess, this method can be devastatingly effective. Once Brambul gains unauthorized access, the malware sends information about the victim's systems back to the Hidden Cobra hackers by email. That information includes the IP address and hostname, as well as the username and password, of each targeted system.
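One defensive check the Brambul description points to, as an added example that is not from the alert or this article: a small Python detector that scans constructed Windows failed-logon records (event 4625 with network logon type 3, the logon type SMB authentication produces) for a source host that fails repeatedly against several accounts within a short window, the pattern an embedded-password-list worm leaves behind, and notes any account the same source also logged on to. The log format, thresholds and sample values are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the alert): a simplified export of Windows
# Security events, 4625 = failed logon, 4624 = success, LogonType 3 = network.
SAMPLE_LOG = """\
2018-05-29T10:00:01 EventID=4625 LogonType=3 Src=10.0.0.5 Account=administrator
2018-05-29T10:00:02 EventID=4625 LogonType=3 Src=10.0.0.5 Account=admin
2018-05-29T10:00:03 EventID=4625 LogonType=3 Src=10.0.0.5 Account=admin
2018-05-29T10:00:04 EventID=4625 LogonType=3 Src=10.0.0.5 Account=backup
2018-05-29T10:00:05 EventID=4625 LogonType=3 Src=10.0.0.5 Account=backup
2018-05-29T10:00:06 EventID=4624 LogonType=3 Src=10.0.0.5 Account=backup
2018-05-29T10:15:00 EventID=4625 LogonType=3 Src=10.0.0.9 Account=jsmith
2018-05-29T10:15:20 EventID=4624 LogonType=3 Src=10.0.0.9 Account=jsmith
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"Src=(?P<src>\S+) Account=(?P<acct>\S+)$")

def parse(log_text):
    """Yield (timestamp, event_id, logon_type, source, account); skip bad lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), int(m["eid"]),
                   int(m["lt"]), m["src"], m["acct"])

def detect_smb_bruteforce(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failed network logons inside any window_s span."""
    fails, accts, wins = defaultdict(list), defaultdict(set), defaultdict(set)
    for ts, eid, lt, src, acct in parse(log_text):
        if lt != 3:            # only network (SMB-style) logons matter here
            continue
        if eid == 4625:
            fails[src].append(ts)
            accts[src].add(acct)
        elif eid == 4624:
            wins[src].add(acct)  # accounts this source also logged on to
    alerts, window = [], timedelta(seconds=window_s)
    for src, times in fails.items():
        times.sort()
        start = peak = 0
        for end in range(len(times)):      # sliding window over failures
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"src": src, "failures": peak, "accounts": sorted(accts[src]),
                           "logged_on_as": sorted(wins[src])})
    return alerts
```

A single failed logon from 10.0.0.9 stays below the threshold, while the burst from 10.0.0.5 is flagged together with the account it then succeeded against; on a real host the same logic would be fed from exported Security log events.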
The Technical Alert put out by NCCIC concluded by urging users to review their system protocols and consider improving some of their security practices, such as keeping operating systems and software up to date, maintaining up-to-date antivirus software, restricting users' permissions to install and run unwanted software, scanning for and removing suspicious email attachments, disabling Microsoft's File and Printer Sharing service, and using a personal firewall.
Now that the Singapore summit between the U.S. and North Korea is back on track, it seems a bit ironic that North Korea is still actively pursuing its cyber campaigns. The question is how much this revelation by federal law enforcement will affect the diplomatic road ahead, though it is likely to be swept under the rug. While North Korea's hacking exploits are nothing to scoff at—recent events from WannaCry to the Youbit hack stand as stark reminders of that—these findings are not a big enough deal to disrupt the historic opportunity to reconcile with the DPRK. U.S. leaders can add them to the topics to discuss at the June 12 meeting. Until then, they will likely remain a sidenote.