The North Korean Cyberwar Operations group is known variously as Lazarus Group, Guardians of Peace, or Hidden Cobra. A few of their notable achievements include the 2014 attack on Sony Pictures inspired by the satirical Seth Rogen film “The Interview,” the $81 million cyber bank heist against Bangladesh’s central bank, and the 2017 WannaCry ransomware attack.
In June 2017, US-CERT sent a public warning to US businesses about the danger of North Korean cyber-attacks and the need to patch old software to defend against them. The types of attacks the North Koreans were using included DDoS (distributed denial of service) botnets, remote access Trojan (RAT) programs such as the Joanap RAT, disk-wiping and data-destruction programs, keylogging credential-stealing programs, and Windows SMB (Server Message Block) exploits such as the WannaCry, Brambul, and EternalBlue worms.
The current North Korean botnet has been built using the Brambul SMB worm to hijack and gain access to victim computers, and the Joanap RAT to recruit the computer and join it to the botnet. In October, the FBI obtained a court order and search warrant from a California court. This gave the FBI and the US Air Force Office of Special Investigations (AFOSI) the legal authority to operate servers that pretended to be infected systems in the Joanap botnet.
The FBI and the US Air Force successfully infiltrated the botnet. They have been able to identify many of the affected computers. The victims of this attack are being notified by their Internet Service Providers, or by direct notifications. The FBI is contacting other national governments to inform them about victims in their jurisdictions.
The good news is that if you have been keeping your computer patched with the latest Windows updates, and have been using a fully updated version of any anti-malware program, then your computer is probably not affected. You should still keep an eye out for an email from your ISP. This will not be a hoax, and you should follow the directions to clear this malware from your computer. You may want to hire a qualified professional who is familiar with this exploit to do the work for you.
If you are an IT professional responsible for a business network, you may want to read the information linked below to learn about the tactics, techniques, and indicators of compromise. This should make it easier to scan your network for infection and remediate any affected systems.
- Sophos Naked Security
- US-CERT – TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
- US-CERT – North Korean Malicious Cyber Activity
- US-CERT – TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer
- US-CERT – TA17-164A: HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure