US-CERT, the Department of Homeland Security team responsible for analyzing cybersecurity threats, has posted a warning about cyber attacks by the North Korean government, which it collectively refers to as “Hidden Cobra.” The technical alert from the FBI and Department of Homeland Security says a remote administration tool (RAT) called FALLCHILL has been deployed by Hidden Cobra since 2016 to target the aerospace, telecommunications and finance industries.
FALLCHILL allows Hidden Cobra to issue commands to a victim’s server by dual proxies, which means it can potentially perform actions like retrieving information about all installed disks, accessing files, modifying file or directory timestamps and deleting evidence that it’s been on the infected server.
The FBI and Department of Homeland Security also posted a list of IP addresses linked to Hidden Cobra. The FBI says it “has high confidence” that those IP addresses are linked to attacks that infect computer systems with Volgmer, a Trojan malware variant used by Hidden Cobra to target the government, financial, auto and media industries.
The U.S. government says Volgmer has been used to gain access to computer systems since at least 2013. Once Volgmer establishes a presence in a systems, it can gather system information, update service registry keys, download and upload files, execute commands and terminate processes and list directories, says the FBI and Department of Homeland Security.
The new warnings from US-CERT come five months after a technical alert posted in June that implicated Hidden Cobra (which has also been called Lazarus Group and Guardians of the Peace by security experts) in a series of cyber attacks that date back to 2009 and include the 2014 Sony Pictures hack.
While North Korea’s cyber espionage efforts were once dismissed by many security experts, the success of Hidden Cobra over the last few years has changed that perception, and it is now seen as a serious threat because it is able to do a lot of damage at a relatively low cost.