Written by Shannon Vavra
The Pentagon, FBI, and Department of Homeland Security have publicly identified a North Korean hacking campaign as part of a broad information sharing program intended to warn industry against adversarial hacking, CyberScoop has learned.
The public disclosure includes details about at least seven different malware samples linked with North Korean hacking efforts. The samples point to cyber-espionage activities carried out by an actor the U.S. refers to as Hidden Cobra, which officials have previously associated with the North Korean government. The files detailed use tools meant to steal data, create and delete files and capture screenshots, according to a person who has viewed the U.S. malware analysis report (MAR).
The Department of Defense, which added details about the malware to the VirusTotal malware repository, said that the “malware is currently used for phishing & remote access by DPRK cyber actors to conduct illegal activity, steal funds & evade sanctions.”
The decision marks the first time the Pentagon’s Cyber Command has identified North Korean hacking efforts by name.
The report, which was shared with the private sector in advance, is designated TLP Red, meaning it cannot be shared “with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed.”
It was not immediately clear if this activity was ongoing, or if the U.S. was sharing details about cyber-operations that have concluded.
Cyber Command has previously shared technical details linked with North Korean financial heists involving the Society for Worldwide Interbank Financial Telecommunication (SWIFT), the interbank messaging system, as CyberScoop reported. Other U.S. warnings have concerned malware linked with the Lazarus Group, another alleged North Korean hacking group, while other releases have exposed malware tied to Russian-linked hacking and Iranian-linked activity.
The malware files have been dubbed Hoplight, Buffetline, Artfulpie, Hotcroissant, Crowdedflounder, Slickshoes, and Bistromath, according to the person who has seen the malware analysis report. Some samples have compilation stamps dating back to as early as 2016.
Hoplight, a trojan linked with gathering information on victims’ operating systems, has previously been exposed by the FBI and DHS. Cyber Command also exposed activity linked with Hoplight in September.
At least one of the files may be linked with previous North Korean hacking campaigns in India, such as those linked with DTrack malware and a reported attack against an Indian nuclear power plant, as well as ATM heists, a person who has seen the MAR told CyberScoop.
Many of those malware files exhibit typical remote access trojan (RAT) features. Slickshoes, for example, which appears to be both a dropper and a RAT, has many of the features common to RATs, such as a reverse shell, screen capture, file theft, and file creation, according to the person who has seen the analysis.
Some of the files appear to have been created recently. A beaconing implant that can run file transfers and screen grabs, dubbed Hotcroissant, has a compilation timestamp from July of last year, according to the person familiar with the report. Artfulpie, which appears to be a downloader for another payload, was compiled in June.
One of the samples shows North Korea trying to conceal its activities. Buffetline appears to encrypt its traffic in a way that mimics TLS encryption, which could make nefarious activity blend into normal traffic. Buffetline is also capable of manipulating file timestamps so the hackers can, to some extent, obfuscate their activities from possible incident responders, according to the person familiar with the MAR.
Evolution of information-sharing
As part of DHS’ Cybersecurity and Information Security Agency’s effort to share information with the private sector about threats the U.S. government is detecting, the private sector got a heads-up about the North Korean malware in advance, according to multiple sources familiar with the warning.
DHS has provided this kind of early alert to the private sector in concert with some of Cyber Command’s previous VirusTotal sharing efforts, as CyberScoop first reported.
But this public reprimand of North Korean hacking shows Cyber Command expanding the bounds of how much it can share about threats it is seeing with the private sector — Cyber Command’s standard practice in information sharing in the past has been to not comment on attribution at all.
In previous months, when reached for comment on attribution, the command would only say that “the Cyber National Mission Force is releasing malware.”
The command has also typically not gone so far as to characterize even the capabilities of the malware it shares. That practice changed in the last few months of 2019. Cyber Command started testing its appetite for sharing more in its last VirusTotal release, when it tacked on information about the malware’s capabilities alongside the files.
“These malware samples are currently used for fund generation and malicious cyber activities including remote access, beaconing, and malware command by malicious cyber actors,” Cyber Command said in November.
It wasn’t clear why Cyber Command made the decision to explicitly expose the North Korean regime in its latest warning, but the transparency level-up coincides with a separate National Security Agency initiative to accelerate and improve how it tips the private sector off to adversarial threat information through a new Cybersecurity Directorate. Cyber Command and the NSA, a DOD signals intelligence agency, are co-located and share the same leader, Gen. Paul Nakasone.