Malware developed in North Korea is still sitting on computer networks around the world with potentially “severe impacts”, according to the FBI.
The FBI and Department of Homeland Security (DHS) have issued two warnings detailing the tools and infrastructure that hackers – believed to be linked to the North Korean government – have been using for years.
These hackers, whom the FBI refers to collectively as Hidden Cobra, have been using a remote administration tool known as FallChill and infecting networks with the Volgmer backdoor Trojan to gain and keep access to government and business networks worldwide.
This is part of a “long-term campaign of cyber-enabled operations that impacts the US government and its citizens”, the FBI and DHS said, with Hidden Cobra having the ability to “maintain a presence on a victim’s network to further network exploitation”.
The warning said the group had deployed Volgmer, a backdoor Trojan that gives remote access to compromised systems, against a range of victims.
“Since at least 2013, Hidden Cobra actors have been observed using Volgmer malware in the wild to target the government, financial, automotive and media industries,” the alert said.
Hidden Cobra has also been using a Remote Administration Tool (RAT) dubbed FallChill. The FBI believes this has been in use since 2016 to target the aerospace, telecommunications and finance industries.
The tool lets Hidden Cobra issue commands to infected hosts through a chain of two proxy servers, which obscures the true command-and-control server. With it the actors can enumerate installed disks, read and modify files, and delete the malware and its artefacts to remove evidence that they were ever on the system.
“Hidden Cobra actors have likely been using FallChill malware since 2016 to target the aerospace, telecommunications, and finance industries,” the FBI and DHS alert said.
“The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control server to a victim’s system via dual proxies.”
These tools can have potentially “severe impacts”, the alert said, including temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files and potential harm to an organisation’s reputation.
The FBI and DHS have released a list of IP addresses that they believe Hidden Cobra actors use to maintain a presence on victims’ networks, so that defenders can search their own traffic for connections to that infrastructure.
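The practical use of such a list is to sweep outbound connection logs for any internal host talking to the published addresses. The script below is an added example and is not code from the FBI/DHS alerts or from any vendor: the indicator list and the firewall log lines are constructed placeholders (RFC 5737 documentation ranges, not the agencies’ actual Hidden Cobra IOCs), and the log format, field names and function names are assumptions. It accepts both single addresses and CIDR blocks, keeps blocked (`DROP`) attempts as hits because a beaconing attempt still identifies an infected host, and counts hits per internal source so triage can start with the noisiest machine.

```python
"""Hunt for command-and-control IP indicators in outbound connection logs.

Added example, not part of the FBI/DHS alerts. IOC_LIST and SAMPLE_LOG are
constructed placeholders (RFC 5737 documentation addresses), not the agencies'
published Hidden Cobra indicators; load the real list from the alert's
indicator file in place of IOC_LIST before running this on production logs.
"""
import ipaddress
import re
from collections import Counter

# Constructed placeholder indicators: two single hosts and one small block.
IOC_LIST = ["192.0.2.45", "198.51.100.0/28", "203.0.113.77"]

# Constructed firewall log lines in an assumed syslog-like key=value layout.
SAMPLE_LOG = """\
2017-11-15T02:14:07Z fw01 ACCEPT src=10.20.4.17 dst=192.0.2.45 dport=443 proto=tcp
2017-11-15T02:14:09Z fw01 ACCEPT src=10.20.4.17 dst=172.16.9.3 dport=445 proto=tcp
2017-11-15T02:15:31Z fw01 ACCEPT src=10.20.7.88 dst=198.51.100.9 dport=8080 proto=tcp
2017-11-15T02:16:02Z fw01 DROP src=10.20.7.88 dst=203.0.113.77 dport=443 proto=tcp
2017-11-15T02:17:44Z fw01 ACCEPT src=10.20.4.17 dst=93.184.216.34 dport=80 proto=tcp
2017-11-15T02:18:10Z fw01 ACCEPT src=10.20.4.17 dst=192.0.2.45 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def build_ioc_index(iocs):
    """Split indicators into exact hosts (a set, O(1) lookup) and networks."""
    hosts, nets = set(), []
    for raw in iocs:
        # strict=False lets "192.0.2.45" parse as a /32 without complaint.
        net = ipaddress.ip_network(raw.strip(), strict=False)
        if net.num_addresses == 1:
            hosts.add(net.network_address)
        else:
            nets.append(net)
    return hosts, nets


def match_ioc(dst, hosts, nets):
    """Return the indicator string that dst hits, or None if it is clean."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None  # hostnames or garbage in the dst field are not matched
    if addr in hosts:
        return str(addr)
    for net in nets:
        if addr in net:
            return str(net)
    return None


def scan_log(text, iocs):
    """Return one dict per log line whose destination matches an indicator.

    Blocked connections are kept: a DROP to C2 infrastructure still means an
    internal host tried to beacon and should be investigated.
    """
    hosts, nets = build_ioc_index(iocs)
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        hit = match_ioc(m["dst"], hosts, nets)
        if hit:
            rec = m.groupdict()
            rec["ioc"] = hit
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per internal source address for triage ordering."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG, IOC_LIST)
    for h in found:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dport"]} '
              f'[{h["action"]}] matches {h["ioc"]}')
    print("hits per source host:", dict(summarize(found)))
```

On the constructed log this reports four hits (two from 10.20.4.17, two from 10.20.7.88) and ignores the two connections to addresses outside the indicator list. For a real sweep, point it at exported firewall or proxy logs and replace `IOC_LIST` with the addresses from the alert; exact-host indicators are checked with a set lookup, so a list of a few hundred entries costs nothing per line.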
The two agencies recommended a number of defensive measures that any individual or organisation can apply, including application whitelisting to stop malicious software and unapproved programs from running, keeping patches and antivirus software up to date, restricting users’ permissions to what their roles require, and not following unsolicited website links sent from unknown sources.
The two new warnings come more than six months after the FBI issued another alert implicating Hidden Cobra in a series of cyber attacks dating back nearly a decade, including the hacking of Sony Pictures in 2014.
“DHS and FBI assess that Hidden Cobra actors will continue to use cyber operations to advance their government’s military and strategic objectives,” the warning said.
“Some intrusions have resulted in the exfiltration of data while others have been disruptive in nature.”
The alert added that the North Korean-linked hackers favour computer systems running outdated software that no longer receives security updates.
“Hidden Cobra actors commonly target systems running older, unsupported versions of Microsoft operating systems,” it said.
“The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation. These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users’ environments.”