US warns against North Korean 'Hidden Cobra' hackers


Patch vulnerable Flash and Silverlight installations now.

The US government has taken the unusual step of naming the North Korean government as being behind a hacking group it has dubbed "Hidden Cobra".

The US computer emergency response team (CERT) today issued an alert revealing the group had been targeting the media, aerospace, financial, and critical infrastructure sectors globally since 2009.

While the US government has labelled the North Korean group Hidden Cobra, it is also known as the Lazarus Group and Guardians of Peace. 

Hidden Cobra is believed to be behind the high-profile hack on Sony Pictures and Entertainment in 2014.

The group has also been linked to the recent WannaCry ransomware epidemic - security researchers found shared code in the malware that the Lazarus Group had used in the past.

US-CERT worked with the Department of Homeland Security and the FBI to map the tools and infrastructure Hidden Cobra uses. 

The group has a large set of malicious tools in its arsenal, according to the CERT.

Among these is the DeltaCharlie malware, used to control botnets for distributed denial of service attacks. It can attack domain name system and network time protocol servers, as well as run character generation protocol (chargen) traffic flooding assaults.

The group also utilises keyloggers, remote access tools (RATs), and data wiper malware.

The group has in the past used the Destover, Wild Positron/Duuzer, and Hangman malware.

Hidden Cobra's favoured method of attack is to use vulnerable versions of Adobe's Flash Player running on unsupported versions of Microsoft's Windows operating system.

Vulnerable versions of Microsoft's Silverlight media player have also been in Hidden Cobra's cross-hairs. US-CERT recommends that users either upgrade or remove the product from their computers.

Copyright © iTnews.com.au . All rights reserved.