Skip to content
Naked Security Naked Security

US-CERT issues North Korean cyberattack patch warning

The US has issued an unusually stark public warning about the threat posed by North Korean cyberattacks

The US has issued an unusually stark public warning to businesses about the threat posed by North Korean cyberattacks and the urgent need to patch old software to defend against them.

No surprise in this, you might say, after all the US has been accusing the Democratic People’s Republic of Korea (DPRK) of causing trouble in cyberspace as far back as the high-profile attack on Sony in 2014.

This alert is a bit different, both in its detail and that it has been made public by the US Department of Homeland Security (DHS) and the FBI through US-CERT, usually taken as a sign of imminent trouble.

The advisory’s first message is that anyone detecting activities by the DPRK, codenamed “Hidden Cobra” (aka the Lazarus Group or Guardians of Peace), should report activity through the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).

Indicators of Compromise (IOCs) cover a gamut of DDoS botnet activity, keylogging, remote access tools (RATs), and disk wiping malware, as well as SMB worm malware of the sort blamed for the recent WannaCry attacks.

It also refers to IP address ranges used for DDoS attacks, dubbed “DeltaCharlie”, and describes some of the tools employed by Hidden Cobra:

…DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Wild Positron/Duuzer, and Hangman. DHS has previously released Alert TA14-353A, which contains additional details on the use of a server message block (SMB) worm tool employed by these actors.

The takeaway for Naked Security readers is to patch the older applications alleged North Korean cyberattacks like to prey on, particularly the following CVEs:

Interestingly, although these emerged as zero-day vulnerabilities, it’s likely that Hidden Cobra exploited them after patches appeared. This suggests a crude but well proven MO in which vulnerabilities are targeted to catch out anyone who hasn’t applied updates.

As with the other advice given (reducing user privileges, paying attention to web services vulnerabilities) patching old vulnerabilities is something companies should be doing anyway. Threat hunters working in Security Operations Centres (SOCs) get YARA signatures to help with detection.

All in all, US-CERT is making a lot of fuss over the DPRK, including repeating the relatively recent suggestion that Hidden Cobra has been conducting cyberattacks as far back as 2009. Some think it probably goes back to 2007, not long after the US began its own advanced cyberwarfare effort.

This is a lot earlier than anyone has previously acknowledged which, taken at face value, perhaps underlines how long the DPRK has been ignored or under-estimated as a threat.

What marks out cyberattacks connected to the DRPK is their strange vindictiveness. In addition to the grudge attack on Sony, disk wipers were a common theme used to target South Korean businesses, including DarkSeoul malware first identified by Sophos.

Earlier this year, the DPRK was forensically linked to the alarming attack on the SWIFT bank messaging system through a Bangladesh bank that netted $81 million for the attackers.

Then came the real oddity, WannaCry, also attributed in some quarters to North Korea. If this was a cry for attention, it succeeded in its aim.

North Korea is starting to look like a major cyber-worry, an unpredictable actor capable of pulling off financial spectaculars as well as unrestrained revenge stunts.


John E Dunn

“North Korea is starting to look like a major cyber-worry, an unpredictable actor capable of pulling off financial spectaculars as well as unrestrained revenge stunts.”

Do you have a shred of absolute proof it’s North Korea and that they even have the capability???

Have you ever heard the expression…
Weapons of Mass Lies
If you want to add $55-60 Billion to a Military Budget you need a good reason.
Selling $350 Billion and Assembly Plants to your enemy (Saudi’s) is a good Reason…
I’d say…
Some don’t get it…
Adding is a simple mathematical skill…worth learning.

On the other hand…North Korea

Cyber…IC Ballistic Missiles…Nukes

I have yet to see North Korean absolute proof from anybody including America.
Let me prove MY POINT….Iraq…Weapons of Mass…Bla…Bla…Bla…
That should do it.!!!
Adding is a simple mathematical skill…worth learning.

You are suppose to be the Solution…NOT the problem !!!


I thought the article was spot on. Sounds like ‘Real Joe’ is a fake NK plant. Like in China, they employ people solely to post positive comments about their country.


WHile I do not appreciate the tone of Real Joe, I would question the statements in the article attributing such attacks to North Korea, I do not believe there is any absolute proof of this just a lot of opinions and I always thought Sophos to be above going with mass opinion instead favouring to stick with factual statements. Looks like this has changed!!!


To be fair, this article isn’t really about Sophos or its own opinions on North Korea – the first sentence says what the deal is here, namely that whether *you* think DPRK is in the frame for any of the abovementioned attacks or not, US-CERT is warning that it is.

As we put it up front, “The US has issued an unusually stark public warning to businesses about the threat posed by North Korean cyberattacks.”

As the linked-to report puts it, ‘This alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally.”

Speaking for myself, not for Sophos…I’d patch *anyway*. After all, If I’m at risk of getting pwned by DPRK, I’m at risk of getting pwned by any number of other “threat actors” (I don’t know why the industry chose that word, because these guys aren’t acting – they’re for real!) who happen to know the same or any similar attack techniques… it’s worth working on the assumption that once someone knows about a specific security hole, anyone and everyone knows too, or could find out if they wanted to.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!