Hidden Cobra targets critical infrastructure

UPDATE The Computer Emergency Response Team in Thailand (ThaiCERT) has reported the seizure of a server allegedly belonging to the North Korean state-sponsored hacking group Hidden Cobra. Security researchers at McAfee believe this server was used to control the group's attack operations. ThaiCERT said it is now working with the authorities to analyze the device.

All eyes are on east Asia today, as North Korean leader Kim Jong-un crosses into the South, stepping over the border that has divided the Korean Peninsula, amid the rhetoric of war, for decades.

The meeting between Kim and his South Korean counterpart, Moon Jae-in, is a step towards peace between the two nations, and one that may well begin the process of dismantling the North’s nuclear arsenal.

But a worrying nuclear program isn’t the only reason North Korea is named as a considerable threat by Western allies.

Cyber-attacks such as WannaCry last May have equally placed the nation on the map as a global cyber threat, a view reaffirmed earlier this month by then White House Cyber Coordinator Rob Joyce, as The Daily Swig reported.

Now the extent of a new suspected North Korean state-sponsored hacking campaign has been revealed by researchers at security software firm McAfee.

The cyber-offensive – dubbed Operation GhostSecret – targets critical infrastructure in a number of countries with aims of surveillance and theft, McAfee said.

Targets were hit with a range of bespoke malware that allowed data to be siphoned, undetected, from victims around the world.

Attacks predominantly occurred in the entertainment, finance, healthcare, and telecommunications sectors; McAfee first discovered the campaign after a number of Turkish banks were hit in March.

The malware used here – the Bankshot implant – was attributed to the Lazarus Group, also known as ‘Hidden Cobra’.

Since 2009, Hidden Cobra, which the US regards as an arm of the North Korean government, has deployed multiple malware variants against high-profile victims, the US Department of Homeland Security has noted.

Typically, as with the Bankshot implant, attackers exploit known vulnerabilities to plant malicious software on a device: an unsuspecting user opens a malicious attachment sent by email, for example.

Many other forms of malware were discovered in the McAfee analysis of Operation GhostSecret, which also found targets in the US, UK, Germany, Japan, China, and Russia.

“The evolution in complexity of these data-gathering implants reveals an advanced capability by an attacker that continues its development of tools,” McAfee said.

“Our investigation uncovered an unknown infrastructure connected to recent operations with servers in India using an advanced implant to establish a covert network to gather data and launch further attacks.”

The threat to national critical infrastructure has been a hot topic recently, with nations such as the US and UK issuing a wave of guidance on how all stakeholders can prevent cyber-attacks.

At the Joint Committee on the National Security Strategy in London this week, British MPs heard evidence from infrastructure operators in light of the Network and Information Systems (NIS) Directive, which is set to take effect in UK law next month.

The NIS Directive aims to mitigate the cyber-risks to essential services such as electricity, water, and telecoms supply, giving regulators additional powers to ensure that operators meet security standards in a rapidly changing digital landscape.

Steve Unger, chief technology officer at Ofcom, said: “Essentially one of the risks is that some unfriendly state might use an existing known vulnerability in networks to attack infrastructure with the aim of taking out elements of our critical national infrastructure.”

He added: “I would say the biggest change in our approach over the last few years has been a shift from looking at incidents reactively to trying to assess risk more proactively.”