The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a technical alert today on Hidden Cobra, the malicious cyber activities by the North Korean government. North Korea’s DDoS botnet infrastructure is also sometimes referred to as Hidden Cobra.

The alert provides technical details on the tools and infrastructure, including IP addresses associated with DeltaCharlie, a malware variant used to manage North Korea’s distributed denial of service (DDoS) botnet infrastructure. Also listed were indicators of compromise, malware descriptions, network signatures, and host-based rules that network admins can use to detect activity conducted by the North Korean government on their networks.

The technical alert encourages users and administrators who detect the use of Hidden Cobra custom tools to report such activities to the DHS or FBI.

We’ve put together some frequently asked questions and will monitor the situation and update this post.

Q. What is Hidden Cobra?

A. The U.S. Government refers to the malicious cyber activity by the North Korean government as Hidden Cobra.

Activities now identified as Hidden Cobra began in 2009. These activities include exploits by threat actors on victims in the public and private sector, theft of data and disruption of website availability.

Q. What is DeltaCharlie and how does it differ from Hidden Cobra?

A. According to the US-CERT report, DeltaCharlie is the malware used to infect machines converting them to “zombie” bots. Infected bots collectively become a botnet that is controlled by threat actors.

The DeltaCharlie malware was discovered by Novetta in its 2016 Operation Blockbuster Malware Report. There is evidence that the malware may have been present on victims’ networks for a significant period.

Q. What are the capabilities of Hidden Cobra and DeltaCharlie?

A. According to Novetta’s report, threat actors use Hidden Cobra tools and capabilities such as DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.

Hidden Cobra threat actors use DeltaCharlie as a DDoS tool. DeltaCharlie has been used in several exploits since it was first reported.

Q. How does DeltaCharlie launch DDoS attacks?

A. DeltaCharlie can launch DNS, NTP and character generation protocol DDoS attacks by operating on victims’ systems as a svchost-based service (a system that hosts multipleWindows services in Windows NT). It can download executable files, change its configuration, update its own binaries, terminate its own processes, and activate and terminate denial of service attacks.

Q. How do the Lazarus Group and Guardians of Peace relate to all this?

A. According to the US-CERT report, Hidden Cobra has been previously reported as the Lazarus Group and Guardians of Peace.

The Lazarus Group was first reported in Operation Blockbuster by Novetta. It has been active since 2007 and has been conducting attacks as recently as May 2017. It is most well-known for its high-profile attack on Sony Pictures Entertainment in 2014.

On November 24, 2014, a post on Reddit reported that Sony Pictures had been hacked. A group identified itself as the Guardians of Peace and hacked into the Sony network, leaving it unavailable for days. The Guardians of Peace accessed information on employees, email and unreleased films. Guardians of Peace claimed it had been in the Sony network for a year before being discovered.

How to Protect Against DeltaCharlie

The US-CERT report suggests how network admins can defend their systems against the DeltaCharlie malware.

Patch applications and operating systems – Update software and patches frequently and download updates only from trusted vendor sites.

Whitelist applications – Use whitelisting to allow only specified programs to run and block malicious software.

Restrict administrative privileges – Reduce privileges to fit a user’s role. Keep administrators in privileged tiers and limit access to other tiers.

Segment networks and segregate them into security zones – By segmenting networks, admins can help protect sensitive information and critical services, and minimize damage from network perimeter breaches.

Validate input – Input validation can protect against security gaps in web applications and potentially block attacks such as SQL injection, cross-site scripting, and command injection.

Use stringent file reputation settings – Keep the file reputation lists of your anti-virus software at the most aggressive setting allowable. This can help prevent a wide range of untrustworthy code from gaining control.

Leverage firewalls – Firewalls keep your network less likely from being attacked. Web application firewalls can block data and applications from certain IPs, while allowing necessary data through.

How to Protect Against DDoS Attacks From the DeltaCharlie Botnet

To protect your website against DDoS attacks from botnets including DeltaCharlie, we recommend the following steps. Our “DDoS Response Playbook” gives you guidelines on how to prepare for a DDoS attack.

Build a DDoS response team — Identify the people and departments who will be in charge in the event of a DDoS attack.

Create a DDoS response plan — Your plan may include resources, tools and procedures that minimize the impact of a DDoS event.

Identify single points of failures in your network — Find out if there is a bottleneck in your network that may affect site availability.

Collaborate with your ISP — Large attacks could drain your bandwidth allowance and influence your ISP to provision future services. Communicate with your ISP to minimize any issues.

Set optimal DNS TTL — Find the optimal time to live (TTL) setting for your website so you know how long it will take to get your site live in the event of an attack.

DDoS testing — Plan regular penetration testing on your network to test for gaps. This will ensure your solutions will work when you need them.

We’ll update the post with our security team’s assessment of encounters we may have had with the DeltaCharlie malware.