US-CERT released an alert providing technical details of the HIDDEN COBRA hacking group. HIDDEN COBRA (also known as Lazarus Group or Guardians of Peace) is allegedly tied to the North Korean government and has constructed a large botnet and intrusion infrastructure. Security researchers and analysts at the National Security Agency have identified commonalities between this group and the very public Sony Pictures Entertainment breach and the recent WannaCry outbreak.
HIDDEN COBRA has deployed capabilities ranging from DDoS botnets and remote access tools to keyloggers. The group is also known to exploit Adobe Flash Player vulnerabilities, as well as vulnerabilities in Microsoft Silverlight and the Hangul Word Processor.
Assuming the attribution of this group to the North Korean government is accurate, it appears to operate differently from other nation-state actors. Generally speaking, nation-state hackers are motivated by espionage and economic development. It is atypical to see a nation state publicly take down a corporation, as occurred with Sony Pictures Entertainment, or launch a widespread ransomware attack. Nevertheless, regardless of the motivation behind the attacks launched by HIDDEN COBRA, the group remains an active and significant threat, and the fact that it operates differently makes it less predictable. Tracking its evolution and monitoring known signatures and indicators are important for any threat intelligence and security operations team.
At Security On-Demand, we have processed the indicators provided by US-CERT in the linked report and are actively monitoring our customers' networks. Our Threat Reconnaissance Unit continually monitors this group's evolution.