How North Korea is hacking companies and governments
WASHINGTON DC — The U.S. government has revealed new details about two strains of malware it says North Korea is using to attack companies and governments.
The Department of Homeland Security (DHS) and the FBI issued joint alerts on Tuesday warning about two types of malware, or malicious software, that North Korean hackers are allegedly using against firms across industries such as aviation, finance, telecoms and media.
One of them, known as FALLCHILL, has likely been in use since 2016 and gives the hackers remote monitoring and control over infected computers. It typically arrives as a file dropped by other malware, or is downloaded unknowingly by users visiting websites that have already been compromised.
It also uses multiple layers of “proxy malware,” according to the DHS and FBI, that allow it to disguise its origin and make the hackers harder to trace.
The other type of malware, Volgmer, infects computers through a technique known as spear phishing, in which users receive an apparently legitimate email containing a link that then delivers the malware. North Korean hackers have been using Volgmer since at least 2013, the U.S. authorities said.
Pyongyang has repeatedly denied involvement in any international cyberattacks.
The FBI and DHS said both types of malware are associated with HIDDEN COBRA, a term the U.S. government uses to refer to “malicious cyber activity by the North Korean government.”
The security agencies said in June this year that HIDDEN COBRA — which includes groups such as Lazarus and Guardians of Peace that have been linked to previous attacks — has been operating since 2009.
The DHS and FBI also identified dozens of IP addresses across several countries through which they believe Volgmer attacks are being routed. India accounts for the biggest share of the IP addresses, with around 25%, followed by Iran and Pakistan.
“This highlights the need for nations to protect their infrastructure, not just for their own sake but also to make sure they don’t become a pawn in someone else’s war game,” said Subramanian Udaiyappan, a cybersecurity specialist with Cisco in India.
“Attackers persist with their already exploited infrastructure and tend to re-use it, which means India could become an unwilling perpetrator of more such attacks if action isn’t taken immediately,” he added.
North Korea has been linked to some of the most high-profile cyberattacks in recent years, including a $101 million theft from Bangladesh’s central bank in 2016, disruptions to neighbor South Korea’s systems on multiple occasions and a 2014 hack on movie studio Sony Pictures.
More recently, the authoritarian regime was accused of being behind the WannaCry ransomware attack in May that crippled hundreds of thousands of computers around the world. A lawmaker in South Korea also claimed two weeks ago that North Korean hackers stole blueprints for South Korean warships and submarines.