It has been reported that the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued a joint malware analysis report (MAR) on a new Trojan dubbed HOPLIGHT, used by the North-Korean APT group Lazarus. According to the MAR AR19-100A advisory published on the US-CERT website, the new Trojan was detected while tracking the malicious cyber activity of the North Korean-backed hacking group HIDDEN COBRA (also known as Lazarus, Guardians of Peace, ZINC, and NICKEL ACADEMY).
https://twitter.com/Stormshield_/status/1116312451174293504
Experts Comments:
Satnam Narang, Senior Research Engineer at Tenable:
“This is the 16th report compiled by the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) over the last two years on malicious activity associated with HIDDEN COBRA (also known as Lazarus Group), a threat actor that has been linked to the North Korean government. This particular Malware Analysis Report (MAR) highlights a new Trojan, dubbed HOPLIGHT, which primarily consists of proxy applications used by HIDDEN COBRA to disguise its efforts to “phone home,” which is the traffic sent by the malware back to its command and control (C&C) server. The continued analysis and reporting by these agencies helps provide organisations and companies key indicators of compromise to identify infected systems and affected organisations as well as guidance to thwart attempts by HIDDEN COBRA to infiltrate more organisations.”
John Sheehy, VP of Strategy at IOActive:
“Unfortunately in today’s cypher-physical systems, a cybersecurity risk is a safety risk. With the current generation of operational technology systems, an unmitigated cybersecurity issue is an unmitigated safety issue.”
“Where possible, designers should use orthogonal safety controls such as mechanical pressure relief values or mechanical governors, that have zero coincidence with the control systems and therefore cannot be affected by them. Today’s operational technology implementations should focus on managing the consequences of a cybersecurity attack through layered protections and mitigations using non-cybersecurity engineering controls. This should be done with a focus on providing operational resiliency to the process and overall operations.”
“As a cybersecurity strategy defenders should be focusing on two primary strategic objectives. First, raising the cost to the threat actors through a layered defensive model and non-cybersecurity consequences. Second, lowering the payoff to the threat actor by reducing the consequences and impact to the defenders of any successful attack. The recent attacks on SIS environments demonstrates there’s an unmet need to focus on the second.”
Bob Noel, VP of Strategic Partnerships at Plixer:
“It’s no surprise that bad actors will take steps to maintain access to compromised systems, and place effort into covering their tracks. Their degree of success depends upon their skill set, and often the cybercriminals focused on critical infrastructure are more sophisticated. In the case of Triton being used against critical infrastructure, the attackers focused on after-hours activity for reconnaissance and lateral movement. Critical infrastructure organizations, which are high-value targets, must be implementing network traffic analysis technologies to provide 7 x 24 proactive monitoring. Applying security analytics to every network conversation allows organizations to use technology to uncover low and slow data theft, credential misuse, and behavioral anomalies. Monitoring network traffic is an important complement to antivirus and other end-user device security technologies. Hackers are getting better at hiding their tracks as it pertains to antivirus, however their activities will always generate network traffic that can be used to identify their presence.”
