News broke yesterday that the U.S. government issued an alert on the activities of a hacking group it called “Hidden Cobra,” saying the group was part of the North Korean government. The joint alert from the U.S. Department of Homeland Security and the Federal Bureau of Investigation said that “cyber actors of the North Korean government” had targeted the media, aerospace and financial sectors, as well as critical infrastructure, in the United States and globally. Tim Matthews, Vice President at Imperva, commented below.
Tim Matthews, Vice President at Imperva:
“The research suggests that North Korea has connections with two well-known hacker groups, The Lazarus Group, responsible for DDoS attacks against the government of South Korea from 2007 to 2012, and The Guardians of Peace, who obtained and leaked confidential data from Sony Pictures in 2014, in an attempt to block the release of “The Interview,” a movie satirising the leaders of North Korea. The US-CERT report suggests Hidden Cobra was the botnet used by these two groups. Botnets provide the power – in terms of attack bandwidth – and the distribution – to make blocking more complicated.
The alleged connection to the attacks on South Korea and Sony reveals that these attacks are politically motivated. Botnets are readily available and relatively cheap to rent. That said, more research on the sophistication of the attacks will be required to truly assess the power and sophistication of Hidden Cobra. Just like weapons, botnets have degrees of sophistication that make them more or less threatening to nation states.
It’s not surprising to see that North Korea is using DDoS attacks which can cripple websites and are one of the most common uses for botnets as we’ve noted in the Imperva Incapsula 2016 Bot Traffic Report. In particular, the NTP and DNS DDoS attacks seen in Hidden Cobra (Delta Charlie) are among the most common types of DDoS attacks as noted in our Incapsula Q1 DDoS report.
Now that the U.S. Dept. of Homeland Security and FBI have identified the signature, we can monitor our Incapsula network for evidence of Hidden Cobra attacks and distinguish this botnet from all of the attack traffic we see.”