North Korea has been running a hacking campaign targeting aerospace, telecommunications and financial industries in the US since 2016, according to alerts issued by the government. Homeland Security and the FBI have released the technical details of what they say are North Korean-sponsored cyber attacks in an effort to help companies protect themselves. The alerts contain IP addresses associated with Volgmer, one of the backdoor Trojans the hackers have been using for years.
They also contain info on the FALLCHILL malware North Korean hackers have reportedly been using to compromise networks in the aforementioned sectors. FALLCHILL gains entry into a computer when a user visits an infected website and unwittingly downloads it. It could also arrive as a secondary payload dropped by other malware that has already infected the system. Once it’s in, FALLCHILL can retrieve information, as well as execute, terminate and move processes and files. The malware can also clean up after itself, making it hard to detect its presence.
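The practical value of these alerts for a defender is the indicator list: network addresses that a compromised host would contact. The script below is an added example, not code from the alert or the article, showing how such indicators are matched against outbound connection logs. It assumes a simple key=value firewall log format and uses placeholder addresses from the RFC 5737 documentation ranges in place of the real indicators, which the article does not reproduce.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder indicators standing in for the addresses published in the
# DHS/FBI alert (the real list is not reproduced on this page). RFC 5737
# documentation ranges are used so the values are obviously constructed.
IOC_ADDRESSES = {
    "192.0.2.10": "Volgmer C2 (placeholder)",
    "198.51.100.25": "FALLCHILL C2 (placeholder)",
}
IOC_NETWORKS = {
    ipaddress.ip_network("203.0.113.0/24"): "FALLCHILL infrastructure range (placeholder)",
}

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOGS = """\
2017-11-15T08:01:02Z host=ws-17 src=10.0.5.23 dst=93.184.216.34 dport=443 action=allow
2017-11-15T08:01:09Z host=ws-17 src=10.0.5.23 dst=198.51.100.25 dport=443 action=allow
2017-11-15T08:02:41Z host=srv-02 src=10.0.9.4 dst=203.0.113.77 dport=8080 action=allow
2017-11-15T08:03:00Z host=ws-21 src=10.0.5.40 dst=192.0.2.10 dport=80 action=deny
2017-11-15T08:03:12Z host=ws-21 src=10.0.5.40 dst=172.217.0.1 dport=443 action=allow
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def classify_address(addr):
    """Return the indicator label for addr, or None if it matches nothing."""
    if addr in IOC_ADDRESSES:
        return IOC_ADDRESSES[addr]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net, label in IOC_NETWORKS.items():
        if ip in net:
            return label
    return None


def scan_logs(text):
    """Return one record per log line whose destination matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        label = classify_address(m["dst"])
        if label:
            hits.append({
                "ts": m["ts"], "host": m["host"], "dst": m["dst"],
                "label": label, "action": m["action"],
            })
    return hits


def hosts_to_triage(hits):
    """Group matched destinations by internal host.

    A denied connection is still a hit: the host attempted to reach the
    indicator, which is the signal of compromise, not whether it succeeded.
    """
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h["dst"])
    return dict(by_host)


if __name__ == "__main__":
    matched = scan_logs(SAMPLE_LOGS)
    for h in matched:
        print(f"{h['ts']} {h['host']} -> {h['dst']} [{h['label']}] action={h['action']}")
    print("hosts to triage:", hosts_to_triage(matched))
```

Matching on destination alone is deliberately coarse: the point of the alert's indicators is to surface hosts that need triage, and a blocked attempt is as informative as an allowed one, since the malware on that host has already run.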
According to the feds, both Volgmer and FALLCHILL are part of North Korea’s “Hidden Cobra” program, which was created to deploy cyber attacks against enemy states. The US government had already issued a warning about Hidden Cobra earlier this year, claiming that it’s been infiltrating media, financial, aerospace and critical infrastructure sectors in the US and around the globe since 2009.
If the name doesn’t exactly sound familiar, it’s because they’re apparently more widely known as the Guardians of Peace — the group that claimed responsibility for the massive Sony Pictures hack in 2014 — and the Lazarus Group. North Korea, however, continues to deny all the hacking allegations thrown at it, including the attack on Sony Pictures and the theft of F-15 fighter jet wings’ blueprints from South Korea’s computers.