DHS identifies North Korean hacking infrastructure used by Lazarus Group

Anticipating that North Korea will continue to use the Lazarus Group to advance the dictatorship’s military and strategic objectives, U.S. authorities issued a report Tuesday identifying new details on the tools and infrastructure used by North Korea’s digital army.

The technical alert, produced by the Department of Homeland Security’s Computer Emergency and Response Team and the Federal Bureau of Investigation, identified with “high confidence” IP addresses and malware called DeltaCharlie that the hacking group allegedly uses to manage its botnet infrastructure.

The report includes numerous indicators of compromise meant to aid defenders targeted by the group.

Lazarus, which the new report refers to as HIDDEN COBRA, has been implicated in a series of multibillion-dollar bank thefts across 18 countries as well as attacks against “media, aerospace, financial, and critical infrastructure sectors in the United States and globally.”

“Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware,” according to the report, whose authors urge further research into the hacking group’s full capabilities.

Perhaps the most famous attack attributed to Lazarus Group is the 2014 Sony Pictures breach that’s been described by experts as technically unsophisticated but extremely impactful. Self-identifying as  the “Guardians of Peace,” the hackers successfully got Sony to pull a movie from theaters, dumped salacious internal communications and wiped Sony machines, crippling operations in the process.

The identified IP addresses are from a range of countries around the world including Singapore, India, Russia and Kuwait.

Lazarus most commonly targets out-of-date Microsoft Windows machines and Adobe Flash vulnerabilities to gain initial entry.

The foremost recommendation is to patch software so known vulnerabilities can’t be easily exploited by potent weapons.