Skip to main content

U.S. claims North Korea has been silently infiltrating networks since 2009

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) claim North Korea is silently infiltrating the media, aerospace, financial, and critical infrastructure sectors both in and out of the United States using two known families of malware. They believe the attack has been underway since at least 2009 and conducted by a state-sponsored hacker group dubbed as Hidden Cobra. 

In a joint Technical Alert issued on Wednesday, the DHL and FBI claim that Hidden Cobra is using two pieces of malware in its campaign: a remote access tool called Joanap and a Server Message Block (SMB) worm named Brambul. The goal is to infiltrate networks, maintain a presence undetected, and send all collected information back to the hacker group. 

Recommended Videos

“FBI has high confidence that Hidden Cobra actors are using the IP addresses — listed in this report’s IOC files — to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity,” the report states. 

Please enable Javascript to view this content

Joanap is typically the payload of another malware obtained through a compromised website or a malicious email attachment. It can establish a peer-to-peer network to create a botnet and accept commands from the hacker group. 

Outside the botnet aspect, Joanap is capable of file management on a compromised Windows device, process management, the creation and deletion of directories, and node management. The Technical Alert says once Joanap infects a PC, it creates a file to capture and store information such as the host IP address, the hostname, and the current system time. 

According to the report, an analysis of the infrastructure used by Joanup identified 87 compromised network nodes in 17 countries including Brazil, China, Egypt, Iran, Saudi Arabia, Sweden, and Taiwan.  

Meanwhile, Brambul is a worm serving as a “dropper” malware payload obtained by compromised sites and infected files. Once executed, it will scan the local network for additional PCs and attempt to gain unauthorized access through the file-sharing feature built into Windows. This is done through brute-force password attacks using a list of embedded passwords. 

If successful, Brambul will contact Hidden Cobra and relay the IP address, hostname, username, and password of each infiltrated PC. The hacker group can then remotely access the compromised PCs via the Windows file-sharing protocol (SMB) to harvest information, infect other PCs on the network, and more. 

While both malware can be troublesome for the mainstream web surfer, they could devastate corporations by obtaining proprietary and/or sensitive information, disrupting regular operations, and harm their reputation. The financial losses due to eradicating the malware can be costly as well. 

“DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware,” the report states. 

A downloadable copy of the indicators of compromise are available in CSV and STIX formats.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Turns out, it’s not that hard to do what OpenAI does for less
OpenAI's new typeface OpenAI Sans

Even as OpenAI continues clinging to its assertion that the only path to AGI lies through massive financial and energy expenditures, independent researchers are leveraging open-source technologies to match the performance of its most powerful models -- and do so at a fraction of the price.

Last Friday, a unified team from Stanford University and the University of Washington announced that they had trained a math and coding-focused large language model that performs as well as OpenAI's o1 and DeepSeek's R1 reasoning models. It cost just $50 in cloud compute credits to build. The team reportedly used an off-the-shelf base model, then distilled Google's Gemini 2.0 Flash Thinking Experimental model into it. The process of distilling AIs involves pulling the relevant information to complete a specific task from a larger AI model and transferring it to a smaller one.

Read more
New MediaTek Chromebook benchmark surfaces with impressive speed
Asus Chromebook CX14

Many SoCs are being prepared for upcoming 2025 devices, and a recent benchmark suggests that a MediaTek chipset could make Chromebooks as fast as they have ever been this year.

Referencing the GeekBench benchmark, ChromeUnboxed discovered the latest scores of the MediaTek MT8196 chip, which has been reported on for some time now. With the chip being housed on the motherboard codenamed ‘Navi,’ the benchmark shows the chip excelling in single-core and multi-core benchmarks, as well as in GPU, NPU, and some other tests run.

Read more
Chrome incognito just got even more private with this change
The Chrome browser on the Nothing Phone 2a.

Google Chrome's Incognito mode and InPrivate just became even more private, as they no longer save copied text and media to the clipboard, according to Windows Latest. The changes apply to Windows 11 and 10 users and were rolled out in 2024. However, neither Microsoft nor Google documented it.

Even though this change is not a recent feature, it's odd that neither tech giant thought it was worth mentioning. Previously, the default setting was that when a user saved text or images to the clipboard history, it was synced with Cloud Clipboard on Windows. Moreover, accessing this synced content was as simple as pressing the Windows and V keys, which poses a security risk, especially when using incognito mode.

Read more