
U.S. claims North Korea has been silently infiltrating networks since 2009

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) claim North Korea is silently infiltrating the media, aerospace, financial, and critical infrastructure sectors both inside and outside the United States using two known families of malware. They believe the campaign has been underway since at least 2009 and is conducted by a state-sponsored hacker group dubbed Hidden Cobra.

In a joint Technical Alert issued on Wednesday, the DHS and FBI claim that Hidden Cobra is using two pieces of malware in its campaign: a remote access tool called Joanap and a Server Message Block (SMB) worm named Brambul. The goal is to infiltrate networks, maintain a presence undetected, and send all collected information back to the hacker group.


“FBI has high confidence that Hidden Cobra actors are using the IP addresses — listed in this report’s IOC files — to maintain a presence on victims’ networks and enable network exploitation. DHS and FBI are distributing these IP addresses and other IOCs to enable network defense and reduce exposure to any North Korean government malicious cyber activity,” the report states. 

Joanap is typically the payload of another malware obtained through a compromised website or a malicious email attachment. It can establish a peer-to-peer network to create a botnet and accept commands from the hacker group. 

Outside the botnet aspect, Joanap is capable of file management on a compromised Windows device, process management, the creation and deletion of directories, and node management. The Technical Alert says once Joanap infects a PC, it creates a file to capture and store information such as the host IP address, the hostname, and the current system time. 

According to the report, an analysis of the infrastructure used by Joanap identified 87 compromised network nodes in 17 countries, including Brazil, China, Egypt, Iran, Saudi Arabia, Sweden, and Taiwan.

Meanwhile, Brambul is a worm that serves as a “dropper” payload, delivered through compromised sites and infected files. Once executed, it scans the local network for additional PCs and attempts to gain unauthorized access through the file-sharing feature built into Windows. It does this by brute-forcing passwords from a list embedded in the malware.

If successful, Brambul will contact Hidden Cobra and relay the IP address, hostname, username, and password of each infiltrated PC. The hacker group can then remotely access the compromised PCs via the Windows file-sharing protocol (SMB) to harvest information, infect other PCs on the network, and more. 
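From the defender's side, the behaviour described above has a recognisable footprint: each failed guess against the Windows file-sharing service lands in the target's Security log as event 4625 with Logon Type 3 (network logon), and a successful guess from the same source shows up as event 4624. The following detector is an added example, not tooling from the DHS/FBI alert; it groups network-logon failures per source address inside a sliding window, flags a burst above a threshold, and marks the case where a success follows the burst. The event records are constructed sample data, and the field layout, window and threshold are assumptions to adapt to a real log pipeline.

```python
"""Detect SMB-style password guessing in Windows Security log records.

Each failed network logon attempt surfaces as Security event 4625 with
Logon Type 3, and a hit surfaces as event 4624 from the same source.
This detector groups failures per source address inside a sliding time
window and flags (a) bursts above a threshold and (b) a network logon
success that follows such a burst.

The records below are constructed sample data, not records from the
DHS/FBI report. Field layout: (timestamp, event_id, logon_type, source_ip, user).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    ("2018-05-30T10:00:01", 4625, 3, "10.0.5.23", "administrator"),
    ("2018-05-30T10:00:02", 4625, 3, "10.0.5.23", "administrator"),
    ("2018-05-30T10:00:02", 4625, 3, "10.0.5.23", "admin"),
    ("2018-05-30T10:00:03", 4625, 3, "10.0.5.23", "guest"),
    ("2018-05-30T10:00:04", 4625, 3, "10.0.5.23", "backup"),
    ("2018-05-30T10:00:05", 4625, 3, "10.0.5.23", "administrator"),
    ("2018-05-30T10:00:06", 4624, 3, "10.0.5.23", "administrator"),
    ("2018-05-30T10:00:07", 4625, 2, "10.0.5.40", "jdoe"),  # interactive typo, ignored
    ("2018-05-30T10:15:00", 4625, 3, "10.0.5.41", "jdoe"),  # isolated failure, below threshold
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_password_guessing(events, window_seconds=60, threshold=5):
    """Return one alert dict per source IP that trips the rule.

    events: iterable of (timestamp_str, event_id, logon_type, source_ip, user),
            assumed to be sorted by timestamp.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source_ip -> deque of (ts, user) failures
    alerted = {}                 # source_ip -> alert dict

    for ts_str, event_id, logon_type, src, user in events:
        if logon_type != 3:      # only network logons matter for SMB guessing
            continue
        ts = parse_ts(ts_str)
        q = recent[src]
        # Drop failures that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if event_id == 4625:
            q.append((ts, user))
            if len(q) >= threshold:
                alert = alerted.setdefault(src, {
                    "source_ip": src,
                    "first_seen": q[0][0].isoformat(),
                    "success_after_burst": False,
                })
                alert["failures"] = len(q)
                alert["distinct_users"] = len({u for _, u in q})
        elif event_id == 4624 and src in alerted:
            # A success from a source already flagged: the guess list worked.
            alerted[src]["success_after_burst"] = True
            alerted[src]["compromised_user"] = user
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately ignores interactive logons (Logon Type 2), so a user mistyping a password at the console does not count, and it keys the alert on the source address rather than the target account, because a worm with a fixed password list walks many accounts from one host. A success following the burst is the case worth escalating first, since the relayed credentials then give the operators SMB access to that machine.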

While both malware families can be troublesome for the mainstream web surfer, they could devastate corporations by exfiltrating proprietary or sensitive information, disrupting regular operations, and harming their reputation. The cost of eradicating the malware can be substantial as well.

“DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware,” the report states. 

A downloadable copy of the indicators of compromise is available in CSV and STIX formats.
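The recommendation quoted above amounts to two checks: whether any listed address sits inside the organization's own allocation (which would mean a host it owns is part of the infrastructure), and whether any of the organization's hosts have talked to a listed address. The script below is an added example rather than the alert's own tooling. The CSV column names, the allocated prefixes, the firewall log format and the indicator values are all constructed; RFC 5737 documentation prefixes stand in for the real indicators, and the header row should be adjusted to match the downloaded file.

```python
"""Match a CSV of IP indicators against an organization's allocated address
space and against connection logs.

Added example, not the DHS/FBI alert's tooling. The CSV layout, address
ranges, log format and indicator values below are all constructed.
"""
import csv
import io
import ipaddress
import re

# Constructed stand-in for the alert's IOC CSV; the column names are an
# assumption and should be adjusted to the downloaded file.
IOC_CSV = """indicator,type,malware
192.0.2.44,ipv4-addr,Joanap
198.51.100.7,ipv4-addr,Brambul
203.0.113.0/28,ipv4-net,Joanap
not-an-ip,ipv4-addr,Joanap
"""

# Constructed: the prefixes this organization is allocated.
ORG_ALLOCATIONS = ["192.0.2.0/24", "10.0.0.0/8"]

# Constructed firewall log lines in the form: <timestamp> <action> <src> -> <dst>:<port>
FIREWALL_LOG = """2018-05-30T10:01:11 ALLOW 10.0.5.23 -> 198.51.100.7:445
2018-05-30T10:01:12 ALLOW 10.0.5.23 -> 10.0.9.2:445
2018-05-30T10:02:40 DENY 203.0.113.9 -> 10.0.5.23:445
2018-05-30T10:03:00 ALLOW 10.0.7.1 -> 93.184.216.34:443
"""


def load_ioc_networks(csv_text):
    """Parse indicator rows into ip_network objects; skip rows that are not IPs."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            nets.append(ipaddress.ip_network(row["indicator"].strip(), strict=False))
        except ValueError:
            continue  # malformed or non-IP indicator (a hash or domain, say)
    return nets


def iocs_in_allocation(ioc_nets, allocations):
    """Return IOC networks that overlap any prefix the organization owns."""
    owned = [ipaddress.ip_network(a) for a in allocations]
    return [str(n) for n in ioc_nets if any(n.overlaps(o) for o in owned)]


LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) -> (\S+):(\d+)$")


def log_hits(ioc_nets, log_text):
    """Return (timestamp, action, address, role) for every log line whose
    source or destination falls inside an indicator network."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, action, src, dst, _port = m.groups()
        for role, addr in (("src", src), ("dst", dst)):
            ip = ipaddress.ip_address(addr)
            if any(ip in n for n in ioc_nets):
                hits.append((ts, action, addr, role))
    return hits


if __name__ == "__main__":
    nets = load_ioc_networks(IOC_CSV)
    print("IOCs inside our allocation:", iocs_in_allocation(nets, ORG_ALLOCATIONS))
    for hit in log_hits(nets, FIREWALL_LOG):
        print("IOC contact:", hit)
```

Indicators are held as networks rather than bare addresses so that a single list handles both host entries and CIDR entries, and denied connections are reported alongside allowed ones: a blocked inbound attempt from a listed address on port 445 is still a sign that the host is being probed.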

Kevin Parrish