Hidden Cobra Perfecting DDoS as Distraction for More Damaging Malware Attacks

Even Momentary DDoS Attacks Can Open the Door for Significant Damage

hidden cobra

While there are certainly exceptions, more often than not, sophisticated hacking groups like Hidden Cobra use DDoS (Distributed Denial of Service) attacks to hide more nefarious activity taking place under the radar while the IT staff is busy fighting the overt DDoS incident.

Government Warning

The US government recently released a rare warning regarding North Korea’s cybercriminal activities, accusing them of an eight-year-long hacking binge. The announcement stated that the group has targeted media, aerospace, financial, and critical infrastructure industries, and advised that the attacks would likely continue.

The joint alert from the FBI and the DHS states that a North Korean army of hackers called “Hidden Cobra” has launched attacks against the United States and abroad over the course of the last eight years. According to the warning, this is the same organization that the media has referred to as the Guardians of Peace, and the Lazarus Group, which is allegedly tied to a number of high-profile campaigns, including WannaCry ransomware.

The warning gave extensive technical details about the tools used, which included DDoS botnets, keyloggers, remote access kits, and various other types of advanced malware such as Destover, which attackers used a few years ago during the attack on Sony Pictures. Hidden Cobra’s arsenal of weapons also includes DeltaCharlie, a tool that’s capable of multiple types of DDoS assaults.

According to the alert, Hidden Cobra used DDoS attacks extensively, and will likely increase the number and intensity of this approach. It’s interesting to note that aside from several high-volume DDoS attacks over the past year, most DDoS incidents are relatively minor, with the majority of them lasting ten minutes or less and producing traffic below 10 Gbps per second. That’s enough to knock a firewall or IPS system offline for a few minutes, but not large enough to attract a lot of attention, which might result in a more thorough security investigation.

Stealth Tactics

That small window, when a minor DDoS has brought the security control systems down and the IT staff is busy restoring their infrastructure, provides skilled hackers with just enough time to get into a network and install malware. The Hidden Cobra group of attackers appear to be perfecting the placement of malicious code during this momentary security breakdown. Once installed, the malware is later used to exfiltrate data or perform other nefarious activities.

Security teams need to remain diligent during any sort of attack, even those that appear small and quickly contained. It doesn’t take long for skilled hackers to get inside your network and plant some really nasty malware.

Brian Laing

Brian Laing

For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of self-funded Blade Software, who released the industry’s first commercial IPS/FW testing tool.
Brian Laing