Hidden Cobra Perfecting DDoS as Distraction for More Damaging Malware Attacks
Even Momentary DDoS Attacks Can Open the Door for Significant Damage
While there are certainly exceptions, more often than not, sophisticated hacking groups like Hidden Cobra use DDoS (Distributed Denial of Service) attacks to hide more nefarious activity taking place under the radar while the IT staff is busy fighting the overt DDoS incident.
The US government recently released a rare warning regarding North Korea’s cybercriminal activities, accusing them of an eight-year long hacking binge. The announcement stated that the group has targeted media, aerospace, financial, and critical infrastructure industries, and advised that the attacks would likely continue.
The joint alert from the FBI and the DHS states that a North Korean army of hackers called “Hidden Cobra” has launched attacks against the United States and abroad over the course of the last eight years. According to the warning, this is the same organization that the media has referred to as the Guardians of Peace, and the Lazarus Group, which is allegedly tied to a number of high-profile campaigns, including WannaCry ransomware.
The warning gave extensive technical details about the tools used, which included DDoS botnets, keyloggers, remote access kits, and various other types of advanced malware such as Destover, which attackers used a few years ago during the attack on Sony Pictures. Hidden Cobra’s arsenal of weapons also includes DeltaCharlie, a tool that’s capable of multiple types of DDoS assaults.
According to the alert, Hidden Cobra used DDoS attacks extensively, and will likely increase the number and intensity of this approach. It’s interesting to note that aside from several high-volume DDoS attacks over the past year, most DDoS incidents are relatively minor, with the majority of them lasting ten minutes or less and producing traffic below 10 Gbps per second. That’s enough to knock a firewall or IPS system offline for a few minutes, but not large enough to attract a lot of attention, which might result in a more thorough security investigation.
That small window, when a minor DDoS has brought the security control systems down and the IT staff is busy restoring their infrastructure, provides skilled hackers with just enough time to get into a network and install malware. The Hidden Cobra group of attackers appear to be perfecting the placement of malicious code during this momentary security breakdown. Once installed, the malware is later used to exfiltrate data or perform other nefarious activities.
Security teams need to remain diligent during any sort of attack, even those that appear small and quickly contained. It doesn’t take long for skilled hackers to get inside your network and plant some really nasty malware.
Latest posts by Brian Laing (see all)
- Protection from Malicious Links - September 22, 2017
- Drive-By Downloads and How to Prevent Them - September 21, 2017
- Combining Lastline and Carbon Black for End-to-End Malware Analysis - September 14, 2017