Upon hearing that North Korea and the United States are battling it out on the internet, many people likely nod knowingly. They’ve seen the Tweets from President Trump.
What’s going on online between the nations actually goes much deeper than Twitter missives, however, and attacks that have allegedly come from state-sponsored North Korean hackers have become so pervasive that the Department of Homeland Security and FBI recently issued a rare bulletin pointing a finger at the country for DDoS attacks that have been occurring since 2009.
This is our brave new world, and our brave new world has high-profile US websites ducking for cover.
A history of attacks
The hacking activity out of North Korea has been collectively dubbed Hidden Cobra by the US government. Cybersecurity firms are also obviously concerned with the DDoS activity perpetrated by these hackers, but cybersecurity firms have taken to calling them the Lazarus Group. A Hidden Cobra by any other name will still cause widespread chaos on the internet.
DDoS attacks, or distributed denial of service attacks, are ones in which the attackers seek to take a target website or service offline by directing at it the massive amount of malicious traffic that can be generated by a botnet, a network of computers and other devices that have been compromised to allow remote access. According to the US government, which declined to name the specific sites or services affected, Hidden Cobra has been using these attacks for over seven years to hit targets in the financial, media and critical infrastructure sectors in the United States and around the world.
The bulletin issued by Homeland Security and the FBI provides details on the botnet, or DDoS tool, being used by Hidden Cobra. The botnet, dubbed DeltaCharlie, consists of devices that have been compromised through old and unpatched versions of Windows.
There are two main issues with Hidden Cobra’s DDoS activities. The first is that DeltaCharlie is not yet fully understood, which means government authorities in the United States do not know how big it is or how large a distributed denial of service attack it is capable of mounting. Successful large-scale attacks on the financial, media and critical infrastructure sectors could be crippling.
Secondly, DDoS attacks are known smokescreens for much more pervasive intrusions. Concerns have already been raised that Hidden Cobra could launch short, low-volume attacks and use the window in which security systems are down and security professionals are scrambling to deal with the DDoS traffic to carry out a much more serious intrusion.
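One way a defender might act on both points above, the distributed traffic pattern and the smokescreen risk, as an added Python example that is not from the article or from any government bulletin: it flags time windows where request volume and source diversity both spike (many requests from many distinct addresses, as opposed to one noisy client), then lists audit events that land in or just after that window so they are not lost while responders are busy. All log lines, IP ranges, thresholds and event names are constructed assumptions.

```python
"""
Added example (not from the article): flag a distributed request flood in
web-server access logs and surface security-relevant audit events that
occur during the flood window, so a DDoS does not hide a quieter intrusion.
All log lines are constructed sample data; the formats are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)


def _build_sample_access_log():
    """Constructed access log: '<ISO timestamp> <client_ip> <method> <path> <status>'."""
    base = datetime(2017, 6, 14, 12, 0, 0)
    lines = []
    # Normal background traffic: two clients, one request every 5 seconds.
    for i in range(12):
        ip = "203.0.113.%d" % (10 + i % 2)      # TEST-NET-3 documentation range
        ts = base + timedelta(seconds=5 * i)
        lines.append("%s %s GET /index.html 200" % (ts.isoformat(), ip))
    # Flood: 30 distinct sources hitting one path within about 9 seconds.
    flood_start = base + timedelta(seconds=30)
    for i in range(60):
        ip = "198.51.100.%d" % (1 + i % 30)     # TEST-NET-2 documentation range
        ts = flood_start + timedelta(milliseconds=150 * i)
        lines.append("%s %s GET /login 503" % (ts.isoformat(), ip))
    return lines


ACCESS_LOG = _build_sample_access_log()

# Constructed audit log: '<ISO timestamp> <event> <detail...>'
AUDIT_LOG = [
    "2017-06-14T11:59:10 admin_login user=alice src=203.0.113.10",
    "2017-06-14T12:00:34 admin_login user=svc_backup src=192.0.2.77",
    "2017-06-14T12:00:36 password_change user=svc_backup",
    "2017-06-14T12:05:00 admin_login user=alice src=203.0.113.10",
]


def bucket(ts, base):
    """Map a timestamp to the start of its fixed-size window."""
    offset = (ts - base) // WINDOW
    return base + offset * WINDOW


def detect_flood_windows(access_lines, min_requests=30, min_sources=10):
    """Return sorted window starts where request volume AND source diversity
    both exceed the thresholds. Many requests from few IPs looks like a
    scraper; many requests from many IPs is the distributed pattern a
    botnet produces. Thresholds here are illustrative, not tuned."""
    parsed = []
    for line in access_lines:
        ts_str, ip, _method, _path, _status = line.split()
        parsed.append((datetime.fromisoformat(ts_str), ip))
    if not parsed:
        return []
    base = min(ts for ts, _ in parsed)
    per_window = defaultdict(lambda: [0, set()])   # window -> [count, ips]
    for ts, ip in parsed:
        entry = per_window[bucket(ts, base)]
        entry[0] += 1
        entry[1].add(ip)
    return sorted(w for w, (count, ips) in per_window.items()
                  if count >= min_requests and len(ips) >= min_sources)


def events_during(flood_windows, audit_lines, slack=timedelta(seconds=30)):
    """Audit events that fall inside a flood window or shortly after it.
    These deserve a second look precisely because responders are busy
    with the flood at that moment."""
    hits = []
    for line in audit_lines:
        ts_str, event, *rest = line.split()
        ts = datetime.fromisoformat(ts_str)
        for w in flood_windows:
            if w <= ts < w + WINDOW + slack:
                hits.append((ts.isoformat(), event, " ".join(rest)))
    return hits


if __name__ == "__main__":
    floods = detect_flood_windows(ACCESS_LOG)
    for w in floods:
        print("distributed flood window starting", w.isoformat())
    for ts, event, detail in events_during(floods, AUDIT_LOG):
        print("review during flood:", ts, event, detail)
```

Requiring both a volume threshold and a distinct-source threshold is the part worth keeping: a single misbehaving client trips volume alone, while a botnet-driven flood trips both. The slack after the window reflects that follow-on activity tends to arrive while the response is still under way.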
North Korea is hardly the only suspected state sponsor of DDoS attacks. Russia has been linked to DDoS attacks on Estonia, Georgia, Kyrgyzstan, Kazakhstan and Ukraine, and some have pointed the finger at Russia for attacks on candidates’ websites during the US election.
China has also long been a reported perpetrator of DDoS attacks, with the government linked to attacks on pro-democracy websites in Hong Kong and on the major software development platform GitHub. These are just two alleged incidents among many.
As President Trump himself has tweeted, “North Korea is behaving very badly,” and it isn’t just DDoS attacks that Hidden Cobra has been up to. High-profile non-DDoS attacks to which Hidden Cobra has been linked include a year-long hack on Sony Pictures and the recent WannaCry ransomware attack that affected over 300,000 computers worldwide. This is in addition to a spate of hackings and other cyberattacks on South Korea.
However, it is the DDoS attacks with which US authorities are most concerned, and with so many global and government-level websites and services apparently lacking the professional DDoS mitigation that would protect them against these attacks, that concern is well founded.