The Department of Homeland Security and FBI called out North Korea on Tuesday, casting light on the nation’s offensive cyber operations as officials from both governments scramble to salvage a meeting planned between President Trump and his North Korean counterpart, Kim Jong-un.
In a joint technical alert, DHS and FBI listed dozens of internet protocol (IP) addresses compromised by Hidden Cobra, the U.S. government’s name for a North Korean state-sponsored hacking group, identified during the course of analyzing two types of malware previously linked to Pyongyang.
“FBI has high confidence that HIDDEN COBRA actors are using the IP addresses … to maintain a presence on victims’ networks and enable network exploitation,” the alert said. “DHS and FBI are distributing these IP addresses and other [indicators of compromise] to enable network defense and reduce exposure to any North Korean government malicious cyber activity.”
“DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space and — if found — take necessary measures to remove the malware,” the alert said.
The agencies identified a total of 87 addresses compromised by the hackers, including servers and systems geolocated in 15 countries across four continents, according to the alert.
The infected IP addresses were detected during the course of analyzing two malware types used by the North Korean government, Joanap and Brambul, the agencies said.
While security researchers have previously drawn ties between the malware families and North Korea, the technical alert appears to be the first time the U.S. government made that connection publicly.
“Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads and initialize proxy communications on a compromised Windows device,” the agencies said.
Brambul, meanwhile, is a Windows worm designed to steal user credentials from infected systems to be used in subsequent attacks, according to their alert.
Also known as Lazarus Group, Hidden Cobra has used both malware strains since 2009 to target victims in the U.S. and abroad, including media, aerospace, financial, and critical infrastructure sectors, the agencies said.
The joint alert was issued less than a week after Mr. Trump canceled a meeting previously scheduled to take place in Singapore next month with the North Korean leader. Both administrations have since dispatched top officials to New York City to discuss potentially salvaging the summit.
“We have put a great team together for our talks with North Korea. Meetings are currently taking place concerning Summit, and more,” Mr. Trump tweeted Tuesday.
• Andrew Blake can be reached at ablake@washingtontimes.com.