US Government Identifies North Korean Hacking Tool

Tom Jowitt,
north korea

New malware from North Korea used to raise much needed funds has been identified by FBI and DHS

Authorities in the United States have this week identified malware allegedly from North Korea, which is said to be part of that country’s hacking program to raise funds from targets aboard.

The malware, dubbed ‘ElectricFish’, was identified by both the FBI and Department for Homeland Security (DHS).

The US Cyber Emergency Response Team (US-Cert) published a report warning both the security industry and the general public about the new malware on Thursday.

Malware identified

“Working with US Government partners, DHS and FBI identified a malware variant used by the North Korean government,” warned the report. “This malware has been identified as ElectricFish.”

The US Government said the malware is part of the “malicious cyber activity by the North Korean government,” a campaign it calls Hidden Cobra.

“DHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity,” the report added.

So how does the malware work?

Well it is said to be capable of stealing information from a victim’s computer network by bypassing security settings thanks to a malicious 32-bit Windows executable file.

“The malware implements a custom protocol that allows traffic to be funnelled between a source and a destination Internet Protocol (IP) address,” said the report. “The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funnelling session.”

“The malware can be configured with a proxy server/port and proxy username and password,” it added. “This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.”

Funding exercise

And at least one security expert has acknowledged that the malware is part of North Korean efforts to gain much needed funds from overseas.

“The government released information on the malware so that the North Koreans won’t be able to continue using and monetising it,” said Sam Curry, chief security officer at Cybereason. “Its like cutting the head off a snake. Expect more announcements from the DHS and FBI in the future.”

“As a country, North Korea is a very poor nation and their nation state hacking capabilities help to fund budgets,” said Curry. “This is a new type of cyber sanction on North Korea. The feds are actively reducing the shelf life of these incremental improvements.”

“It’s not just a cold war but is economic in nature: the idea is to see how deep North Korea’s coffers are and to waste their investment,” Curry concluded. “That’s not a good fight to get into with the world’s largest government by GDP.”

Do you know all about security? Try our quiz!