May 19, 2020 | Policy Brief

U.S. Government Releases Reports on North Korean Hacking Tools

May 19, 2020 | Policy Brief

U.S. Government Releases Reports on North Korean Hacking Tools

The Cybersecurity and Infrastructure Security Agency, FBI, and Department of Defense jointly released three Malware Analysis Reports (MARs) on May 12 detailing North Korea’s hacking tools. These reports disclose information that both government agencies and private sector firms can employ to strengthen their cyber defenses.

The first MAR details the technical characteristics of a remote-access tool known as Copperhedge. The report discusses six variants of the Copperhedge malware, which are reportedly “capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data.” These variants likely helped Hidden Cobra, a North Korean state-sponsored hacking group, target several cryptocurrency exchanges, banks, and ATMs over the past three years.

The second and third MARs detail two different Trojan malware variants that connect victim computers to compromised servers. Once the infected computer has connected with the server, Hidden Cobra hackers can remotely upload, download, delete, and execute files from the web.

The interagency collaboration that produced these MARs demonstrates the utility of cooperative efforts to attribute malicious activities to North Korea, thereby facilitating efforts to hold Pyongyang accountable. Additionally, the MARs bolster U.S. cyber defense by providing guidance to the primary industries, companies, and government agencies targeted by North Korean hackers. The alerts provide potential victims with detailed descriptions of how North Korean malware could compromise their networks, and provide the necessary direction to effectively patch their systems.

Following the MAR release, EST Security, a South Korean cyber security company, reported that North Korean hackers continued their criminal operations against South Korean cryptocurrency users amid the COVID-19 pandemic.

Pyongyang’s persistent efforts in cyberspace should be a reminder that the United States, South Korea, and other affected countries must do more than strengthen defensive measures; they should also consider offensive measures to deter this malign activity. Synchronized actions among like-minded countries may be particularly effective against North Korea.

One way to hold Pyonyang accountable is by enforcing sanctions against its hacking units and their financial enablers outside North Korea. For example, an indictment and sanctions designation of two Chinese nationals earlier this year revealed how North Korean hackers rely on foreign nationals to launder stolen cryptocurrencies. Specifically, the two Chinese nationals transferred these funds through 10 different Chinese banks.

Additionally, the United States could consider investigating foreign companies providing direct support for North Korean cyber activity. For example, TransTelecom, a Russian telecommunications company, provided North Korea with a new outbound internet connection that helped the North Korean elite increase internet activity by 300 percent since 2017. The North Korean Sanctions and Policy Enhancement Act requires the United States to sanction companies and individuals who “provide material support to conduct significant activities undermining cyber security.”

Along with sanctions, the United States and its allies should also consider cyber-enabled information operations targeting North Korea’s elite. Recorded Future, a U.S.-based cyber security company, found that North Korean political and military elites increasing have access to and are reliant on the internet. The United States could utilize this opening of the internet in North Korea to distribute information and media that have the potential to create social fissures within North Korea’s elite and undermine the legitimacy of the Kim regime.

While the threat of North Korean cyber operations is large and growing, the United States and its allies have ample opportunities to disrupt and deter the activity of these hackers and their enablers both inside and outside of North Korea.

Mathew Ha and Trevor Logan are research analysts at the Foundation for Defense of Democracies (FDD), where they both contribute to FDD’s Center on Cyber and Technology Innovation (CCTI) and Center on Economic and Financial Power (CEFP). For more analysis from Mathew, Trevor, CCTI, and CEFP, please subscribe HERE. Follow Mathew and Trevor on Twitter @Matjunsuk and @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI and @FDD_CEFP. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.


Blockchain and Digital Currencies China COVID-19 Cyber Cyber-Enabled Economic Warfare North Korea Russia Sanctions and Illicit Finance