"FALLCHILL": DHS, FBI Release Details On North Korean Hacking Tools

Tyler Durden

As tensions between the U.S. and North Korea mount, the DHS and FBI have just issued a pair of technical alerts about cyber attacks which they say are sponsored by the North Korean government and that have been targeting the aerospace, telecommunications and financial industries since 2016. According to the alert, North Korean hackers have used a type of malware referred to as “FALLCHILL” to gain entry to computer systems and compromise network systems.

Today, DHS and FBI released a pair of Joint Technical Alerts (TA17-318A and TA17-318B) that provide details on tools and infrastructure used by North Korea to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally.


The North Korean government malicious cyber activity noted in these alerts is part of a long-term campaign of cyber-enabled operations that impact the U.S. Government and its citizens. Working closely with our interagency, industry and international partners, DHS is constantly working to arm network defenders with the tools they need to identify, detect and disrupt state and non-state actors targeting the networks and systems of our country and our allies.

Per the pair of technical alerts, the FALLCHILL malware provides hackers with wide latitude to monitor and disrupt infected networks. The malware typically gains access to systems as a file dropped by other North Korean malware, or when users unknowingly download it by visiting sites compromised by the hackers.

FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to any North Korean government malicious cyber activity.


This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with FALLCHILL malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the FALLCHILL malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.


According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.


During analysis of the infrastructure used by FALLCHILL malware, the U.S. Government identified 83 network nodes. Additionally, using publicly available registration information, the U.S. Government identified the countries in which the infected IP addresses are registered.
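The alert above asks defenders to check their own networks against the IP-address IOCs it distributes and to flag any host that has talked to them. The following script is an added example, not code from the alert or from DHS/FBI: it parses constructed proxy/firewall log lines, matches destination addresses against an indicator list (both single IPs and CIDR ranges), and tallies hits per internal host so an analyst can see which machines need triage. The indicator values below are placeholders from the RFC 5737 documentation ranges, not the real addresses from TA17-318A; load those from the alert's IOC file in practice.

```python
"""Match destination IPs in log lines against an IP-indicator list.

Added example for the FALLCHILL alert; the IOC values and log lines are
constructed placeholders, not the alert's actual indicators.
"""
import ipaddress
import re
from collections import Counter

# Constructed placeholder indicators (RFC 5737 documentation ranges).
# Replace with the IP addresses from the alert's IOC file.
IOC_IPS = {"192.0.2.10", "198.51.100.77"}
IOC_NETS = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed sample log in a simplified "timestamp src dst dport" layout.
SAMPLE_LOG = """\
2017-11-14T10:01:02Z 10.0.0.5 192.0.2.10 443
2017-11-14T10:01:05Z 10.0.0.7 8.8.8.8 53
2017-11-14T10:02:11Z 10.0.0.5 203.0.113.9 8080
2017-11-14T10:03:40Z 10.0.0.9 198.51.100.77 443
garbage line that does not parse
2017-11-14T10:04:01Z 10.0.0.5 192.0.2.10 443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    except ValueError:
        # Non-IP tokens in the address fields: skip rather than crash the scan.
        return None


def is_ioc(addr):
    """True if addr is a listed indicator IP or falls inside a listed range."""
    return str(addr) in IOC_IPS or any(addr in net for net in IOC_NETS)


def scan(log_text):
    """Return (hits, per_host): matching records and a hit count per source."""
    hits = []
    per_host = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port = rec
        if is_ioc(dst):
            hits.append((ts, str(src), str(dst), port))
            per_host[str(src)] += 1
    return hits, per_host


if __name__ == "__main__":
    found, by_host = scan(SAMPLE_LOG)
    for ts, src, dst, port in found:
        print(f"{ts} {src} -> {dst}:{port}  IOC MATCH")
    print("hosts to triage:", dict(by_host))
```

Hosts that appear in the tally are candidates for the response actions the alert lists (flag, report to NCCIC or CyWatch, prioritise for mitigation); because the alert notes that other HIDDEN COBRA malware is often co-resident with FALLCHILL, a hit on a host warrants a full examination of that machine rather than only blocking the matched address.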


These latest technical alerts follow similar updates from DHS and the FBI from earlier this summer which highlighted malware they claimed North Korean hackers were utilizing to launch DDoS attacks in the U.S. Per The Hill:

The agencies identified IP addresses associated with a malware known as DeltaCharlie, which North Korea uses to launch distributed denial-of-service (DDoS) attacks.


The alert called for institutions to come forward with any information they might have about the nation’s cyber activity, which the U.S. government refers to as “Hidden Cobra.”


“If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation,” the alert reads.


The DHS and FBI also highlighted some vulnerabilities that North Korea has been known to exploit and recommended organizations upgrade to the latest versions of Adobe Flash Player, Microsoft Silverlight and Hangul Word Processor, or delete them altogether if the programs aren’t needed.

Of course, North Korea has routinely denied involvement in cyber attacks against other countries.

auricle

Are these the tools the NSA builds to emulate NK tools? Very confusing. Was the FBI trained by the NSA to discern the difference?

BennyBoy

NSA hacking tools can attribute source to any country or person.

FBI are lying idiots.

I doubt NK has the ability attributed to them by the lying NSA.

GreatUncle

But you know somebody who does ... 3 letters ... first letter N ...

But they made public all their tools so now it could be anyone.

Justin Case

Washington recklessly accuses Russia and China of hacking while providing no evidence backing its claims.

At the same time, it’s silent about most Internet servers located in America, facilitating its espionage, including hacking to obtain unauthorized data. Washington rules mandate doing what “we” say, not what “we” do.

Russian Security Council secretary Nikolai Patrushev explained the problem, saying “(w)e have been fixing growing attempts from external forces to damage Russian information systems. Those are cases of hacking, and also unauthorized collection of data.”

“This is done with active involvement of global operators and providers, and the methods used are constantly evolving.”

“For example, the Obama administration groundlessly accuses Russia of hacking attacks, deliberately ignoring the fact that most Internet servers are located inside the US, and are used by Washington for spying and other purposes aimed at protecting that country’s dominant position in the world.”

Obama talks about combating terrorism while supporting it, making Russian/US cooperation against it impossible.

Patrushev hopes Trump will change things responsibly, Moscow and Washington cooperating in combating terrorism instead of pursuing opposite objectives for so long.

“We have…confirmation of” Obama’s administration supporting, not fighting terrorism, Patrushev explained. Changing this policy is essential for improving Russian/US relations.

If Trump governs responsibly, Moscow welcomes an ally in counterterrorism activities, information security, trade and other areas of mutual interest.

If Trump wants improved ties, “we  will be ready to resume full-format consultations with US partners of the Russian Security Council,” Patrushev explained.

“The Obama administration sought…domina(nce) (internationally, its policies amounting to) reckless schemes.”

“Unfriendly actions (violating) international law resulted in a frenzy of terrorism (causing) humanitarian disasters in certain states and regions.”

Does Trump intend changing things or continuing Obama’s reckless agenda? Will he wage endless wars or responsibly work with Russia and other nations in resolving ongoing ones?

buzzsaw99

I notice they cleverly didn't mention Microsoft Windows even once. lulz

Winston Churchill

Microsoft is the least of your problems, it's the OSs you think are safe.

The NSA has spyware in your bios and firmware so they don't care what os you use,

or if its encrypted.

coast1

lol..kinda thinking the clintons sold them all the info...you know it and so do I....come on you guys

thebriang

The days of believing anything "cyber" are long past.

They can attribute anything, plant anything, and blame anyone  for anything with a shit load of reputable MSM liars to back them up.

uhland62

... and anyone can be a paparazzi in a tunnel in Paris when the cameras are turned the wrong way round.

The ingredients are one motorbike, two guys in leather with helmets and dark glasses, one camera of noticeable size hanging around the neck. 

shovelhead

As long as they don't hack my licorice jelly bean order they can hack away.

If they fuck with my jellybeans...I'll nuke them.

Nobodys Home

Your credit card ending in 1666 has been red flagged by the NSA.
We have noticed an inordinate amount of licorice jelly bean orders.
As a possible gas productant, due to new anti terror regulations, we request you respond to our request for a meeting to discuss this weapons purchase.

serotonindumptruck

No State actor would be interested in what's on my 'puter, unless they're interested in several hundred gigabytes of Japanese scat porn and every ISIS/Al Qaeda beheading video that I can find.

Yeah, I'm a sick puppy.

GreatUncle

Lol ... I am the sociopath bunny.

Do we have a psychopath bunny in the house?

z530

Any malware variant that drops files onto the local filesystem is total amateur hour and complete garbage. With the exception of the initial landing method, the best malware out there is fileless, runs in memory and utilizes trusted tools/apps on the OS. The FBI are a bunch of fucking retards when it comes to Infosec, so seeing them talking about NK malware is humorous.

virgule

I'll second that the "technical description" in the article sounds like a lot of bollocks. I'm pretty sure a free version of AVAST would stop that!

incharge1976

How much are they hacking on their refurbished IBM PCjrs?


JoseyWalesTheOutlaw

Rocket Man hacking Chuck E Cheeze......

E.F. Mutton

"Can we bomb them now? Huh? How about now? Soon maybe???" - John "Rocket Man" McCain

Kartolas

AHAHAHAHAHAHAH They keep blaming others for exactly what they do! Bring out the guillotines.

Nobodys Home

The Russians! Umm wait..The NORKS!

You Amelicans ret toors be hacked by Jurian Assange!
Inerrigence agencies. You vely foorish! We use them now!

GreatUncle

Lol that's going to piss off the Russians ... no longer No. 1 on the list

moorewasthebestbond

Picture the Norks pecking away on their Mannlicher-Carcano computers.


Russian smiling down from the grassy knoll.

redmudhooch

Maybe we shouldn't do it to others if we don't want it done to us......

Election meddling, hacking and such.

uhland62

Do we even believe what these people are telling us? We can't check if it's disinformation, fake news, or plain lies. They tell us all kinds of BS, like the data are IN the phone. No, they are not and I have got proof that they are stored on a cloud and/or server somewhere.

If you keep 1. the number and 2. provider, but 3. change address, 4. home phone number, 5. sim card and 6. handsets, the old home number will still be there after 13 years. It's not in the new phone.

Matt Taibbi (Rolling Stones mag) said in the docu 'Cyberwar' that they meddled in the 1996 Yeltsin elections. 

911bodysnatchers322

If Wikileaks has not released it, then it is a psyop. Keep in mind, these agencies have been caught lying to you not once, not twice, but well over 33 times since 1977. They've released tools that demonstrate the layers of deception in trying to frame other companies for cyber attacks which can only be used for one purpose--self-inflicted wounds to deceive your own public into giving up more of their rights and funding to an abusive security state in what is akin to a high tech protection racket

How many times must we fall for this?

Arrest Andrew McCabe now, because this is in my book, a means to distract the public from the revelations in the Sessions meeting today, which is that the Deputy Director of the FBI was caught funding the Fusion GPS Steele dossier and that the FBI used it to obtain an ill-gotten FISA warrant to spy on a lawfully elected president and his associates; being given a year they've produced nothing but a divided country and dual justice system; a highly conflicted witch hunt that not only produces nothing but is about to be themselves indicted for involvement in a maybe the biggest uranium scandal in US history, where a potential president put themselves and others in the US government at imminent risk for being directly blackmailed and controlled by our so called 'greatest adversary' instead of retaining our sovereignty under a man with both limited governance experience and that's a good thing because lifetime politicians have been ruining this country for 50 yrs now

This is a PSYOP guys. It's become so incredibly obvious, they are generating a backstory but they are more and more inept with each iteration.

OR it's possible we're getting better and better at spotting the pattern

911bodysnatchers322

Forgot to mention that McCabe has been running a Pakistani spy ring (Imran Awan and associates) that infiltrated the Congress to blackmail people with BlackBerries and then run criminal ratline networks from highly compartmentalized doped phones.

White Devil

I doubt the american’ts know as much as they think they do.

onmail1

And what about Stuxnet etc

USA & Israel are criminals

------------

btw thumbs up to N.Korea


Branded

"DHS, FBI Release Details on North Korean Hacking Tools"

I thought a congressional mandate limited their mission to domestic hacking of local and state elections?