"FALLCHILL": DHS, FBI Release Details On North Korean Hacking Tools

As tensions between the U.S. and North Korea mount, the DHS and FBI have just issued a pair of technical alerts about cyber attacks which they say are sponsored by the North Korean government and that have been targeting the aerospace, telecommunications and financial industries since 2016.  According to the alert, North Korean hackers have used a type of malware referred to as “FALLCHILL” to gain entry to computer systems and compromise network systems.

Today, DHS and FBI released a pair of Joint Technical Alerts (TA17-318A and TA17-318B) that provide details on tools and infrastructure used by North Korea to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally.


The North Korean government malicious cyber activity noted in these alerts is part of a long-term campaign of cyber-enabled operations that impact the U.S. Government and its citizens. Working closely with our interagency, industry and international partners, DHS is constantly working to arm network defenders with the tools they need to identify, detect and disrupt state and non-state actors targeting the networks and systems of our country and our allies.

Per the pair of techinical alerts, the FALLCHILL malware provides hackers with wide latitude to monitor and disrupt infected networks. The malware typically gains access to systems as a file sent via other North Korean malware or when users unknowingly downloaded it by visiting sites compromised by the hackers.

FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to any North Korean government malicious cyber activity.


This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with FALLCHILL malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the FALLCHILL malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.


According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.


During analysis of the infrastructure used by FALLCHILL malware, the U.S. Government identified 83 network nodes. Additionally, using publicly available registration information, the U.S. Government identified the countries in which the infected IP addresses are registered.


These latest technical alerts follow similar updates from DHS and the FBI from earlier this summer which highlighted malware they claimed North Korean hackers were utilizing to lauch DDoS attacks in the U.S.  Per The Hill:

The agencies identified IP addresses associated with a malware known as DeltaCharlie, which North Korea uses to launch distributed denial-of-service (DDoS) attacks.


The alert called for institutions to come forward with any information they might have about the nation’s cyber activity, which the U.S. government refers to as “Hidden Cobra.”


“If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation,” the alert reads.


The DHS and FBI also highlighted some vulnerabilities that North Korea has been known to exploit and recommended organizations upgrade to the latest versions of Adobe Flash Player, Microsoft Silverlight and Hangui Word Processor, or delete them altogether if the programs aren’t needed.

Of course, North Korea has routinely denied involvement in cyber attacks against other countries.


thebriang Tue, 11/14/2017 - 18:28 Permalink

The days of believing anything "cyber" are long past.They can attribute anything, plant anything, and blame anyone  for anything with a shit load of reputable MSM liars to back them up.

serotonindumptruck Tue, 11/14/2017 - 18:36 Permalink

No State actor would be interested in what's on my 'puter, unless they're interested in several hundred gigabytes of Japanese scat porn and every ISIS/Al Qaeda beheading video that I can find.Yeah, I'm a sick puppy.

z530 Tue, 11/14/2017 - 18:36 Permalink

Any malware variant that drops files onto the local filesystem is total amateur hour and complete garbage. With the exception of the iniital landing method, the best malware out there is fileless, runs in memory and utilizes trusted tools/apps on the OS. The FBI are a bunch of fucking retards when it comes to Infosec, so seeing them talking about NK malware is humerous.

uhland62 redmudhooch Tue, 11/14/2017 - 21:24 Permalink

Do we even believe what these people are telling us? We can't check if it's disinfomation, fake news, or plain lies. They tell us all kinds of BS, like the data are IN the phone. No, they are not and I have got proof that they are stored on a cloud and/or server somewhere.If you keep 1. the number and 2. providerbut 3. change address, 4. home phone number, 5. sim card and 6. handsets, the old home number will still be there after 13 years. It's not in the new phone. Matt Taibbi (Rolling Stones mag) said in the docu 'Cyberwar' that they meddled in the 1996 Yeltsin elections. 

In reply to by redmudhooch

911bodysnatchers322 Tue, 11/14/2017 - 22:54 Permalink

If Wikileaks has not released it, then it is a psyop. Keep in mind, these agencies have been caught lying to you not once, not twice, but well over 33 times since 1977. They've released tools that demonstrate the layers of deception in trying to frame other companies for cyber attacks which can only be used for one purpose--self-inflicted wounds to deceive your own public into giving up more of their rights and funding to an abusive security state in what is akin to a high tech protection racket

How many times must we fall for this?

Arrest Andrew McCabe now, because this is in my book, a means to distract the public from the revelations in the Sessions meeting today, which is that the Deputy Director of the FBI was caught funding the Fusion GPS Steele dossier and that the FBI used it to obtain an ill-gotten FISA warrant to spy on a lawfully elected president and his associates; being given a year they've produced nothing but a divided country and dual justice system; a highly conflicted witch hunt that not only produces nothing but is about to be themselves indicted for involvement in a maybe the biggest uranium scandal in US history, where a potential president put themselves and others in the US government at imminent risk for being directly blackmailed and controlled by our so called 'greatest adversary' instead of retaining our sovereignty under a man with both limited governance experience and that's a good thing because lifetime politicians have been ruining this country for 50 yrs now

THis is a PSYOP guys. It's become so incredibly obvious, they are generating a backstory but they are more and more inept with each iteration

OR it's possible we're getting better and better at spotting the pattern

Branded Wed, 11/15/2017 - 00:18 Permalink

"DHS, FBI Re;ease Details on North Korean Hacking Tools"I thought a congressional mandate limited their mission to domestic hacking of local and state elections?