North Korea State-Sponsored Cyber Threat: Advisories
As the nation's cyber defense agency and national coordinator for critical infrastructure, CISA provides resources—including cybersecurity advisories written in coordination with partners—to help stakeholders build resilience against nation-state actors and other cyber threats.
Table 1: CISA and Joint CISA Advisories
| Publication Date | Title | Description |
|---|---|---|
| February 9, 2023 | #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | The NSA, FBI, CISA, Department of Health and Human Services, the Republic of Korea (ROK) National Intelligence Service, and the ROK Defense Security Agency issued a joint Cybersecurity Advisory to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities. |
| July 6, 2022 | Joint FBI-CISA-Treasury CSA: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector | The FBI, CISA, and the Department of the Treasury issued a joint Cybersecurity Advisory to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations. |
| April 18, 2022 | Joint FBI-CISA-Treasury CSA: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies | The FBI, CISA, and the Department of the Treasury issued a joint Cybersecurity Advisory highlighting the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat. This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. |
| February 17, 2021 | Joint FBI-CISA-Treasury CSA: AppleJeus: Analysis of North Korea's Cryptocurrency Malware MAR 10322463-1.v1: AppleJeus – Celas Trade Pro MAR 10322463-2.v1: AppleJeus – JMT Trading MAR 10322463-3.v1: AppleJeus – Union Crypto MAR 10322463-4.v1: AppleJeus – Kupay Wallet MAR 10322463-5.v1: AppleJeus – CoinGoTrade | CISA, FBI, and the Department of the Treasury released a Joint Cybersecurity Advisory and seven MARs on the North Korean government’s dissemination of malware that facilitates the theft of cryptocurrency—referred to by the U.S. Government as “AppleJeus.” |
| October 27, 2020 | Joint CISA-CNMF-FBI CSA: North Korean Advanced Persistent Threat Focus: Kimsuky | CISA, FBI, and the U.S. Cyber Command Cyber National Mission Force (CNMF) released a new Joint Cybersecurity Advisory on TTPs used by North Korean APT group Kimsuky. |
| August 26, 2020 | Joint CISA-Treasury-FBI-USCYBERCOM CSA: FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks MAR 10301706-1.v1: North Korean Remote Access Tool: ECCENTRICBANDWAGON MAR 10301706-2.v1: North Korean Remote Access Tool: VIVACIOUSGIFT MAR 10257062-1.v2: North Korean Remote Access Tool: FASTCASH for Windows | CISA, the Department of the Treasury, FBI, and U.S. Cyber Command released a joint Technical Alert and three MARs on the North Korean government’s ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.” |
| August 19, 2020 | MAR 10295134.r1.v1: North Korean Remote Access Trojan: BLINDINGCAN | CISA and FBI have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors. FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. A threat group with a nexus to North Korea targeted government contractors early this year to gather intelligence surrounding key military and energy technologies. |
| May 12, 2020 | MAR 1028834-1.v1: North Korean Remote Access Tool: COPPERHEDGE | CISA, FBI, and DoD identified three malware variants used by the North Korean government. COPPERHEDGE is Manuscrypt family of malware is used by APT cyber actors in the targeting of cryptocurrency exchanges and related entities. TAINTEDSCRIBE and PEBBLEDASH are full-featured beaconing implants. |
| May 12, 2020 | U.S. Government Advisory: Top 10 Routinely Exploited Vulnerabilities | CISA, FBI, and the broader U.S. Government authored a Joint Alert with details on vulnerabilities routinely exploited by foreign cyber actors, including North Korean cyber actors. |
| April 15, 2020 | U.S. Government Advisory: Guidance on the North Korean Cyber Threat | The U.S. Departments of State, Treasury, and Homeland Security and FBI issued this Advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The Advisory highlights the cyber threat posed by North Korea and provides recommended steps to mitigate the threat. |
| February 14, 2020 | MAR 10265965-1.v1: North Korean Trojan: BISTROMATH MAR 10265965-2.v1: North Korean Trojan: SLICKSHOES MAR 10265965-3.v1: North Korean Trojan: CROWDEDFLOUNDER MAR 10271944-1.v1: North Korean Trojan: HOTCROISSANT MAR 10271944-2.v1: North Korean Trojan: ARTFULPIE MAR 10271944-3.v1: North Korean Trojan: BUFFETLINE MAR 10135536-8.v4: North Korean Trojan: HOPLIGHT Note: this version of HOPLIGHT MAR updates the October 31, 2019 version, which updated April 10, 2019 version. | CISA, FBI, and DoD identified multiple malware variants used by the North Korean government. BISTROMATH looks at multiple versions of a full-featured Remote Access Trojan implant executable and multiple versions of the CAgent11 GUI implant controller/builder. SLICKSHOES is a Themida-packed dropper that decodes and drops a Themida-packed beaconing implant. CROWDEDFLOUNDER looks at Themida packed Windows executable. HOTCROSSIANT is a full-featured beaconing implant. ARTFULPIE is an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL. BUFFETLINE is a full-featured beaconing implant. HOPLIGHT looks at multiple malicious executable files. Some of which are proxy applications that mask traffic between the malware and the remote operators. |
| September 9, 2019 | MAR 10135536-21: North Korean Proxy Malware: ELECTRICFISH Note: this version of the ELECTRICFISH MAR updates the May 9, 2019 version. MAR 10135536-10: North Korean Trojan: BADCALL Note: this version of the BADCALL MAR updates the February 6, 2018 version: and STIX file. | CISA, FBI, and DoD identified multiple malware variants used by the North Korean government. ELECTRICFISH implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address. BADCALL malware is an executable that functions as a proxy server and implements a "Fake TLS" method.
|
| October 2, 2018 | CISA, Treasury, FBI, and U.S. Cyber Command identified malware and other IOCs used by the North Korean government in an ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.” The Joint Technical Alert provides information on FASTCash and the MAR provides information on 10 malware samples related to this activity. | |
| August 9, 2018 | MAR 10135536-17: North Korean Trojan: KEYMARBLE | DHS and FBI identified a Trojan malware variant—referred to as KEYMARBLE—used by the North Korean government. KEYMARBLE is a RAT capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data. |
| June 14, 2018 | MAR 10135536-12: North Korean Trojan: TYPEFRAME | DHS and FBI identified a Trojan malware variant—referred to as TYPEFRAME—used by the North Korean government. DHS and FBI distributed this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity. This malware report contains an analysis of multiple malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications macros. |
| May 29, 2018 | CISA Alert TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm | This Joint Technical Alert and MAR authored by DHS and FBI provides information, including IOCs associated with two families of malware used by the North Korean government: A remote access tool, commonly known as Joanap; and Server Message Block worm, commonly known as Brambul.
|
| March 28, 2018 | DHS and FBI identified a Trojan malware variant—referred to as SHARPKNOT—used by the North Korean government. SHARPKNOT is a 32-bit Windows executable file. When executed from the command line, the malware overwrites the Master Boot Record and deletes files on the local system, any mapped network shares, and physically connected storage devices. | |
| February 13, 2018 | DHS and FBI identified a Trojan malware variant—referred to as HARDRAIN—used by the North Korean government. | |
| December 21, 2017 | DHS and FBI identified a Trojan malware variant—referred to as BANKSHOT—used by the North Korean government. This MAR analyzes three malicious executable files. Two files are 32-bit Windows executables that function as Proxy servers and implement a "Fake TLS" method. The third file is an Executable Linkable Format file designed to run on Android platforms as a fully functioning Remote Access Trojan. | |
| November 14, 2017 | CISA Alert TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL CISA Alert TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer | These Joint Technical Alerts provide information and IOCs on malware variants used by the North Korean government to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI distributed these alerts to enable network defense and reduce exposure to any North Korean government malicious cyber activity. |
| August 23, 2017 | This MAR examines the functionality of the DeltaCharlie malware variant to manage North Korea’s distributed denial-of-service (DDOS) botnet infrastructure (refer to TA17-164A). DHS distributed this MAR to enable network defense and reduce exposure to any North Korean government malicious cyber activity. | |
| June 13, 2017 | CISA Alert TA17-164A: HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure | This Joint Technical Alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. government partners, DHS and FBI identified Internet Protocol addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s DDoS botnet infrastructure. |
| May 12, 2017 | CISA Alert TA17-132A: Indicators Associated With WannaCry Ransomware | This DHS-FBI Joint Technical Alert provides information, including IOCs on the ransomware variant known as WannaCry. The U.S. Government publicly attributed this WannaCry ransomware variant to the North Korean government. |