North Korea State-Sponsored Cyber Threat: Advisories

As the nation's cyber defense agency and national coordinator for critical infrastructure, CISA provides resources—including cybersecurity advisories written in coordination with partners—to help stakeholders build resilience against nation-state actors and other cyber threats.

Table 1: CISA and Joint CISA Advisories

Publication DateTitleDescription
July 25, 2024North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear ProgramsFBI, CNMF, CISA, DC3, and NSA—in partnership with the Republic of Korea’s National Intelligence Service (NIS) and National Police Agency (NPA), and the United Kingdom’s National Cyber Security Centre (NCSC)—released a joint Cybersecurity Advisory that highlights cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju. 
February 9, 2023#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber ActivitiesThe NSA, FBI, CISA, Department of Health and Human Services, the Republic of Korea (ROK) National Intelligence Service, and the ROK Defense Security Agency issued a joint Cybersecurity Advisory to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.
July 6, 2022Joint FBI-CISA-Treasury CSA: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health SectorThe FBI, CISA, and the Department of the Treasury issued a joint Cybersecurity Advisory to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.
April 18, 2022Joint FBI-CISA-Treasury CSA: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies

The FBI, CISA, and the Department of the Treasury issued a joint Cybersecurity Advisory highlighting the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat.

This group is commonly tracked by the cybersecurity industry as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. 

February 17, 2021

Joint FBI-CISA-Treasury CSA: AppleJeus: Analysis of North Korea's Cryptocurrency Malware

MAR 10322463-1.v1: AppleJeus – Celas Trade Pro

MAR 10322463-2.v1: AppleJeus – JMT Trading

MAR 10322463-3.v1: AppleJeus – Union Crypto

MAR 10322463-4.v1: AppleJeus – Kupay Wallet

MAR 10322463-5.v1: AppleJeus – CoinGoTrade

MAR 10322463-6.v1: AppleJeus – Dorusio

MAR 10322463-7.v1: AppleJeus – Ants2Whale

CISA, FBI, and the Department of the Treasury released a Joint Cybersecurity Advisory and seven MARs on the North Korean government’s dissemination of malware that facilitates the theft of cryptocurrency—referred to by the U.S. Government as “AppleJeus.”
October 27, 2020Joint CISA-CNMF-FBI CSA: North Korean Advanced Persistent Threat Focus: KimsukyCISA, FBI, and the U.S. Cyber Command Cyber National Mission Force (CNMF) released a new Joint Cybersecurity Advisory on TTPs used by North Korean APT group Kimsuky.
August 26, 2020

Joint CISA-Treasury-FBI-USCYBERCOM CSA: FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks

MAR 10301706-1.v1: North Korean Remote Access Tool: ECCENTRICBANDWAGON

MAR 10301706-2.v1: North Korean Remote Access Tool: VIVACIOUSGIFT

MAR 10257062-1.v2: North Korean Remote Access Tool: FASTCASH for Windows

CISA, the Department of the Treasury, FBI, and U.S. Cyber Command released a joint Technical Alert and three MARs on the North Korean government’s ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.”
August 19, 2020MAR 10295134.r1.v1: North Korean Remote Access Trojan: BLINDINGCANCISA and FBI have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors. FBI has high confidence that HIDDEN COBRA actors are using malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation. A threat group with a nexus to North Korea targeted government contractors early this year to gather intelligence surrounding key military and energy technologies.
May 12, 2020

MAR 1028834-1.v1: North Korean Remote Access Tool: COPPERHEDGE

MAR 1028834-2.v1: North Korean Trojan: TAINTEDSCRIBE

MAR 1028834-3.v1: North Korean Trojan: PEBBLEDASH

CISA, FBI, and DoD identified three malware variants used by the North Korean government. 

COPPERHEDGE is Manuscrypt family of malware is used by APT cyber actors in the targeting of cryptocurrency exchanges and related entities.

TAINTEDSCRIBE and PEBBLEDASH are full-featured beaconing implants.

May 12, 2020U.S. Government Advisory: Top 10 Routinely Exploited VulnerabilitiesCISA, FBI, and the broader U.S. Government authored a Joint Alert with details on vulnerabilities routinely exploited by foreign cyber actors, including North Korean cyber actors.
April 15, 2020U.S. Government Advisory: Guidance on the North Korean Cyber ThreatThe U.S. Departments of State, Treasury, and Homeland Security and FBI issued this Advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The Advisory highlights the cyber threat posed by North Korea and provides recommended steps to mitigate the threat.
February 14, 2020

MAR 10265965-1.v1: North Korean Trojan: BISTROMATH

MAR 10265965-2.v1: North Korean Trojan: SLICKSHOES

MAR 10265965-3.v1: North Korean Trojan: CROWDEDFLOUNDER

MAR 10271944-1.v1: North Korean Trojan: HOTCROISSANT

MAR 10271944-2.v1: North Korean Trojan: ARTFULPIE

MAR 10271944-3.v1: North Korean Trojan: BUFFETLINE

MAR 10135536-8.v4: North Korean Trojan: HOPLIGHT Note: this version of HOPLIGHT MAR updates the October 31, 2019 version, which updated April 10, 2019 version.

CISA, FBI, and DoD identified multiple malware variants used by the North Korean government.

BISTROMATH looks at multiple versions of a full-featured Remote Access Trojan implant executable and multiple versions of the CAgent11 GUI implant controller/builder.

SLICKSHOES is a Themida-packed dropper that decodes and drops a Themida-packed beaconing implant.

CROWDEDFLOUNDER looks at Themida packed Windows executable.

HOTCROSSIANT is a full-featured beaconing implant.

ARTFULPIE is an implant that performs downloading and in-memory loading and execution of a DLL from a hardcoded URL.

BUFFETLINE is a full-featured beaconing implant.

HOPLIGHT looks at multiple malicious executable files. Some of which are proxy applications that mask traffic between the malware and the remote operators.

September 9, 2019

MAR 10135536-21: North Korean Proxy Malware: ELECTRICFISH Note: this version of the ELECTRICFISH MAR updates the May 9, 2019 version.

MAR 10135536-10: North Korean Trojan: BADCALL Note: this version of the BADCALL MAR updates the February 6, 2018 version: and STIX file.

CISA, FBI, and DoD identified multiple malware variants used by the North Korean government.

ELECTRICFISH implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address.

BADCALL malware is an executable that functions as a proxy server and implements a "Fake TLS" method.

 

October 2, 2018

CISA Alert TA18-275A - HIDDEN COBRA FASTCash Campaign

MAR 10201537: HIDDEN COBRA FASTCash-Related Malware

CISA, Treasury, FBI, and U.S. Cyber Command identified malware and other IOCs used by the North Korean government in an ATM cash-out scheme—referred to by the U.S. Government as “FASTCash.” The Joint Technical Alert provides information on FASTCash and the MAR provides information on 10 malware samples related to this activity.
August 9, 2018MAR 10135536-17: North Korean Trojan: KEYMARBLEDHS and FBI identified a Trojan malware variant—referred to as KEYMARBLE—used by the North Korean government.  KEYMARBLE is a RAT capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.
June 14, 2018MAR 10135536-12: North Korean Trojan: TYPEFRAMEDHS and FBI identified a Trojan malware variant—referred to as TYPEFRAME—used by the North Korean government. DHS and FBI distributed this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity. This malware report contains an analysis of multiple malware samples consisting of 32-bit and 64-bit Windows executable files and a malicious Microsoft Word document that contains Visual Basic for Applications macros.
May 29, 2018

CISA Alert TA18-149A: HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm

MAR 10135536-3: HIDDEN COBRA RAT/Worm

This Joint Technical Alert and MAR authored by DHS and FBI provides information, including IOCs associated with two families of malware used by the North Korean government:

A remote access tool, commonly known as Joanap; and Server Message Block worm, commonly known as Brambul.

 

March 28, 2018

MAR 10135536.11: North Korean Trojan: SHARPKNOT

STIX file for MAR 10135536.11

DHS and FBI identified a Trojan malware variant—referred to as SHARPKNOT—used by the North Korean government. SHARPKNOT is a 32-bit Windows executable file. When executed from the command line, the malware overwrites the Master Boot Record and deletes files on the local system, any mapped network shares, and physically connected storage devices.
February 13, 2018

MAR 10135536-F: North Korean Trojan: HARDRAIN

STIX file for MAR 10135536-F

DHS and FBI identified a Trojan malware variant—referred to as HARDRAIN—used by the North Korean government.
December 21, 2017

MAR 10135536: North Korean Trojan: BANKSHOT

STIX file for MAR 10135536

DHS and FBI identified a Trojan malware variant—referred to as BANKSHOT—used by the North Korean government. This MAR analyzes three malicious executable files.

Two files are 32-bit Windows executables that function as Proxy servers and implement a "Fake TLS" method.

The third file is an Executable Linkable Format file designed to run on Android platforms as a fully functioning Remote Access Trojan.

November 14, 2017

CISA Alert TA17-318A: HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL

CISA Alert TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer

These Joint Technical Alerts provide information and IOCs on malware variants used by the North Korean government to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI distributed these alerts to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
August 23, 2017

MAR 10132963: Analysis of DeltaCharlie Attack Malware

STIX file for MAR 10132963

This MAR examines the functionality of the DeltaCharlie malware variant to manage North Korea’s distributed denial-of-service (DDOS) botnet infrastructure (refer to TA17-164A). DHS distributed this MAR to enable network defense and reduce exposure to any North Korean government malicious cyber activity.
June 13, 2017CISA Alert TA17-164A: HIDDEN COBRA – North Korea’s DDoS Botnet InfrastructureThis Joint Technical Alert provides technical details on the tools and infrastructure used by cyber actors of the North Korean government to target the media, aerospace, financial, and critical infrastructure sectors in the United States and globally. Working with U.S. government partners, DHS and FBI identified Internet Protocol addresses associated with a malware variant, known as DeltaCharlie, used to manage North Korea’s DDoS botnet infrastructure.
May 12, 2017CISA Alert TA17-132A: Indicators Associated With WannaCry RansomwareThis DHS-FBI Joint Technical Alert provides information, including IOCs on the ransomware variant known as WannaCry. The U.S. Government publicly attributed this WannaCry ransomware variant to the North Korean government.