FBI, DHS to go public with suspected North Korean hacking tools

The report drops on the third anniversary of the WannaCry attack, which the U.S. blamed on North Korea.

The FBI and the Department of Homeland Security are preparing to jointly expose North Korean government-backed hacking this week, CyberScoop has learned.

Threat data meant to help companies fend off hackers has already been shared with the private sector in an effort to boost cyber-defenses in critical infrastructure sectors.

The circulating information, contained in several documents known as malware analysis reports (MARs), details activity from Hidden Cobra hackers, an advanced persistent threat group that the U.S. government has previously linked with the North Korean government.

The Hidden Cobra group frequently targets financial institutions such as banks, cryptocurrency exchanges, and ATMs for financial gain, the government says. However, it was not immediately clear which specific security incidents, if any, the U.S. government sought to expose in the information sharing effort.


The documents, which sources say contain 26 malware samples, appear to be the latest piece of a broader U.S. government effort to hold North Korea accountable for malicious hacking activities, and disrupt illicit fundraising efforts out of Pyongyang.

Amid international sanctions, the Department of Justice in recent months charged two Chinese nationals for allegedly helping North Korean hackers launder stolen money, for example. Last year the Treasury Department sanctioned three North Korean-focused hacking groups for supporting the government’s missile-development program.

If the information is released on Tuesday, it would be on the third anniversary of the WannaCry attack that impacted more than 300,000 machines in 150 countries, crippling companies who were infected. The Trump administration blamed that attack on North Korea in December 2017.

Inside the reports

The first MAR details 22 malware samples, all of which appear to be a part of the same malware family, known as “Manuscrypt,” according to sources who have viewed the report.


Manuscrypt has previously been used to attack diplomatic targets in South Korea, individuals using virtual currencies, and electronic payment systems, according to prior research from Kaspersky. Attackers behind Manuscrypt — one of the groups the Treasury Department sanctioned last year — typically target global financial institutions, as well as the Society for Worldwide Interbank Financial Telecommunication (SWIFT) monetary transfer system.

The FBI and DHS have previously issued a public warning, called a US-CERT alert, about a variant of this malware, which they also call TYPEFRAME, according to Kaspersky.

But the Manuscrypt malware samples set to be disclosed this week do not appear to expose new information about suspected North Korean activities, multiple sources who have examined the reports told CyberScoop.

It’s not the first time the U.S. government has shared malware samples — under the guise of boosting defenses — that are already known to the information security community.

A spokesperson for U.S. Cyber Command, the branch of the Pentagon responsible for offensive U.S. cyber-operations against foreign hackers, acknowledged that publicly identifying hacking efforts isn’t only about data protection. Some have taken the Department of Defense’s efforts to share old information as a way of signaling to foreign governments that their malicious activity online isn’t always anonymous.


“U.S. Cyber Command persistently releases malware attributed by DHS and FBI to enable defenses across our nation,” a spokesperson said. “Publicly disclosing malicious cyber activity imposes costs on countries who actively and illegally work against U.S. interests and our partners.”

For approximately two years, Cyber Command has been uploading examples of adversarial malware online, with the intention of spreading awareness and convincing the private sector to shore up protections against foreign hackers.

It was not immediately clear if Cyber Command would be uploading the samples from the MARs to the malware-sharing repository VirusTotal, as it typically does. Approximately 20 of the samples are already on VirusTotal, sources said.

Update, May 12, 9:45am ET: DHS uploaded the documents detailing the malware, called “COPPERHEDGE,” “TAINTEDSCRIBE,” and “PEBBLEDASH,” following publication of this story on Tuesday. Cyber Command said the malware is used for phishing and remote access. Cyber Command also released the malware samples to VirusTotal on Tuesday.
