U.S. government issues new warning about North Korea-linked malware

The mitigations DHS recommends have added urgency because of the way the North Korean hackers are seizing on weak security practices.

Department of Homeland Security and FBI officials are warning industry about what they say are new Trojan malware variants that North Korean-government-backed hackers have deployed as part of their global operations.

The variants employ proxy applications to mask communications between the malicious programs and their operators, DHS said in a report published Wednesday. When executed, the malware collects information on the victim machine’s operating system and its system time, and uses a public SSL certificate for secure communication with its operators, the report said. DHS has dubbed the new malware HOPLIGHT.

“This is continuing our campaign to put pressure on the DPRK as well as helping network defenders understand some of the tools and the capabilities that they are using,” Jeanette Manfra, assistant director for cybersecurity at DHS’s Cybersecurity and Infrastructure Security Agency, told CyberScoop.

The mitigations that DHS recommends – such as updating antivirus signatures and disabling file-sharing services – aren’t radical but they have added urgency because of the way the North Korean hackers are seizing on weak security practices, according to Manfra.


“The North Koreans are exploiting the fact that people aren’t doing some of these things to get access to infrastructure, to further their operations,” she said.

One of the goals of publishing the report was to “reduce the ability of the actors to continue to use this malware,” Manfra added – something she dubbed “deterrence by denial.” The department has released no fewer than 15 reports and advisories on suspected North Korean cyber operatives, according to Manfra.

For U.S. officials, deterring North Korean hackers, who have shown few scruples in what they target, is a work in progress. The FBI quietly told U.S. companies last October that North Korean hackers will continue to target financial institutions worldwide despite the U.S. government’s public attribution of such activity to Pyongyang.

Jon DiMaggio, a senior threat intelligence analyst at Symantec, said that, based on the U.S. government’s attribution, the new variants reinforce the notion that North Korea-linked hackers are “very quick to evolve on their malware, and they’re very quick to tailor it to fit their operations from one campaign to the next.”

Symantec plans to analyze the new variants and strengthen its antivirus signatures to further protect against the malicious activity reported by DHS, DiMaggio added.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
