North Korea’s DDoS Attacks Analyzed Based on IPs

Arbor Networks has used the IP addresses shared recently by United States authorities to analyze distributed denial-of-service (DDoS) attacks attributed to the North Korean government. The security firm believes the data may not be as useful for organizations as the U.S. hopes.

Arbor Networks has used the IP addresses shared recently by United States authorities to analyze distributed denial-of-service (DDoS) attacks attributed to the North Korean government. The security firm believes the data may not be as useful for organizations as the U.S. hopes.

Earlier this month, the United States Computer Emergency Readiness Team (US-CERT) released a technical alert on behalf of the DHS and the FBI to warn organizations of North Korea’s Hidden Cobra activities, particularly its DDoS botnet infrastructure.

Hidden Cobra, a threat actor tracked by others as Lazarus Group, is believed to be behind several high-profile attacks, including the ones targeting Sony Pictures, Bangladesh’s central bank, and banks in Poland. Links have also been found between the group and the recent WannaCry ransomware attacks.

The US-CERT report focused on a DDoS tool dubbed DeltaCharlie. The organization has shared information on exploits, malware, IP addresses, file hashes, network signatures, and YARA rules associated with Hidden Cobra in an effort to help defenders detect the group’s attacks.

Data from Arbor Networks’ ATLAS infrastructure showed that 24 of the 632 IP addresses provided by US authorities were involved in at least one DDoS attack over a 105-day period between March 1 and June 13, 2017.

The company pointed out that its ATLAS infrastructure, which relies on data shared anonymously by nearly 400 globally distributed service providers, covers roughly one-third of Internet traffic, which means the actual number of IPs involved in attacks during this period is likely higher.

According to Arbor, 16 IPs participated in more than one of the 164 attacks observed by the company. The largest attack peaked at 4.3 Gbps, which is more than enough to disrupt unprotected systems, and the longest attack lasted for 44 hours.

While the largest concentration of IP addresses in the US-CERT report was in Russia, Arbor traced the highest percentage of attacking IPs to Saudi Arabia (6 of 24) and the United Arab Emirates (5 of 24).

The IPs monitored by Arbor were involved in DDoS attacks on most days, but there were some periods with no activity. The longest period with no activity started on April 5, shortly after North Korea launched a missile into the Sea of Japan. While it’s unclear if the two events are in any way related, experts noted that DDoS attacks are often timed with significant geopolitical events.

Of the 164 DDoS attacks observed by researchers, nearly half were aimed at the United States, followed by the U.K., Australia, France, Saudi Arabia and Singapore.

SecurityWeek has reached out to several other DDoS protection companies, but none of them could immediately provide any information on the Hidden Cobra attacks.

Arbor said it conducted its own analysis because the US-CERT report, which the company described as vague, did not clarify whether the IPs were bots or part of command and control (C&C) infrastructure, nor whether they were “innocent” reflectors.

Arbor’s analysis – based on the types of attacks observed – suggests that the report lists open reflectors abused by DeltaCharlie and not the actual bots.

“This lack of context makes it difficult for responders to act. Security analysts would treat a list of command-and-control servers differently from a list of bots, and differently from a list of reflectors,” experts said. “Blindly loading such indicators into security systems could potentially cause more harm than good.”
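As an added example (not part of the article or of Arbor's analysis), the following defender-side triage matches an indicator list against flow records and assigns each IP a role before it is loaded into any blocking system, since, as the analysts note, reflectors, bots and C&C servers each call for different handling. The flow records, IP addresses and role heuristics are constructed assumptions.

```python
"""Triage an IP indicator list by observed role before it reaches a blocklist."""

# UDP services commonly abused as amplification reflectors (port -> name).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}

# Recommended handling per role. Blanket-blocking a reflector punishes an
# innocent third-party server, so reflectors get rate limiting, not a block.
HANDLING = {
    "reflector": "rate-limit amplification responses; notify operator",
    "bot": "drop at scrubbing edge; candidate for blocklist",
    "c2": "block egress; hunt internal hosts that contacted it",
    "unknown": "monitor only; do not auto-block",
}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
FLOWS = [
    ("198.51.100.7", 53, "203.0.113.10", 40123, "udp", 3200),  # DNS amplification reply
    ("198.51.100.7", 53, "203.0.113.10", 40124, "udp", 3100),
    ("198.51.100.9", 51234, "203.0.113.10", 80, "tcp", 64),   # flood from a bot
    ("198.51.100.9", 51235, "203.0.113.10", 80, "tcp", 64),
    ("198.51.100.9", 51236, "203.0.113.10", 80, "tcp", 64),
    ("10.0.0.5", 44000, "192.0.2.20", 443, "tcp", 512),       # internal hosts beaconing
    ("10.0.0.6", 44001, "192.0.2.20", 443, "tcp", 498),
]


def classify(ip, flows):
    """Assign a role to an indicator IP from the flows it appears in (heuristic)."""
    out = [f for f in flows if f[0] == ip]
    inbound = [f for f in flows if f[2] == ip]
    if out and all(f[4] == "udp" and f[1] in REFLECTOR_PORTS for f in out):
        return "reflector"  # only replies from an amplifier service port
    if len(out) >= 3 and len({f[1] for f in out}) == len(out) and all(f[5] <= 128 for f in out):
        return "bot"  # many tiny flows from rotating ephemeral source ports
    if not out and len({f[0] for f in inbound}) >= 2:
        return "c2"  # several distinct hosts connect in, it never floods out
    return "unknown"


def triage(indicators, flows):
    """Map each indicator IP to (role, recommended handling)."""
    result = {}
    for ip in indicators:
        role = classify(ip, flows)
        result[ip] = (role, HANDLING[role])
    return result


if __name__ == "__main__":
    sample = ["198.51.100.7", "198.51.100.9", "192.0.2.20", "192.0.2.99"]
    for ip, (role, action) in triage(sample, FLOWS).items():
        print(f"{ip:15} {role:9} {action}")
```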

This is not the first time the cybersecurity community has criticized a joint report from the FBI and the DHS. The report released late last year on GRIZZLY STEPPE activity, better known as Cozy Bear (APT29) and Fancy Bear (APT28 and Pawn Storm), failed to demonstrate that Russia was behind the U.S. election hacks.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
