The DNA of Hidden Cobra – A Look at a Nation State’s Cyber Offensive Programs

In 2018 McAfee ATR began to re-focus on identifying and tracking the operations attributed to Hidden Cobra / Lazarus group to better understand and reveal activity never seen before. In this talk we will present research conducted by McAfee Advanced Threat Research into the threat actor known as Hidden Cobra and the various operations targeting different sectors over the years.

The actor known as Hidden Cobra is thought to have been linked to the North Korean intelligence services and has been involved in numerous operations dating back to 2007. Over the course of 2018, McAfee ATR discovered several major campaigns linked to Hidden Cobra using complex and hidden implants aimed at gathering intelligence on targeted victims, disrupting their operations and generating hard currency through large crypto-currency and banking heists.

This talk will be a deep dive into the techniques, tactics and procedures of Hidden Cobra as well as the developments in this actor’s complex toolkit, including several new implant frameworks. This talk goes into detail about McAfee ATR’s various investigations into Hidden Cobra and what we have learned as a result. We will also discuss the various partnerships with international law enforcement in our efforts to uncover and expose back-end operations used by Hidden Cobra. We will discuss the behind the scenes of Operation Sharpshooter, a case that took us from an isolated incident to the exposure of a long-running back-end operation.

This will be an important technical tutorial on how an isolated nation state conducts broad and extensive cyber espionage against foreign targets to reach its objectives. We will be using the case of Hidden Cobra due to the global nature of this threat group, which impacts many countries around the world, including targeting in Canada. In the case of Hidden Cobra, we will be covering several important aspects of their operations that every cyber defender should be aware of (this information isn’t in the public domain). We will be using an intelligence-driven approach to examine multiple facets of Hidden Cobra and reveal new insights. We will cover how the group is organized, how they develop code and where it is originating from. We will do a deep dive into new implant frameworks and other unique code appearing in malware from international espionage cases. This analysis will also include the novel techniques used by this adversary to collect data from victim environments to feed into the overall intelligence gathering machine.

Since Hidden Cobra operations tend to have significant code overlap, we will be reviewing the code factory system associated with this actor and how implants reuse portions of this code over time from a large pool of components. We will then analyze how we can track these elements from a code DNA perspective and how, using advanced link analysis, we can chain distinct cyber-attacks together, making the analyst’s job much easier. As part of this talk we will also provide an in-depth analysis of the cyber offensive programs attributed to the threat actor group known as Hidden Cobra. We will also be covering some of the behind the scenes analysis of back-end operations that enable the operators of Hidden Cobra to conduct continuous espionage against their targets.
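The "code DNA" and link-analysis idea above can be illustrated with a small, self-contained script. This is an added example written for this page, not McAfee ATR's tooling or anything presented in the talk: it fingerprints each function body of a sample (addresses masked so relocated copies still match), builds an index of which samples share which component, and then clusters samples that are transitively linked by shared components. The sample "function bodies" are constructed pseudo-disassembly text, not real implant code, and the names `sample_A` through `sample_D` are invented.

```python
import hashlib
import re
from itertools import combinations

# Mask long hex immediates (5+ digits, i.e. addresses) before hashing so the same
# component linked at a different base address still yields the same fingerprint.
# Short immediates such as 0x100 are kept because they are part of the logic.
ADDR_RE = re.compile(rb"0x[0-9a-f]{5,}")


def normalize(body: bytes) -> bytes:
    """Lower-case, mask addresses and collapse whitespace (assumption: text disassembly)."""
    body = ADDR_RE.sub(b"0xADDR", body.lower())
    return b" ".join(body.split())


def fingerprint(body: bytes) -> str:
    """Stable component id: truncated SHA-256 of the normalized function body."""
    return hashlib.sha256(normalize(body)).hexdigest()[:16]


def sample_fingerprints(samples):
    """sample name -> set of component fingerprints found in that sample."""
    return {name: {fingerprint(f) for f in funcs} for name, funcs in samples.items()}


def component_index(fps):
    """component fingerprint -> samples containing it (the shared 'code pool' view)."""
    idx = {}
    for name, comps in fps.items():
        for c in comps:
            idx.setdefault(c, set()).add(name)
    return idx


def most_reused(idx, top=3):
    """Components reused across the most samples, best candidates for 'factory' code."""
    return sorted(((c, len(s)) for c, s in idx.items()), key=lambda t: (-t[1], t[0]))[:top]


def shared_components(fps, min_shared=1):
    """Pairwise links (a, b, shared count, Jaccard) for pairs sharing >= min_shared."""
    links = []
    for a, b in combinations(sorted(fps), 2):
        inter = fps[a] & fps[b]
        if len(inter) >= min_shared:
            links.append((a, b, len(inter), round(len(inter) / len(fps[a] | fps[b]), 3)))
    return links


def cluster(fps, min_shared=1):
    """Union-find over the links: transitively connected samples form one cluster."""
    parent = {n: n for n in fps}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b, _, _ in shared_components(fps, min_shared):
        parent[find(a)] = find(b)
    groups = {}
    for n in fps:
        groups.setdefault(find(n), set()).add(n)
    return sorted(sorted(g) for g in groups.values())


# Constructed pseudo-disassembly; two "components" (a KSA-style loop and a beacon
# routine) reappear across samples at different addresses, plus per-sample code.
KSA_A = b"mov edi, 0x401000\nxor ecx, ecx\nksa: mov [edi+ecx], cl\ninc ecx\ncmp ecx, 0x100\njne ksa"
KSA_B = b"MOV EDI, 0x40A000\nXOR ECX, ECX\nksa: MOV [EDI+ECX], CL\nINC ECX\nCMP ECX, 0x100\nJNE ksa"
NET_A = b"push 0x403000\ncall 0x404100\ntest eax, eax\njz fail"
NET_C = b"push 0x413000\ncall 0x414100\ntest eax, eax\njz fail"

SAMPLES = {
    "sample_A": [KSA_A, NET_A, b"call 0x405000\nret"],
    "sample_B": [KSA_B, b"xor eax, eax\nret"],
    "sample_C": [KSA_A, NET_C, b"lea esi, [ebp-0x10]\nret"],
    "sample_D": [b"nop\nnop\nret", b"int3"],
}

if __name__ == "__main__":
    fps = sample_fingerprints(SAMPLES)
    for link in shared_components(fps):
        print("link:", link)
    print("clusters:", cluster(fps))
    print("most reused:", most_reused(component_index(fps)))
```

Raising `min_shared` is the knob an analyst turns to trade recall for precision: one shared component links everything that borrowed a common library routine, while requiring two or more keeps only pairs that draw repeatedly on the same pool. Real workflows would replace the text normalization with function-level hashing from a disassembler, but the indexing and clustering steps are the same.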

Location: Track 1
Date: April 23, 2020
Time: 2:00 pm - 3:00 pm
Speaker: Ryan Sherstobitoff