Pivoting off Hidden Cobra Indicators
On June 13th 2017, US-CERT issued a joint Technical Alert (TA17-164A) entitled Hidden Cobra – North Korea’s DDoS Botnet Infrastructure. The alert, which was the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), included a list of IP addresses “linked to systems infected with DeltaCharlie”. DeltaCharlie is malware originally described by a Novetta-led coalition as a DDoS tool in the arsenal of the Lazarus group. The US-CERT report refers to the Lazarus group as Hidden Cobra and associates the group’s activity with the North Korean government.
It is not clear from the report whether the IPs listed were part of a command-and-control infrastructure, simply bots, or both. It is also not clear whether some of the IPs were simply “innocent” reflectors/amplifiers. To understand whether the IP addresses listed were directly involved in DDoS attacks, we correlated them with attack information observed by Arbor’s ATLAS infrastructure. ATLAS collects anonymized DDoS attack data from nearly 400 globally distributed service providers running Arbor’s Intelligent DDoS Mitigation Solutions (IDMSes).
Summary of Attack Data
The following data points were derived from DDoS attack data reported to ATLAS in the 105-day period between 01MAR17 and 13JUN17:

| Data point | Value |
|---|---|
| Number of IP addresses provided in the TA17-164A alert | 632 |
| Number of TA17-164A IP addresses participating in at least one DDoS attack | 24 (3.8%) |
| Number of TA17-164A IP addresses participating in more than one DDoS attack | 16 |
| Total number of DDoS attacks involving at least one TA17-164A IP address | 164 |
| Largest attack (bandwidth) | 4.30 Gbps |
| Largest attack (throughput) | 4.25 Mpps |
| Largest attack (duration) | 44 hours |
Of note here is the small peak attack bandwidth. Reflection/amplification attacks, which are the primary attack vector used by DeltaCharlie, have been known to exceed bandwidth sizes two orders of magnitude larger than this. Of course, 4.3 Gbps is more than enough to disrupt infrastructure that does not have the appropriate defenses against DDoS attacks.
It is important to note the following:
- ATLAS data covers approximately 1/3 of Internet traffic, so some attacks may not be seen in the data
- Most attack data that is shared with ATLAS is anonymized, so source or destination IP address information is not provided
Therefore, the actual percentage of TA17-164A-listed hosts participating in DDoS attacks is likely higher than the 3.8% observed by ATLAS.
Geo-Location of Attacking IP Addresses
The following is the geo-location of the 24 IP addresses provided in the TA17-164A report that were observed by ATLAS to be participating in at least one DDoS attack between 01MAR17 and 13JUN17:
Note that different IP addresses may come from the same location, thus, only 16 red dots appear rather than 24.
While the largest concentration of IP addresses in the TA17-164A alert was in Volgograd, Russian Federation, the largest concentration of the subset of addresses observed by ATLAS launching DDoS attacks was in Saudi Arabia (6 of 24), followed by the United Arab Emirates (5 of 24).
Daily Attack Frequency
The following chart depicts the number of DDoS attacks per day where at least one IP address in the TA17-164A alert was observed as a source address participating in the attack:
At least one attack occurred on most days between 01MAR17 and 13JUN17. The longest span of consecutive days with no attacks began on April 5th. Since DDoS activity so often correlates with geopolitical activity, it is interesting to see what was occurring around that time. In this case, we note that April 5th is the day after North Korea launched a missile into the Sea of Japan. Of course, it is pure speculation as to whether there is any correlation between these two events.
The following table lists the top destination countries associated with the 164 reported DDoS attacks between 01MAR17 and 13JUN17 where at least one IP address in the TA17-164A alert was observed as a source address:

| Country | Number of attacks |
|---|---|
| United States | 79 (48%) |
| Great Britain | 11 (7%) |
| Saudi Arabia | 6 (4%) |
Reflection/amplification attacks were present in 67% of the reported attacks, in a roughly equal mix of LDAP-based and DNS-based reflection/amplification. This is interesting because while DNS is a known reflection/amplification vector supported by DeltaCharlie, LDAP is not. Another nagging point of confusion: if the IP addresses in the TA17-164A alert include DeltaCharlie bots launching reflection/amplification attacks (as one might reasonably expect), then the victim would never even see those IP addresses. Instead, the victim would observe attack traffic from the open reflectors being abused by the bot. This raises the possibility that TA17-164A listed open reflectors that were simply “innocent” victims abused by DeltaCharlie or, since DeltaCharlie isn’t known to support LDAP reflection/amplification, perhaps by some other bot entirely. The advisory certainly leaves some open questions.
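As an added example (not code from the original post or from Arbor), the correlation described in the Summary of Attack Data section and the reflection-vector observation above, carried out in Python over constructed attack records: it derives the same kind of summary figures from an indicator list and assigns each matching IP an observed role, since an indicator seen as the source of DNS, LDAP, NTP or chargen traffic is a reflector rather than the bot behind it. The AttackRecord layout, the port-to-service mapping and the sample addresses are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
# UDP services abused for reflection/amplification, as named in the post.
REFLECTION_PORTS = {53: "DNS", 389: "LDAP", 123: "NTP", 19: "chargen"}
@dataclass(frozen=True)
class AttackRecord:
    attack_id: str    # one attack yields one record per source address seen
    src_ip: str       # source address as seen at the victim side
    src_port: int     # a reflection service port means src_ip is itself a reflector
    dst_country: str
    peak_gbps: float
    peak_mpps: float
    hours: float
def pivot(indicators, records):
    """Correlate an IP indicator list with attack records; return the post's summary figures plus an observed role per matching indicator."""
    hits = [r for r in records if r.src_ip in indicators]
    per_ip, vectors, roles = defaultdict(set), defaultdict(set), defaultdict(set)
    for r in hits:
        per_ip[r.src_ip].add(r.attack_id)
        svc = REFLECTION_PORTS.get(r.src_port)
        if svc:  # the victim sees the reflector, never the bot driving it
            vectors[r.attack_id].add(svc)
            roles[r.src_ip].add("reflector")
        else:
            roles[r.src_ip].add("direct source")
    attacks = {r.attack_id for r in hits}
    return {
        "indicators": len(indicators),
        "ips_in_any_attack": len(per_ip),
        "ips_in_multiple_attacks": sum(len(a) > 1 for a in per_ip.values()),
        "attacks": len(attacks),
        "largest_gbps": max((r.peak_gbps for r in hits), default=0.0),
        "largest_mpps": max((r.peak_mpps for r in hits), default=0.0),
        "largest_hours": max((r.hours for r in hits), default=0.0),
        "top_dst_countries": Counter({r.attack_id: r.dst_country for r in hits}.values()).most_common(3),  # one country per attack
        "reflection_share": sum(bool(vectors[a]) for a in attacks) / max(len(attacks), 1),
        "vector_counts": Counter(s for a in attacks for s in vectors[a]),
        "roles": {ip: sorted(rs) for ip, rs in roles.items()},
    }
# Constructed sample data (RFC 5737 documentation ranges), not ATLAS or TA17-164A data.
SAMPLE_INDICATORS = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.5", "203.0.113.7"}
SAMPLE_RECORDS = [
    AttackRecord("A1", "192.0.2.10", 53, "US", 4.30, 4.25, 2.0),       # DNS reflection
    AttackRecord("A1", "192.0.2.11", 53, "US", 4.30, 4.25, 2.0),
    AttackRecord("A2", "192.0.2.10", 389, "GB", 1.20, 0.90, 44.0),     # LDAP reflection
    AttackRecord("A3", "198.51.100.5", 40000, "US", 0.50, 0.40, 1.0),  # direct flood
    AttackRecord("A4", "203.0.113.99", 123, "SA", 2.00, 1.00, 0.5),    # not an indicator
    AttackRecord("A5", "192.0.2.12", 19, "SA", 0.30, 0.20, 3.0),       # chargen reflection
]
```

Running `pivot(SAMPLE_INDICATORS, SAMPLE_RECORDS)` reports 4 of the 5 indicators in at least one attack, a 75% reflection share, and flags only 198.51.100.5 as a direct source; the other matches are reflectors whose operators are victims rather than bot controllers.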
The DDoS attack methodologies which the DeltaCharlie botnet is known to support – DNS reflection/amplification attacks, NTP reflection/amplification attacks, and chargen reflection/amplification attacks – are well understood and can be mitigated using intelligent DDoS mitigation systems (IDMSes) such as Arbor TMS and Arbor APS. The reflection/amplification attack vectors that are not supported by DeltaCharlie, such as the LDAP reflection/amplification attacks noted above, can also be mitigated using an IDMS such as Arbor TMS or Arbor APS. The reflection/amplification countermeasures resident in Arbor IDMS systems are appropriate for mitigating these types of attacks.
This post describes observed DDoS activity emanating from a subset of IP addresses provided in US-CERT’s Technical Alert (TA17-164A) entitled Hidden Cobra – North Korea’s DDoS Botnet Infrastructure. It also illuminates the importance of providing context when sharing indicators. The Hidden Cobra alert is vague in its characterization of the provided IP address-based indicators. It is not clear whether the IPs listed in the report are part of a command-and-control infrastructure, simply bots, or both. It is not even clear that some of the IPs aren’t simply “innocent” reflectors.
This lack of context makes it difficult for responders to act. Security analysts would treat a list of command-and-control servers differently from a list of bots, and differently again from a list of reflectors. Implicitly trusting the US-CERT indicators therefore creates risk: blindly loading such indicators into security systems could potentially cause more harm than good, for example by blocking the reflectors’ legitimate owners rather than the attackers. This can erode trust at the times when it is needed most. Understanding and communicating context is as important as listing indicators of compromise directly.