Researchers link late-2018 'Sharpshooter' infrastructure attacks to North Korea

Analysis of a C&C server shows Lazarus Group trialled Operation Sharpshooter attacks in Africa before targeting the West

Experts have formally connected a series of attacks orchestrated last year against national critical infrastructure to the notorious North Korean hacking outfit Lazarus.

'Operation Sharpshooter', which predominantly targeted defence and government-related organisations between October and November 2018, is far more extensive and complex than first understood.

Researchers with McAfee delved into a seized command and control centre (C&C) responsible for managing the operations and tools behind the global campaign, and learned that the campaign may have begun as early as September 2017.

"Technical evidence is often not enough to thoroughly understand a cyber attack, as it does not provide all the pieces to the puzzle," said McAfee's senior principal engineer and lead scientist Christiaan Beek.

"Access to the adversary's command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyber attack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers.

"The insights gained through access to this code are indispensable in the effort to understand and combat today's most prominent and sophisticated cyber attack campaigns."

Researchers previously hinted that the attacks, which relied on fake job adverts to spread malware to company systems, may bear a strong resemblance to Lazarus' 2016 backdoor Trojan, dubbed Duuzer. But they shied away from making a formal accusation due to a lack of technical indicators.

They initially found that the attack was executed against 87 organisations around the world, mainly in the US, from 25 October 2018. But an analysis of the seized C&C led them to the conclusion that the campaign has actually been underway for more than a year, and has recently pivoted to a host of new targets. These include finance, government and critical infrastructure industries mainly in Germany, Turkey, the UK and US.

The researchers also learned that Lazarus had trialled the attack mechanism that was eventually deployed across the West in the southwestern African nation of Namibia. Analysis of code and file logs uncovered a number of IP addresses originating from Windhoek in Namibia. Moreover, the researchers believe Lazarus is still conducting tests in this region.

Lazarus Group has gained notoriety for its links to several high profile cyber campaigns including the WannaCry ransomware attack that crippled the NHS in 2017.

Research and investigation by authorities and cyber security firms led to the US charging a North Korean programmer last year with conducting several cyber attacks on behalf of the administration. These included a hack against Sony Pictures in 2014 and a theft from the Bangladesh Bank to the tune of $81 million.

"As part of our research into Operation Sharpshooter between October 2018 and February 2019, we observed attacks being conducted in the UK across the Finance, Government and Telecom sectors," McAfee's Beek told IT Pro.

"This is another typical example of cyberespionage where information has been gathered for whatever malicious purposes the adversary has. As always, we would recommend that organisations do their due diligence in order to protect themselves from potential threats and once detected, correct the issues at hand.

"Furthermore, we would also like to stress that industry collaboration must be one of our biggest priorities in the face of organised adversaries with malicious intent. We at McAfee conducted pre-notifications to organizations including victims, law enforcement and CERT partners prior to publication."

McAfee is set to formally present its findings at the RSA security convention in San Francisco this week.
