Researchers link late-2018 'Sharpshooter' infrastructure attacks to North Korea

Analysis of a C&C server shows Lazarus Group trialled Operation Sharpshooter attacks in Africa before targeting the West

North Korea hacking

Experts have formally connected a series of attacks orchestrated last year against national critical infrastructure to the notorious North Korean hacking outfit Lazarus.

'Operation Sharpshooter', which targeted predominately defence and government-related organisations between October and November 2018, is far more extensive and complex than first understood.

Researchers with McAfee delved into a seized a command and control centre (C&C) responsible for managing the operations and tools behind the global campaign, also learning that it may have begun as early as September 2017.

"Technical evidence is often not enough to thoroughly understand a cyber attack, as it does not provide all the pieces to the puzzle," said McAfee's senior principal engineer and lead scientist Christiaan Beek.

Advertisement
Advertisement - Article continues below

"Access to the adversary's command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyber attack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers.

"The insights gained through access to this code are indispensable in the effort to understand and combat today's most prominent and sophisticated cyber attack campaigns."

Researchers previously hinted that the attacks, which relied on fake job adverts to spread malware to company systems, may bear a strong resemblance Lazarus' 2016 backdoor Trojan, dubbed Duuzer. But they shied away from making a formal accusation due to a lack of technical indicators.

They initially found the attack was executed across 87 organisations across the world, but mainly in the US, from 25 October 2018. But an analysis of the seized C&C led them to the conclusion that the campaign has actually been underway for more than a year, and has recently pivoted to a host of new targets. These include finance, government and critical infrastructure industries mainly in Germany, Turkey, the UK and US.

The researchers also learned that Lazurus had trialled the attack mechanism that was eventually deployed across the West in the southwestern African nation of Namibia. Analysis of code and file logs uncovered a number of IP addresses originating from Windhoek in Namibia. Moreover, the researchers believe Lazarus is still conducting tests in this region.

Lazarus Group has gained notoriety for its links to several high profile cyber campaigns including the WannaCry ransomware attack that crippled the NHS in 2017.

Research and investigation by authorities and cyber security firms led to the US charging a North Korean programmer last year of conducting several cyber attacks on behalf of the administration. These included a hack against Sony Pictures in 2014 and a theft from the Bangladesh Bank to the tune of $81 million.

"As part of our research into Operation Sharpshooter between October 2018 and February 2019, we observed attacks being conducted in the UK across the Finance, Government and Telecom sectors," McAfee's Beek told IT Pro.

"This is another typical example of cyberespionage where information has been gathered for whatever malicious purposes the adversary has. As always, we would recommend that organisations do their due diligence in order to protect themselves from potential threats and once detected, correct the issues at hand.

"Furthermore, we would also like to stress that industry collaboration must be one of our biggest priorities in the face of organised adversaries with malicious intent. We at McAfee conducted pre-notifications to organizations including victims, law enforcement and CERT partners prior to publication."

Advertisement
Advertisement - Article continues below

McAfee is set to formally present its findings at the RSA security convention in San Francisco this week.

Featured Resources

Application security fallacies and realities

Web application attacks are the most common vulnerability, so what is the truth about application security?

Download now

Your first step researching Managed File Transfer

Advice and expertise on researching the right MFT solution for your business

Download now

The KPIs you should be measuring

How MSPs can measure performance and evaluate their relationships with clients

Download now

Life in the digital workspace

A guide to technology and the changing concept of workspace

Download now
Advertisement

Recommended

Visit/security/28170/what-is-cyber-warfare
Security

What is cyber warfare?

20 Sep 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/business-strategy/mergers-and-acquisitions/354191/xerox-threatens-hostile-takeover-after-hp-rebuffs
mergers and acquisitions

Xerox threatens hostile takeover after HP rebuffs $30bn takeover

22 Nov 2019
Visit/security/data-breaches/354192/t-mobile-data-breach-affects-more-than-a-million-users
data breaches

T-Mobile data breach affects more than a million users

25 Nov 2019
Visit/mobile/google-android/354189/samsung-galaxy-a90-5g-review-simply-the-best-value-5g-phone
Google Android

Samsung Galaxy A90 5G review: Simply the best value 5G phone

22 Nov 2019
Visit/business-strategy/it-infrastructure/354188/tsb-payment-delays-suggest-second-it-meltdown
IT infrastructure

TSB payment delays suggest second IT meltdown

22 Nov 2019