Researchers link late-2018 'Sharpshooter' infrastructure attacks to North Korea

Analysis of a C&C server shows Lazarus Group trialled Operation Sharpshooter attacks in Africa before targeting the West

North Korea hacking

Experts have formally connected a series of attacks orchestrated last year against national critical infrastructure to the notorious North Korean hacking outfit Lazarus.

'Operation Sharpshooter', which targeted predominately defence and government-related organisations between October and November 2018, is far more extensive and complex than first understood.

Researchers with McAfee delved into a seized a command and control centre (C&C) responsible for managing the operations and tools behind the global campaign, also learning that it may have begun as early as September 2017.

"Technical evidence is often not enough to thoroughly understand a cyber attack, as it does not provide all the pieces to the puzzle," said McAfee's senior principal engineer and lead scientist Christiaan Beek.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Access to the adversary's command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyber attack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers.

"The insights gained through access to this code are indispensable in the effort to understand and combat today's most prominent and sophisticated cyber attack campaigns."

Researchers previously hinted that the attacks, which relied on fake job adverts to spread malware to company systems, may bear a strong resemblance Lazarus' 2016 backdoor Trojan, dubbed Duuzer. But they shied away from making a formal accusation due to a lack of technical indicators.

They initially found the attack was executed across 87 organisations across the world, but mainly in the US, from 25 October 2018. But an analysis of the seized C&C led them to the conclusion that the campaign has actually been underway for more than a year, and has recently pivoted to a host of new targets. These include finance, government and critical infrastructure industries mainly in Germany, Turkey, the UK and US.

The researchers also learned that Lazurus had trialled the attack mechanism that was eventually deployed across the West in the southwestern African nation of Namibia. Analysis of code and file logs uncovered a number of IP addresses originating from Windhoek in Namibia. Moreover, the researchers believe Lazarus is still conducting tests in this region.

Lazarus Group has gained notoriety for its links to several high profile cyber campaigns including the WannaCry ransomware attack that crippled the NHS in 2017.

Advertisement - Article continues below

Research and investigation by authorities and cyber security firms led to the US charging a North Korean programmer last year of conducting several cyber attacks on behalf of the administration. These included a hack against Sony Pictures in 2014 and a theft from the Bangladesh Bank to the tune of $81 million.

"As part of our research into Operation Sharpshooter between October 2018 and February 2019, we observed attacks being conducted in the UK across the Finance, Government and Telecom sectors," McAfee's Beek told IT Pro.

"This is another typical example of cyberespionage where information has been gathered for whatever malicious purposes the adversary has. As always, we would recommend that organisations do their due diligence in order to protect themselves from potential threats and once detected, correct the issues at hand.

"Furthermore, we would also like to stress that industry collaboration must be one of our biggest priorities in the face of organised adversaries with malicious intent. We at McAfee conducted pre-notifications to organizations including victims, law enforcement and CERT partners prior to publication."

McAfee is set to formally present its findings at the RSA security convention in San Francisco this week.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/28170/what-is-cyber-warfare
Security

What is cyber warfare?

20 Sep 2019
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/business-strategy/mergers-and-acquisitions/354602/xerox-to-nominate-directors-to-hps-board-reports
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020