WannaCry-linked cyber attacks target US government & defence

Cyber attacks linked with Lazarus Group harvest network information, IP addresses and system data

Cyber attack on company

Research from McAfee has shown that 87 companies have fallen victim to a new cyber espionage campaign which uses fake job advertisements to spread malware to company systems.

Between October and November 2018, the targeted companies, many of which are US-based and defence and government-related organisations, were tricked into downloading documents containing job descriptions sent to them by a social media account posing to be a legitimate job recruiter.

In the two-stage infiltration strategy of 'Operation Sharpshooter', the first phase was to download a Microsoft Word document laden with malicious code. Once open it would trigger a macro prompting a connection to a command and control server (C&C), at which point a second-stage implant known as 'Rising Sun' is downloaded in order to open a backdoor into the victim's system.

After an initial analysis of the operation by McAfee, it's believed that network information, the user's name, their IP address and a host of system data was stolen as a result. How sensitive the stolen data is and what it will be used for is unknown, but nuclear, defence, energy, and financial companies were all targeted.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Operation Sharpshooter is yet another example of a sophisticated, targeted attack being used to gain intelligence for malicious actors," said Raj Samani, chief scientist and fellow at McAfee. "However, despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated."

The attack supposedly bears a strong resemblance to Lazarus Group's 2015 backdoor trojan Duuzer, however, McAfee believes the resemblance is too strong to actually suspect Lazarus was behind the attack.

Lazarus is a prolific cyber criminal outfit suspected to have links with North Korea and, while McAfee is sceptical about the true author of this new cyber attack, the malicious documents contained Korean-language metadata, indicating that the attackers created the initial Word document using a Korean version of Word. All the documents purporting to be job descriptions were distributed by accounts using a US IP address through Dropbox.

McAfee also discovered a PDF document hosted on the same server as the job adverts, which appeared to be a questionnaire from data analytics firm NICE, designed to assess a user's understanding of anti-fraud protection and financial compliance. There's no indication that this document was used during the operation, however, it suggests the attackers have attempted to masquerade themselves as legitimate companies.

Cyber crime and espionage outfit Lazarus has gained a reputation for disruptive and politically-motivated attacks. They made the headlines earlier this year after Symantec discovered that they had been moving further towards financial crime with their FASTCash operation which affected African and Asian ATMs through which the group stole money starting in 2016.

Lazarus is also arguably best known for WannaCry, the ransomware attack that crippled NHS systems in the UK back in 2017.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
Visit/business-strategy/mergers-and-acquisitions/354602/xerox-to-nominate-directors-to-hps-board-reports
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020