WannaCry-linked cyber attacks target US government & defence

Cyber attacks linked with Lazarus Group harvest network information, IP addresses and system data

Cyber attack on company

Research from McAfee has shown that 87 companies have fallen victim to a new cyber espionage campaign which uses fake job advertisements to spread malware to company systems.

Between October and November 2018, the targeted companies, many of which are US-based and defence and government-related organisations, were tricked into downloading documents containing job descriptions sent to them by a social media account posing to be a legitimate job recruiter.

Advertisement - Article continues below

In the two-stage infiltration strategy of 'Operation Sharpshooter', the first phase was to download a Microsoft Word document laden with malicious code. Once open it would trigger a macro prompting a connection to a command and control server (C&C), at which point a second-stage implant known as 'Rising Sun' is downloaded in order to open a backdoor into the victim's system.

After an initial analysis of the operation by McAfee, it's believed that network information, the user's name, their IP address and a host of system data was stolen as a result. How sensitive the stolen data is and what it will be used for is unknown, but nuclear, defence, energy, and financial companies were all targeted.

"Operation Sharpshooter is yet another example of a sophisticated, targeted attack being used to gain intelligence for malicious actors," said Raj Samani, chief scientist and fellow at McAfee. "However, despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated."

Advertisement - Article continues below
Advertisement - Article continues below

The attack supposedly bears a strong resemblance to Lazarus Group's 2015 backdoor trojan Duuzer, however, McAfee believes the resemblance is too strong to actually suspect Lazarus was behind the attack.

Lazarus is a prolific cyber criminal outfit suspected to have links with North Korea and, while McAfee is sceptical about the true author of this new cyber attack, the malicious documents contained Korean-language metadata, indicating that the attackers created the initial Word document using a Korean version of Word. All the documents purporting to be job descriptions were distributed by accounts using a US IP address through Dropbox.

McAfee also discovered a PDF document hosted on the same server as the job adverts, which appeared to be a questionnaire from data analytics firm NICE, designed to assess a user's understanding of anti-fraud protection and financial compliance. There's no indication that this document was used during the operation, however, it suggests the attackers have attempted to masquerade themselves as legitimate companies.

Advertisement - Article continues below

Cyber crime and espionage outfit Lazarus has gained a reputation for disruptive and politically-motivated attacks. They made the headlines earlier this year after Symantec discovered that they had been moving further towards financial crime with their FASTCash operation which affected African and Asian ATMs through which the group stole money starting in 2016.

Lazarus is also arguably best known for WannaCry, the ransomware attack that crippled NHS systems in the UK back in 2017.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The road to recovery

30 Jun 2020