WannaCry-linked cyber attacks target US government & defence

Cyber attacks linked with Lazarus Group harvest network information, IP addresses and system data

Research from McAfee has shown that 87 companies have fallen victim to a new cyber espionage campaign which uses fake job advertisements to spread malware to company systems.

Between October and November 2018, the targeted companies, many of which are US-based defence and government-related organisations, were tricked into downloading documents containing job descriptions sent to them by a social media account posing as a legitimate job recruiter.

In the two-stage infiltration strategy of 'Operation Sharpshooter', the first phase was to download a Microsoft Word document laden with malicious code. Once opened, it would trigger a macro that connected to a command and control (C&C) server, from which a second-stage implant known as 'Rising Sun' was downloaded to open a backdoor into the victim's system.

After an initial analysis of the operation by McAfee, it's believed that network information, the user's name, their IP address and a host of system data were stolen as a result. How sensitive the stolen data is and what it will be used for is unknown, but nuclear, defence, energy and financial companies were all targeted.

"Operation Sharpshooter is yet another example of a sophisticated, targeted attack being used to gain intelligence for malicious actors," said Raj Samani, chief scientist and fellow at McAfee. "However, despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated."

The attack supposedly bears a strong resemblance to Lazarus Group's 2015 backdoor trojan Duuzer; however, McAfee believes the resemblance is too strong to credibly conclude that Lazarus was behind the attack.

Lazarus is a prolific cyber criminal outfit suspected of having links with North Korea. While McAfee is sceptical about the true author of this new cyber attack, the malicious documents contained Korean-language metadata, indicating that the attackers created the initial Word document using a Korean version of Word. All the documents purporting to be job descriptions were distributed through Dropbox by accounts using a US IP address.
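As an added defender-side example (not code from the article or from McAfee), the script below statically triages a Word file for the two traits the article attributes to the lure: an embedded VBA project, and language tags in the document's XML parts. The article does not say which metadata field carried the Korean-language signal, so treating `ko-*` values of OOXML `w:lang` attributes as that signal is an assumption, and the sample packages are constructed inside the script rather than taken from the campaign.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Attributes of the OOXML <w:lang> element, e.g.
# <w:lang w:val="en-US" w:eastAsia="ko-KR"/> in word/styles.xml.
LANG_ELEM = re.compile(r"<w:lang\b([^>]*)>")
LANG_ATTR = re.compile(r'w:(?:val|eastAsia|bidi)="([A-Za-z]{2,3}(?:-[A-Za-z]{2,4})?)"')


@dataclass
class Triage:
    has_macro: bool                          # word/vbaProject.bin is present
    lang_tags: set = field(default_factory=set)
    korean_lang: bool = False                # any ko-* tag seen (assumed signal)


def triage_office_doc(data: bytes) -> Triage:
    """Static triage of a docx/docm: does it carry a VBA project, and which
    language tags do its word/*.xml parts declare? Nothing is executed."""
    tags: set = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        has_macro = any(n.lower().endswith("vbaproject.bin") for n in names)
        for n in names:
            if n.startswith("word/") and n.endswith(".xml"):
                text = z.read(n).decode("utf-8", errors="replace")
                for elem in LANG_ELEM.finditer(text):
                    tags.update(LANG_ATTR.findall(elem.group(1)))
    korean = any(t.lower().startswith("ko") for t in tags)
    return Triage(has_macro, tags, korean)


def build_sample(with_macro: bool, east_asia: str) -> bytes:
    """Constructed minimal OOXML package for demonstration only; not a real lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document><w:body/></w:document>")
        z.writestr("word/styles.xml",
                   '<w:styles><w:docDefaults><w:rPr>'
                   f'<w:lang w:val="en-US" w:eastAsia="{east_asia}"/>'
                   '</w:rPr></w:docDefaults></w:styles>')
        if with_macro:
            z.writestr("word/vbaProject.bin", b"CONSTRUCTED-STUB")  # placeholder
    return buf.getvalue()
```

Run `triage_office_doc(open("suspect.docm", "rb").read())` on a quarantined file to get the macro flag and language tags in one object; a macro plus an unexpected east-Asian language default is a reason to escalate, not proof of origin.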

McAfee also discovered a PDF document hosted on the same server as the job adverts, which appeared to be a questionnaire from data analytics firm NICE, designed to assess a user's understanding of anti-fraud protection and financial compliance. There's no indication that this document was used during the operation, but it suggests the attackers have attempted to masquerade as legitimate companies.

Cyber crime and espionage outfit Lazarus has gained a reputation for disruptive and politically-motivated attacks. They made the headlines earlier this year after Symantec discovered that they had been moving further towards financial crime with their FASTCash operation, which targeted ATMs in Africa and Asia and through which the group has stolen money since 2016.

Lazarus is also arguably best known for WannaCry, the ransomware attack that crippled NHS systems in the UK back in 2017.
