WannaCry-linked cyber attacks target US government & defence

Cyber attacks linked with Lazarus Group harvest network information, IP addresses and system data


Research from McAfee has shown that 87 companies have fallen victim to a new cyber espionage campaign which uses fake job advertisements to spread malware to company systems.

Between October and November 2018, the targeted companies, many of which are US-based and defence and government-related organisations, were tricked into downloading documents containing job descriptions sent to them by a social media account posing as a legitimate job recruiter.

In the two-stage infiltration strategy of 'Operation Sharpshooter', the first phase was the download of a Microsoft Word document laden with malicious code. Once opened, the document would trigger a macro that prompted a connection to a command and control (C&C) server, at which point a second-stage implant known as 'Rising Sun' was downloaded in order to open a backdoor into the victim's system.

After an initial analysis of the operation by McAfee, it's believed that network information, the user's name, their IP address and a host of system data were stolen as a result. How sensitive the stolen data is and what it will be used for are unknown, but nuclear, defence, energy, and financial companies were all targeted.


"Operation Sharpshooter is yet another example of a sophisticated, targeted attack being used to gain intelligence for malicious actors," said Raj Samani, chief scientist and fellow at McAfee. "However, despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated."

The attack supposedly bears a strong resemblance to Lazarus Group's 2015 backdoor trojan Duuzer. However, McAfee believes the resemblance is too strong to actually suspect Lazarus was behind the attack.

Lazarus is a prolific cyber criminal outfit suspected to have links with North Korea and, while McAfee is sceptical about the true author of this new cyber attack, the malicious documents contained Korean-language metadata, indicating that the attackers created the initial Word document using a Korean version of Word. All the documents purporting to be job descriptions were distributed by accounts using a US IP address through Dropbox.

McAfee also discovered a PDF document hosted on the same server as the job adverts, which appeared to be a questionnaire from data analytics firm NICE, designed to assess a user's understanding of anti-fraud protection and financial compliance. There's no indication that this document was used during the operation, but it suggests the attackers have attempted to masquerade as legitimate companies.

Cyber crime and espionage outfit Lazarus has gained a reputation for disruptive and politically-motivated attacks. The group made the headlines earlier this year after Symantec discovered that it had been moving further towards financial crime with its FASTCash operation, which affected African and Asian ATMs and through which the group stole money starting in 2016.

Lazarus is also arguably best known for WannaCry, the ransomware attack that crippled NHS systems in the UK back in 2017.
