An espionage campaign that appears to be targeting organisations in South Korea, the US and Canada has intriguing links to code last used by Chinese hacking group APT1 or Comment Crew, according to a report by McAfee’s advanced threat research team.
However, after a six-month investigation, researchers are undecided about whether the espionage campaign – dubbed Operation Oceansalt – means that APT1 is back in business or whether it indicates some kind of code-sharing agreement with a new, unknown group of attackers.
“This research represents how threat actors, including nation states, might collaborate on their campaigns,” the report said.
Alternatively, whoever is responsible for Operation Oceansalt has somehow gained access to the source code, which was never made public, or is deliberately using it as a false flag to point to China-based hackers or to imply cooperation between China and North Korea.
The latest campaign uses an updated version of a data reconnaissance implant used by APT1 in a campaign from 2006 to 2010 against more than 140 US companies, known as Operation Seasalt.
The researchers believe the new version could only have been created by having access to the original source code, which has been modified to make the malware more able to avoid detection.
This behaviour is in line with other nation state operations, which tend to recycle and evolve code, the researchers said.
According to the research report, Oceansalt was launched in five attack “waves” adapted to its targets. The first and second waves were spear phishing-based and began with a malicious Korean-language Microsoft Excel document created in May 2018 that acted as a downloader for the implant.
The Excel document contained information that led McAfee researchers to believe targets were linked to South Korean public infrastructure projects. In all malicious documents, embedded macros were used to contact a download server and wire the Oceansalt implant to disk.
Once connected, the implant was designed to send the IP address and computer name of the targeted machine, as well as the file path of the implant.
The third wave used a Microsoft Word document that carried the same metadata and author as the Excel documents and contained fake information related to the financials of the Inter-Korean Cooperation Fund.
Waves four and five identified a small number of targets outside South Korea, including the US and Canada, as the attackers expanded their scope.
The researchers said that while the implant was clearly designed for espionage purposes, enabling the attackers to carry out remote code execution as well as write and delete files, the overall aim of the campaign remains unclear.
In the report, the researchers considered the possibility that the five waves may be the precursor to a much larger attack because they would have had complete control over the infected machines.
Oceansalt was designed to give the attackers full control of any system it compromised and the network to which it was attached, the researchers said.
“This research represents how threat actors are continuously learning from each other and building upon their peers’ greatest innovations,” said Raj Samani, chief scientist at McAfee.
“McAfee is focused on the indicators of compromise [IoCs] presented in the report to detect, correct and protect systems, regardless of the source of these attacks, in an attempt to protect all potentially targeted organisations.”
Samani, who described Oceansalt as a “major threat campaign”, said the research team had decided to go public to make the IoCs freely available to other potentially targeted organisations after notifying targeted organisations over the past six weeks. They also notified international law enforcement agencies to ensure the report would not affect any current criminal investigations.
“There may be other organisations targeted that we did not come across in our investigation, so it would be worth checking for the IoCs we have identified,” said Samani. “If there are any hits, I would advise the organisation concerned to investigate, as the campaign may still be active.”