Olivier Le Moal - stock.adobe.co

Social engineering at the heart of critical infrastructure attack

Social engineering is the core technique used in a series of cyber attacks targeting government, defence, nuclear, energy and financial organisations around the world, which means people are key to defence

The UK is one of 24 countries targeted by a global malware campaign aimed at government, military, energy and financial sector organisations, uncovered by security firm McAfee.

Dubbed Operation Sharpshooter, the campaign hit close to 100 organisations in 24 countries between October and November 2018.

After gaining access through a phishing email masquerading as a recruitment message, Sharpshooter used an in-memory implant to download the Rising Sun implant, which is a fully functional, modular backdoor that performs reconnaissance on a victim’s network to access machine-level information, including documents, usernames, network configuration and system settings.  

Rising Sun is an evolution of the backdoor Trojan Duuzer used in the Sony cyber attack in 2014 and attacks on organisations in South Korea.

Operation Sharpshooter has numerous other technical links to the North Korean hacking group Lazarus, but McAfee researchers said these were too obvious to immediately draw the conclusion that the group was responsible for this campaign, indicating the potential use of false flags

In October and November 2018, the researchers found the Rising Sun implant in 87 organisations across the globe, mainly in the US, with most of the targeted organisations either English speaking or with an English-speaking regional office.

The discovery of this new, high-function implant is another example of how targeted attacks attempt to gain intelligence, the researchers said.

Analysis reveals that the malware moves in several steps. The initial attack vector is a document that contains a weaponised macro to download the next stage, which runs in memory and gathers intelligence. The victim’s data is sent to a control server for monitoring by the actors, who then determine the next steps. 

The researchers said it was still unclear whether the attacks they observed were a first-stage reconnaissance operation with more to come. “We will continue to monitor this campaign and will report further when we or others in the security industry receive more information,” they said.

“Despite its sophistication, Operation Sharpshooter depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated”
Raj Samani, McAfee

Raj Samani, chief scientist and fellow at McAfee, said Operation Sharpshooter was yet another example of a sophisticated, targeted attack being used to gain intelligence for malicious actors.

“However, despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated,” he said.

“Businesses must find the right combination of people, process and technology to effectively protect themselves from the original attack, detect the threat as it appears and, if targeted, rapidly correct systems.”

Inadequate phishing response

David Mount, director of sales and engineering for Europe at anti-phishing training firm Cofense, said the company’s research showed that 78% of European companies surveyed have experienced a security incident originating with a deceptive email.

“So it’s not surprising that targeted, socially engineered attacks like Operation Sharpshooter have been successful. With 57% saying their phishing response ranges from ineffective to mediocre, employees are often thought of as the problem regarding phishing,” he said.

“However, our simulation data trends suggest that people can actually be the strongest link in the chain. A trained user base can and will report phishing and fraud at higher rates than they fail, which is true across almost all industries and directly refutes the widely accepted assumption for many businesses.”

Organisations cannot defend against attacks they cannot see, said Mount, adding that this was “particularly relevant to Operation Sharpshooter.

“In June 2017, Cofense Intelligence published a strategic analysis covering the use of file-sharing services such as Dropbox as a tactic to bypass perimeter controls – a tactic employed by the Sharpshooter campaign. However, by conditioning users to recognise and report these kinds of attacks, organisations can strengthen this last line of defence and protect users.”

Read more about phishing


Read more on Hackers and cybercrime prevention

Data Center
Data Management