beebright - stock.adobe.com
Security firm McAfee has revealed evidence that the Operation Sharpshooter campaign exposed in 2018 is more extensive in complexity, scope and duration of operations.
The campaign used a malicious Microsoft Word document sent by email that would run a macro to download an implant, which the attackers used to conduct reconnaissance and steal data.
The UK is one of at least 24 countries targeted by the global malware campaign aimed at more than 80 government, military, energy, telecommunications and financial sector organisations.
The researchers were able to get a rare look at the workings of a nation state cyber espionage campaign after being handed a command and control server for the campaign by one of the government’s targeted.
This provided an opportunity to conduct a detailed analysis of code and data from the server responsible for the management of the operations, tools and tradecraft behind the campaign, previously thought to have run from October to November 2018.
The analysis led to the identification of several previously unknown command-and-control centres and indicates that Sharpshooter began as early as September 2017, targeted a broader set of organisations in more industries and countries, and that it is currently ongoing.
“McAfee Advanced Threat Research analysis of the command-and-control server’s code and data provides greater insight into how the perpetrators behind Sharpshooter developed and configured control infrastructure, how they distributed the malware, and how they stealthily tested campaigns prior to launch,” said Raj Samani, McAfee Fellow and chief scientist.
“This intelligence is invaluable in deepening our understanding of the adversary, which ultimately leads to better defences.”
Analysis of the new evidence has exposed striking similarities between the technical indicators, techniques and procedures exhibited in the 2018 Sharpshooter attacks, and aspects of multiple other groups of attacks attributed by the industry to North Korea’s Lazarus Group.
This includes, for example, the group’s use of similar versions of the Rising Sun implant dating back to 2017, and source code from the group’s infamous backdoor Trojan Duuzer used in the Sony cyber attack in 2014 and attacks on organisations in South Korea.
“Technical evidence is often not enough to thoroughly understand a cyber attack, as it does not provide all the pieces to the puzzle,” said Christiaan Beek, McAfee senior principal engineer and lead scientist.
“Access to the adversary’s command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyber attack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers. The insights gained through access to this code are indispensable in the effort to understand and combat today’s most prominent and sophisticated cyber attack campaigns.”
Having begun approximately a year earlier than previously evidenced and still ongoing, these attacks appear to now focus primarily on financial services, government and critical infrastructure, according to the researchers.
The largest number of recent attacks primarily target Germany, Turkey, the UK and the US. Previous attacks focused on telecommunications, government and financial sectors, primarily in the US, Switzerland, Israel and others, including the UK.
Analysis of the new evidence also revealed that Operation Sharpshooter shares multiple design and tactical overlaps with several campaigns, such as a similar fake job recruitment campaign conducted in 2017 that the industry attributes to the Lazarus Group.
Although there were links to Lazarus, researchers were unwilling to confirm that the North Korean group was responsible, citing the possibility that the obvious links were being used as false flags to hide the identity of another attacker, but now the link appears to be more certain and the level of confidence is said to be much higher.
In December 2017, the UK and US governments said the Lazarus Group was responsible for the WannaCry attacks that hit organisations around the globe in May 2017.
McAfee said analysis of the command-and-control server code and file logs also uncovered a network block of IP addresses originating from the city of Windhoek in Namibia. This led McAfee researchers to suspect that the actors behind Sharpshooter may have tested their implants and other techniques in this area of the world prior to launching their broader campaign of attacks.
The attackers have been using a command-and-control infrastructure with the core backend written in Hypertext Preprocessor (PHP) and Active Server Pages (ASP). The code appears to be custom and unique to the group and McAfee’s analysis reveals it has been part of their operations since 2017.
The Sharpshooter attackers used a “factory-like” process, the researchers said, where various malicious components that make up Rising Sun were developed independently outside of the core implant functionality. These components appear in various implants dating back to 2016, which is one indication that the attackers have access to a set of developed functionalities at their disposal.
After the initial discovery of Operation Sharpshooter, McAfee researchers said the malware gained access to target networks through a phishing email masquerading as a recruitment message.
At the time, Samani said despite its sophistication, the campaign depended on a certain degree of social engineering which, with “vigilance and communication” from businesses, could be mitigated.
“Businesses must find the right combination of people, process and technology to effectively protect themselves from the original attack, detect the threat as it appears and, if targeted, rapidly correct systems,” he said.