A well-known hacking group connected to North Korea is allegedly behind a cyber espionage campaign targeting government, defence, nuclear, energy and financial organisations around the world, according to a McAfee report published on Sunday (3 March).
The Lazarus Group, a hacking group linked to North Korea, continues to carry out these attacks in what McAfee calls ‘Operation Sharpshooter’.
The security firm, which discovered the operation in December 2018, believes that the campaign started in September 2017 and that it is “more extensive in complexity, scope, and duration of operations” than it previously anticipated.
At that time, McAfee said the campaign had targeted more than 80 government, military, energy, telecommunications, and financial sector organisations.
C2 server data
The researchers were able to attribute the attacks to the Lazarus Group because an unnamed government organisation provided "command and control server data" to McAfee.
The data revealed "striking similarities" between the "technical indicators, techniques, and procedures exhibited in these 2018 Sharpshooter attacks, and aspects of multiple other groups of attacks attributed by the industry to the Lazarus Group", according to McAfee's report.
McAfee found that the group used an in-memory implant to download a secondary component, a backdoor called Rising Sun, which reuses source code from the Duuzer Trojan, malware used in a 2016 campaign attributed to the Lazarus Group.
Duuzer has also been connected to the 2014 Sony Pictures hack, for which a North Korean intelligence officer was charged by the US Department of Justice (DoJ) in 2018. The same officer was also linked to the WannaCry ransomware outbreak in 2017.
The attacks began approximately a year earlier than previously evidenced and are still ongoing; they now appear to focus primarily on financial services, government and critical infrastructure, McAfee said.
The largest number of recent attacks target Germany, Turkey, the UK and the US. Previously, attacks focused on the telecommunications, government and financial sectors, primarily in the US, Switzerland, Israel and others, including the UK.
“Shares multiple design and tactical overlaps”
Analysis of the new evidence also revealed that Operation Sharpshooter “shares multiple design and tactical overlaps” with previous attacks attributed to Lazarus, such as fake job recruitment campaigns conducted in 2017.
The C2 infrastructure has a core back-end written in PHP (Hypertext Preprocessor) and Active Server Pages (ASP) that has been active since 2017, and the code appears to be "custom and unique to the group", McAfee said.
Researchers also found a set of IP addresses originating from the city of Windhoek, located in the African nation of Namibia. This led McAfee Advanced Threat Research analysts to suspect that the actors behind the Sharpshooter campaign may have tested their implants and other tools in this part of the world before going global.
The researchers said the hackers used a "factory-like" process in which the various components that make up Rising Sun were developed independently of the core implant functionality. "These components appear in various implants dating back to 2016, which is one indication the attackers have access to a set of developed functionalities at their disposal," researchers said.
"Technical evidence is often not enough to thoroughly understand a cyber-attack, as it does not provide all the pieces to the puzzle," said Christiaan Beek, McAfee senior principal engineer and lead scientist.
“Access to the adversary’s command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyber-attack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers. The insights gained through access to this code are indispensable in the effort to understand and combat today’s most prominent and sophisticated cyber-attack campaigns.”