A North Korean APT hacking group has been linked with “high confidence” to a previously discovered global cyber espionage campaign targeting critical infrastructure around the world.
The attribution rests on new evidence collected by researchers who analyzed a command-and-control (C2) server, seized by law enforcement, that was used in the espionage campaign.
The cyber espionage campaign, dubbed Operation Sharpshooter, which targeted government, defense, nuclear, energy, and financial organizations worldwide, was discovered by McAfee security researchers in December 2018.
Even after discovering numerous technical connections to the North Korean Lazarus hacking group, researchers were unable to immediately attribute the campaign at the time due to the possibility of false flags.
Researchers Analysed Sharpshooter’s Command Server
Now, according to a press release shared with The Hacker News, an analysis of the seized code and command-and-control (C2) server has enabled researchers to comprehend the inner workings of the global cyber espionage campaign, leading them to the conclusion that the North Korean state-sponsored hacking group is behind Operation Sharpshooter.
Lazarus Group, also known as Hidden Cobra and Guardians of Peace, is believed to be supported by the North Korean government and has been linked to the global WannaCry ransomware attack of 2017, the 2016 SWIFT Banking hack, and the 2014 Sony Pictures hack.
The analysis also revealed that the global espionage campaign began a year earlier than previously believed, in September 2017, and is still ongoing.
Newly-discovered evidence suggests that Sharpshooter has widened its focus to include critical infrastructure, with the most recent attacks targeting Germany, Turkey, the United Kingdom, and the United States.
Global Cyber-Espionage Campaign: Operation Sharpshooter
The global espionage campaign spreads via Dropbox-sent malicious documents containing a weaponized macro. Once the document is downloaded and opened, the macro uses embedded shellcode to inject the Sharpshooter downloader into Microsoft Word’s memory.
For further exploitation, this in-memory implant then covertly downloads the second-stage Rising Sun malware, which utilizes source code from the Lazarus Group’s backdoor Trojan Duuzer, which was first distributed in 2015 against South Korean organizations.
The Rising Sun malware then performs reconnaissance on the victim’s network by gathering and encrypting data, such as the computer name, IP address, and native system information of the victim’s devices, among other information.
“It is uncommon to have access to the adversary’s command-and-control server’s source code. These systems, which offer insight into the inner workings of cyber attack infrastructure, are typically seized by law enforcement and are rarely made available to private sector researchers,” said McAfee’s senior principal engineer and chief scientist, Christiaan Beek.
“Access to this code is indispensable for understanding and combating the most prominent and sophisticated cyber attack campaigns of the present day.”
In addition, an examination of the C2 server and file logs revealed an African connection, as the researchers discovered a network block of IP addresses originating from a city in the African nation of Namibia.
“This led McAfee Advanced Threat Research analysts to suspect that the actors behind Sharpshooter tested their implants and other techniques in this region of the world before launching their larger attack campaign,” the researchers say.
The attackers’ C2 infrastructure utilizes a PHP and ASP backend that “appears to be custom and unique to the group” and has been a part of the Lazarus operations since 2017.