Researchers have confirmed the Operation Sharpshooter APT campaign uncovered in December 2018 is likely the work of North Korean hackers, and has been active for a year longer than previously thought.
McAfee revealed today that it was given a rare insight into the inner workings of such a group after a government entity handed over code and data from a key command-and-control (C&C) server.
This helped it conclude that the campaign was more complex, wide-ranging and long-lasting than at first thought.
In fact, it’s believed to have begun in September 2017 and is still active today, focusing on finance, government and critical infrastructure targets primarily in Germany, Turkey, the UK and US.
McAfee first revealed its analysis of Operation Sharpshooter in December last year, claiming it targeted government, defense, nuclear, energy and financial organizations — infecting 87 of them with a modular backdoor implant known as Rising Sun.
This malware, which enabled the hackers to perform reconnaissance and steal information, shared code with Duuzer, a 2015 backdoor Trojan used in the notorious attack on Sony Pictures Entertainment carried out by North Korean hackers.
However, there were suspicions initially that links to Pyongyang may have been a deliberate false flag strategy.
These were dismissed by the new evidence, with the security vendor now even more confident of the connection to the hermit nation’s notorious Lazarus Group. For example, the campaign uses a fake job recruitment lure attributed to the group.
Those initial phishing emails contain a weaponized macro-based document which, if opened, will covertly download the second-stage Rising Sun malware.
The group is also using custom code written in PHP and ASP to maintain its C&C infrastructure, and appears to be testing some implants and techniques in Africa prior to launching them elsewhere.
McAfee also described the development of Rising Sun components as “factory like,” with modules produced independently outside of the core functionality.
“Technical evidence is often not enough to thoroughly understand a cyber-attack, as it does not provide all the pieces to the puzzle,” said Christiaan Beek, McAfee senior principal engineer and lead scientist.
“Access to the adversary’s C&C server code is a rare opportunity. These systems provide insights into the inner workings of cyber-attack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers. The insights gained through access to this code are indispensable in the effort to understand and combat today’s most prominent and sophisticated cyber-attack campaigns.”