Introduction:
Security researchers have exposed the actors behind Operation Sharpshooter, an extensive cyber-espionage campaign against critical infrastructure that McAfee first uncovered last December. A thorough examination of a seized command-and-control (C2) server revealed that the activity is tied to a North Korean APT group, providing insight into the operations and implications of this advanced cyber threat.
The Origins of Operation Sharpshooter:
Security researchers at McAfee discovered Operation Sharpshooter in 2018; it has since become a global menace to government, defense, energy, nuclear and financial organizations. Although North Korea was suspected, the possibility of false flags made it difficult to attribute the campaign to any particular country with confidence.
Linking to North Korean APT Group:
Examination of the seized command-and-control server produced strong evidence that Operation Sharpshooter is connected to the Lazarus Group, a known North Korean government-sponsored hacking group. The group, also known by the aliases Hidden Cobra and Guardians of Peace, has been linked to the WannaCry ransomware attack in 2017 and the Sony Pictures hack in 2014.
Operation Sharpshooter: Global Cyber-Espionage Campaign
The global espionage campaign spreads by delivering malicious documents containing a weaponized macro to targets via Dropbox. Once downloaded and opened, the macro uses embedded shellcode to inject the Sharpshooter downloader into the memory of Microsoft Word. This in-memory implant then covertly downloads the second-stage Rising Sun malware, which reuses source code from the Lazarus Group's backdoor Trojan Duuzer, malware first seen in 2015 targeting organizations in South Korea.
The Rising Sun malware then performs reconnaissance on the victim's network, gathering and encrypting data such as the victim device's computer name, IP address, native system information and more.
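The infection chain described above (and summarised again under Tactics and Techniques) leaves two observable traces on an endpoint: a macro-capable Word document opened from a file-sync folder, and the Word process itself opening network connections because the downloader runs inside Word's memory rather than as a child process. The following is an added detection example, not code from the original article or from McAfee; it runs two such heuristics over constructed Sysmon-style telemetry lines. The event field names, the allowlist of hosts Word is expected to contact, and the sample paths and IP addresses are all assumptions chosen for illustration.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List

# Hostnames the Word process is expected to reach; anything else is flagged.
# Assumption: tune this allowlist to your environment.
EXPECTED_WORD_DESTINATIONS = {"officeclient.microsoft.com", "login.microsoftonline.com"}

# Extensions that can carry a VBA macro (.docx cannot).
MACRO_CAPABLE = (".doc", ".docm", ".dot", ".dotm")

# Path fragments of file-sync clients; the article describes delivery via Dropbox.
SYNC_FOLDER_MARKERS = ("\\dropbox\\", "/dropbox/")

# Constructed sample telemetry (JSON lines, Sysmon-like field names are ours).
SAMPLE_LOG = r'''
{"type":"ProcessCreate","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"\"WINWORD.EXE\" C:\\Users\\alice\\Dropbox\\Strategic_Planning.docm"}
{"type":"NetworkConnect","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","dest_ip":"203.0.113.10","dest_port":443}
{"type":"NetworkConnect","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","dest_host":"officeclient.microsoft.com","dest_ip":"198.51.100.7","dest_port":443}
{"type":"NetworkConnect","image":"C:\\Program Files\\Google\\Chrome\\chrome.exe","dest_ip":"203.0.113.10","dest_port":443}
{"type":"ProcessCreate","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"\"WINWORD.EXE\" C:\\Users\\alice\\Documents\\notes.docx"}
'''


@dataclass
class Alert:
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole batch
    return events


def detect(events: List[dict]) -> List[Alert]:
    """Apply the two heuristics to events generated by WINWORD.EXE."""
    alerts = []
    for ev in events:
        if _basename(ev.get("image", "")) != "winword.exe":
            continue
        if ev.get("type") == "ProcessCreate":
            cmd = ev.get("cmdline", "")
            low = cmd.lower().strip().rstrip('"')
            if any(m in low for m in SYNC_FOLDER_MARKERS) and low.endswith(MACRO_CAPABLE):
                alerts.append(Alert("macro-doc-from-sync-folder", cmd))
        elif ev.get("type") == "NetworkConnect":
            # Prefer a resolved hostname; fall back to the raw destination IP.
            host = ev.get("dest_host") or ev.get("dest_ip", "")
            if host.lower() not in EXPECTED_WORD_DESTINATIONS:
                alerts.append(Alert("word-unexpected-network", f"{host}:{ev.get('dest_port')}"))
    return alerts


def run_sample() -> List[Alert]:
    """Run both heuristics over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.rule}] {alert.detail}")
```

On the constructed sample, the macro-enabled document opened from the Dropbox folder and the Word connection to an unlisted address each raise an alert, while Word's connection to an allowlisted Microsoft host, the browser's connection to the same address and the ordinary .docx from the Documents folder do not. Alerting on the Word process itself making the connection is what matters here: because the downloader is injected into Word's memory, a rule that only watches for suspicious child processes of Office would miss it.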
"Access to the adversary’s command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyber attack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers," said Christiaan Beek, McAfee senior principal engineer, and lead scientist.
"The insights gained through access to this code are indispensable in the effort to understand and combat today’s most prominent and sophisticated cyber attack campaigns."
Moreover, analysis of the C2 server and file logs also revealed an African connection, as the researchers uncovered a network block of IP addresses originating from a city located in the African nation of Namibia.
"This led McAfee Advanced Threat Research analysts to suspect that the actors behind Sharpshooter may have tested their implants and other techniques in this area of the world prior to launching their broader campaign of attacks," the researchers say.
The C2 infrastructure used by the attackers has a core backend written in Hypertext Preprocessor (PHP) and Active Server Pages (ASP), which "appears to be custom and unique to the group" and has been part of Lazarus operations since 2017.
Expansion and Targets:
Operation Sharpshooter's scope has evolved since its discovery, with recent attacks targeting critical infrastructure in Germany, Turkey, the United Kingdom, and the United States. This expansion indicates a strategic shift towards more impactful targets beyond the initial focus on telecommunications, government, and financial sectors.
Tactics and Techniques:
The modus operandi of Operation Sharpshooter involves the distribution of malicious documents containing weaponized macros via Dropbox. Upon opening these documents, victims unwittingly execute a series of actions leading to the injection of malware into the memory of Microsoft Word. This malware, dubbed Rising Sun, facilitates further exploitation by gathering sensitive data and performing reconnaissance within the victim's network.
Insights from Command-and-Control Server Analysis:
Access to the seized command-and-control server has provided unprecedented insights into the infrastructure and operations of the cyber espionage campaign. Analysis revealed the utilization of PHP and ASP scripts, indicating a custom backend infrastructure tailored to the Lazarus Group's objectives. Additionally, traces of activity originating from Namibia suggest preliminary testing of attack techniques in the region before launching broader assaults.
Conclusion:
The attribution of Operation Sharpshooter to a North Korean APT group underscores the persistent and evolving nature of cyber threats targeting critical infrastructure worldwide. This revelation serves as a reminder of the importance of collaborative efforts between cybersecurity researchers, law enforcement agencies, and organizations to mitigate the impact of such sophisticated attacks. As cyber adversaries continue to innovate, staying vigilant and proactive in defense strategies is imperative to safeguarding digital assets and infrastructure.