Researchers link late-2018 'Sharpshooter' infrastructure attacks to North Korea

Abstract image showing a cyber criminal silhouetted against a North Korean flag
(Image credit: Shutterstock)

Experts have formally connected a series of attacks orchestrated last year against national critical infrastructure to the notorious North Korean hacking outfit Lazarus.

'Operation Sharpshooter', which targeted predominately defence and government-related organisations between October and November 2018, is far more extensive and complex than first understood.

Researchers with McAfee delved into a seized a command and control centre (C&C) responsible for managing the operations and tools behind the global campaign, also learning that it may have begun as early as September 2017.

"Technical evidence is often not enough to thoroughly understand a cyber attack, as it does not provide all the pieces to the puzzle," said McAfee's senior principal engineer and lead scientist Christiaan Beek.

"Access to the adversary's command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyber attack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers.

"The insights gained through access to this code are indispensable in the effort to understand and combat today's most prominent and sophisticated cyber attack campaigns."

Researchers previously hinted that the attacks, which relied on fake job adverts to spread malware to company systems, may bear a strong resemblance Lazarus' 2016 backdoor Trojan, dubbed Duuzer. But they shied away from making a formal accusation due to a lack of technical indicators.

They initially found the attack was executed across 87 organisations across the world, but mainly in the US, from 25 October 2018. But an analysis of the seized C&C led them to the conclusion that the campaign has actually been underway for more than a year, and has recently pivoted to a host of new targets. These include finance, government and critical infrastructure industries mainly in Germany, Turkey, the UK and US.

The researchers also learned that Lazurus had trialled the attack mechanism that was eventually deployed across the West in the southwestern African nation of Namibia. Analysis of code and file logs uncovered a number of IP addresses originating from Windhoek in Namibia. Moreover, the researchers believe Lazarus is still conducting tests in this region.

Lazarus Group has gained notoriety for its links to several high profile cyber campaigns including the WannaCry ransomware attack that crippled the NHS in 2017.

Research and investigation by authorities and cyber security firms led to the US charging a North Korean programmer last year of conducting several cyber attacks on behalf of the administration. These included a hack against Sony Pictures in 2014 and a theft from the Bangladesh Bank to the tune of $81 million.

"As part of our research into Operation Sharpshooter between October 2018 and February 2019, we observed attacks being conducted in the UK across the Finance, Government and Telecom sectors," McAfee's Beek told IT Pro.

"This is another typical example of cyberespionage where information has been gathered for whatever malicious purposes the adversary has. As always, we would recommend that organisations do their due diligence in order to protect themselves from potential threats and once detected, correct the issues at hand.

"Furthermore, we would also like to stress that industry collaboration must be one of our biggest priorities in the face of organised adversaries with malicious intent. We at McAfee conducted pre-notifications to organizations including victims, law enforcement and CERT partners prior to publication."

McAfee is set to formally present its findings at the RSA security convention in San Francisco this week.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.