WannaCry-linked cyber attacks target US government & defence

Cyber attack on company

Research from McAfee has shown that 87 companies have fallen victim to a new cyber espionage campaign which uses fake job advertisements to spread malware to company systems.

Between October and November 2018, the targeted companies, many of which are US-based and defence and government-related organisations, were tricked into downloading documents containing job descriptions sent to them by a social media account posing to be a legitimate job recruiter.

In the two-stage infiltration strategy of 'Operation Sharpshooter', the first phase was to download a Microsoft Word document laden with malicious code. Once open it would trigger a macro prompting a connection to a command and control server (C&C), at which point a second-stage implant known as 'Rising Sun' is downloaded in order to open a backdoor into the victim's system.

After an initial analysis of the operation by McAfee, it's believed that network information, the user's name, their IP address and a host of system data was stolen as a result. How sensitive the stolen data is and what it will be used for is unknown, but nuclear, defence, energy, and financial companies were all targeted.

"Operation Sharpshooter is yet another example of a sophisticated, targeted attack being used to gain intelligence for malicious actors," said Raj Samani, chief scientist and fellow at McAfee. "However, despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated."

The attack supposedly bears a strong resemblance to Lazarus Group's 2015 backdoor trojan Duuzer, however, McAfee believes the resemblance is too strong to actually suspect Lazarus was behind the attack.

Lazarus is a prolific cyber criminal outfit suspected to have links with North Korea and, while McAfee is sceptical about the true author of this new cyber attack, the malicious documents contained Korean-language metadata, indicating that the attackers created the initial Word document using a Korean version of Word. All the documents purporting to be job descriptions were distributed by accounts using a US IP address through Dropbox.

McAfee also discovered a PDF document hosted on the same server as the job adverts, which appeared to be a questionnaire from data analytics firm NICE, designed to assess a user's understanding of anti-fraud protection and financial compliance. There's no indication that this document was used during the operation, however, it suggests the attackers have attempted to masquerade themselves as legitimate companies.

Cyber crime and espionage outfit Lazarus has gained a reputation for disruptive and politically-motivated attacks. They made the headlines earlier this year after Symantec discovered that they had been moving further towards financial crime with their FASTCash operation which affected African and Asian ATMs through which the group stole money starting in 2016.

Lazarus is also arguably best known for WannaCry, the ransomware attack that crippled NHS systems in the UK back in 2017.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.