Global hacking campaign takes aim at finance, defence and energy companies

Targets around the world are in the sights of a cyber espionage operation, which could have links to North Korea.
Written by Danny Palmer, Senior Writer

A global hacking operation is targeting government departments, defence, telecoms and other high-tech organisations around the world in what appears to be the first stage of a cyber espionage campaign.

Dubbed Operation Sharpshooter by researchers at McAfee, the new campaign has only been active for a matter of weeks, but hit 87 organisations in 24 countries during October and November alone. The apparent aim of the operation is intelligence gathering.

While organisations across the globe have been targeted by the campaign, analysis by McAfee suggests that victims are predominantly in the US.

Organisations in South America, Europe, the Middle East, India, Australia and Japan, among others, have also fallen victim to the campaign -- in most cases they're English-speaking or have an English-speaking regional office.

The main focus of the attackers appears to be defence and government departments, but businesses in the telecommunications, energy, nuclear and financial sectors have also been targeted in the espionage campaign.

Researchers note that the attacks display many of the hallmarks of the Lazarus Group, a hacking group working on behalf of the interests of North Korea -- but say that alone isn't enough to confirm attribution.

"Technical indicators solely being used to determine attribution are fraught with difficulty, subsequently we have to consider that this could well be an attack with false flags to point to the Lazarus group," Raj Samani, chief scientist and fellow at McAfee told ZDNet.

The operation began on October 25, with a series of phishing emails masquerading as recruitment emails sent to a number of targets. All of the malicious Word documents share the author name -- Richard -- and contain job descriptions for positions at various companies.

The documents contain a malicious macro that uses embedded shellcode to inject a downloader for the Sharpshooter malware into the memory of the Word process. That downloader then retrieves the second stage of the campaign: the Rising Sun implant.
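The infection chain above starts with a macro-bearing Word document whose metadata carries a shared author name. The following is an added triage example, not code from the article or from McAfee: it inspects an OOXML (.docm/.docx) container for an embedded VBA project and reads the document's `dc:creator` property, then returns a verdict. The older binary `.doc` format is not a zip and would need a different parser; the sample documents are constructed in memory, and the `WATCHLIST_AUTHORS` set is a hypothetical policy list seeded with the author name the article reports.

```python
"""Triage helper for macro-bearing Word documents (added example, not from the
article or the McAfee report). Assumes OOXML (.docm/.docx) zip containers."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces used by docProps/core.xml in OOXML packages.
CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}

# Hypothetical watch list: the article reports that the campaign's lures
# shared the author name "Richard". Author metadata is trivially forged,
# so this is a triage signal rather than a reliable detection on its own.
WATCHLIST_AUTHORS = {"Richard"}


def inspect_document(data: bytes) -> dict:
    """Return the creator name and whether a VBA project is embedded."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # A VBA macro project is stored as word/vbaProject.bin in OOXML.
        has_macro = "word/vbaProject.bin" in names
        author = None
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            node = root.find("dc:creator", CORE_NS)
            if node is not None and node.text:
                author = node.text.strip()
    return {"author": author, "has_macro": has_macro}


def triage(data: bytes) -> str:
    """Map inspection results to a verdict: quarantine, review or allow."""
    info = inspect_document(data)
    if info["has_macro"] and info["author"] in WATCHLIST_AUTHORS:
        return "quarantine"
    if info["has_macro"]:
        # Any macro from an unsolicited "recruitment" mail deserves a look.
        return "review"
    return "allow"


def build_sample(author: str, with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing (constructed sample, not a real lure)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{CORE_NS["cp"]}" xmlns:dc="{CORE_NS["dc"]}">'
        f"<dc:creator>{escape(author)}</dc:creator></cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real OLE-packaged VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for author, macro in (("Richard", True), ("Richard", False), ("Alice", True)):
        print(author, macro, "->", triage(build_sample(author, macro)))
```

Presence of `word/vbaProject.bin` is the durable signal here; the author check only narrows the queue. In production the "review" bucket would feed a sandbox or a macro-stripping gateway rather than a human, and the watch list would be refreshed from the vendor's published indicators.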


Rising Sun is a modular backdoor that performs reconnaissance on the victim's network, giving the attackers access to machine-level information including documents, usernames, network configuration and system settings. This information is sent to a command and control server.

The malware can also execute various commands, retrieve additional files, clear memory and delete traces of its activity.

"Operation Sharpshooter is yet another example of a sophisticated, targeted attack being used to gain intelligence for malicious actors," said Samani.

"However, despite its sophistication, this campaign depends on a certain degree of social engineering which, with vigilance and communication from businesses, can be easily mitigated."

Analysis of Rising Sun suggests that it shares code and configuration data with Duuzer, a family of trojan malware used in the Sony hack -- an incident which the United States holds North Korea responsible for.

However, the decryption scheme of Rising Sun is different, suggesting it could be an evolution of Duuzer. If it is, it wouldn't be the first example of North Korean hackers re-using old code to build new attacks -- as McAfee has previously noted.

Whoever is behind Operation Sharpshooter, it seems unlikely that this is the end of the campaign. "Regardless of the security solution being used, organizations should update their systems. Equally organizations may want to run the IoCs in their environments," said Samani.
