Analysis of a command-and-control (C2) server awarded to researchers by law enforcement after seizure has provided valuable information on the threat actors behind a global hacking campaign.
Dubbed "Operation Sharpshooter" by McAfee cybersecurity researchers, the campaign was first uncovered in December 2018.
Operation Sharpshooter targets government departments, telecoms, energy, defense, and other organizations worldwide. The attack wave predominantly focuses on targets in the United States, but victims in areas including Russia, the UK, Australia, and other English-speaking countries have also been traced.
Defense and government departments were the central focus of the hacking ring, which the cybersecurity researchers, at first, could only tenuously link to North Korean threat actors by way of the Lazarus Group.
Lazarus is a well-known cyberespionage ring believed to be a state-sponsored -- and state-funded -- which focuses on surveillance and the gathering of valuable intelligence.
McAfee found that an in-memory implant was used by Operation Sharpshooter operators to download a secondary component, a backdoor called Rising Sun which used the same source code as the Duuzer Trojan, malware used in a 2016 campaign conducted by the Lazarus Group.
Duuzer was also connected to the infamous Sony hack, for which a North Korean intelligence officer was charged by the US Department of Justice (DoJ). The same officer was linked to the 2017 WannaCry ransomware outbreak.
In what is an unusual move, government officials seized a C2 server and then gave the researchers access to the asset, which then provided the team with the code and data required for stronger attribution to Lazarus.
This analysis led to the discovery of multiple C2 campaigns linked to Operation Sharpshooter, as well as the suggestion that attacks started far earlier than December 2018 -- with traces of evidence stemming back as far as September 2017.
McAfee says that the campaign, which is ongoing, now appears to have pivoted from a focus on government entities to expand to financial services and critical infrastructure, with the most recent attacks taking place against targets in Germany, Turkey, the UK, and United States.
The seized server has also provided improved visibility into how Operation Sharpshooter operates. The campaign "shares multiple design and tactical overlaps" with past attacks attributed to Lazarus, such as fake job recruitment phishing schemes.
The C2's infrastructure has a core backend written in Hypertext Preprocessor (PHP) and Active Server Pages (ASP) which has been active since 2017 and "appears to be custom and unique to the group," McAfee says.
In addition, the seized C2 has revealed an African connection. A network block of IP addresses found in the C2's server code and logs were traced back to a city in Namibia, which the researchers believe could indicate the attackers tested their implants and other tools in this part of the world before going global.
TechRepublic: Why ransomware attacks are growing more targeted
When it comes to Rising Sun, in particular, McAfee says there is a kind of 'factory' setup in place in which individual components of the malware are developed independently before being bolted-on to the main payload. Some of these components and implants have timestamps dating back to 2016.
"Technical evidence is often not enough to thoroughly understand a cyber attack, as it does not provide all the pieces to the puzzle," says Christiaan Beek, McAfee senior principal engineer, and lead scientist. "Access to the adversary's command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyberattack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers."