March 4, 2019
The campaign has been linked to North Korea's Lazarus Group. The links emerged from an analysis of a seized command-and-control server.
Law enforcement recently gave researchers access to a seized command-and-control (C2) server for analysis. In the process, the researchers retrieved valuable information about the entities behind a worldwide hacking campaign. The campaign was first discovered in December 2018, when McAfee researchers dubbed it "Operation Sharpshooter."
Operation Sharpshooter targets defense, energy, telecoms, government departments, and other organizations around the world. The attack wave primarily focuses on targets in the United States, but victims have also been identified in Australia, the UK, Russia, and other, largely English-speaking, countries.
The Central Focus of the Hack
The central focus of the hacking ring was government and defense departments. At first, the researchers could only tentatively link the campaign to threat actors of North Korean origin, specifically the Lazarus Group. Lazarus is a well-known cyber-espionage group believed to be state-funded and state-sponsored, and it is known for intelligence gathering and surveillance.
McAfee found that the operators of Operation Sharpshooter used an in-memory implant to download a second-stage component called Rising Sun. Rising Sun is a backdoor that closely resembles the Duuzer Trojan, which the Lazarus Group used in a 2016 campaign. Notably, Rising Sun shares source code with Duuzer.
Duuzer has also been connected to the notorious Sony hack, for which the United States Department of Justice (DoJ) indicted a North Korean intelligence officer. The same officer has been linked to the 2017 WannaCry ransomware outbreak.
What did Government do that was Unusual?
Government officials seized a C2 server and then granted the researchers access to it. Seizing such infrastructure is routine; handing it to private-sector researchers is the unusual step. The team obtained a large amount of data and code from the server, which was enough to establish a strong connection to Lazarus.
During their examination, the researchers discovered several C2 campaigns, all linked to Operation Sharpshooter. The server data also suggests that the attacks began well before the campaign was discovered in December 2018: evidence traces go back as far as September 2017.
An Ongoing Campaign, according to McAfee
McAfee has stated that the campaign is ongoing. According to the company, the operators now appear to have moved beyond government entities to target critical infrastructure and financial services. The most recent attacks have hit targets in the United States, the UK, Turkey, and Germany.
The seized server has provided improved visibility into how Operation Sharpshooter operates. The campaign "shares multiple design and tactical overlaps" with past attacks attributed to Lazarus, including schemes built around fake job-recruitment phishing lures.
The C2 infrastructure has a core backend written in Active Server Pages (ASP) and PHP (Hypertext Preprocessor) that has been active since 2017. McAfee says it "appears to be custom and unique to the group."
The seized C2 also revealed an African connection. IP addresses from a network block found in the server code, and log entries, traced back to a city in Namibia. The researchers believe this could indicate that the attackers tested their implants and other tools locally before taking the attack global.
McAfee believes a kind of "factory" setup is in place, particularly for Rising Sun: the malware and its individual components are developed independently and then combined into the primary payload. Timestamps on these implants and components date back to 2016.
Concluding thoughts on the incident from McAfee
Christiaan Beek, lead scientist and senior principal engineer at McAfee, said that "technical evidence is often not enough to thoroughly understand a cyber-attack, as it does not provide all the pieces of the puzzle." He added: "Access to the adversary's command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyber-attack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers."