Government

Hacking campaign on nuclear, defense sectors shares Lazarus Group tools, report says

“Operation Sharpshooter” has numerous technical links to the group of suspected North Korean government hackers blamed for the 2014 breach at Sony Pictures and other well-publicized attacks, according to McAfee researchers.

By Jeff Stone

December 12, 2018

Hackers behind a new campaign of cyberattacks that have targeted international critical infrastructure facilities are using malicious code linked to North Korea, according to research published Wednesday.

Researchers from McAfee said “Operation Sharpshooter” has numerous technical links to the Lazarus Group, the group of suspected North Korean government hackers blamed for the 2014 breach at Sony Pictures and other well-publicized attacks.

Operation Sharpshooter used a hacking tool called “Rising Sun” to target 87 organizations, mostly in the U.S., between October and November of this year, McAfee said. The cybersecurity vendor did not flatly tie this campaign to the North Korean government.

“Attributing an attack to any threat group is often riddled with challenges, including potential ‘false flag’ operations by other threat actors,” the research states. “Technical evidence alone is not sufficient to attribute this activity with high confidence. However, based on our analysis, this operation shares multiple striking similarities with other Lazarus Group attacks[.]”

The Rising Sun tool is an evolution of a Lazarus-made tool called Duuzer, which circulated in 2015 and was used against South Korea, McAfee said. The email campaign began Oct. 25 with a series of messages that appeared to be from a sender named Richard. Hackers sent English-language emails that appeared to contain job description for positions at unknown companies, though the messages in fact the contained malware that would infect a recipient’s machine.

Firms operating in the nuclear, defense, energy and financial sectors were targeted.

“We have not previously observed this implant,” McAfee said. “Based on our telemetry, we discovered that multiple victims … have reported these indicators.”

The operation comes at roughly the same time researchers have blamed the Lazarus Group for a number of other incidents. The North Korean hackers have been especially focused on cryptocurrency exchanges to help the government subvert sanctions, CyberScoop reported last month. Such attacks “will continue unabated, regardless of the U.S. government public attribution of North Korea,” the FBI said in an October advisory obtained by CyberScoop.

Hacking campaign on nuclear, defense sectors shares Lazarus Group tools, report says

More Like This

House passes bill to limit personal data purchases by law enforcement, intelligence agencies

With a mysterious surveillance target identified, calls for Congress to change course

Biden executive order seeks to cut China off from Americans’ sensitive data

Top Stories

Mandiant: Notorious Russian hacking unit linked to breach of Texas water facility

‘Large volume’ of data stolen from UN agency after ransomware attack

More Scoops

North Korean hacking ops continue to exploit Log4Shell

Latest North Korean hack targeting cryptocurrency shows troubling evolution, experts say

Supply chain cyberattack with possible links to North Korea could have thousands of victims globally

Chinese hackers targeted U.S. political reporters just ahead of Jan. 6 attack, researchers say

Treasury updates Lazarus Group sanctions with digital currency address linked to Ronin Bridge hack

Alleged North Korean hackers scouted crypto exchange employees before stealing currency, researchers say

Suspected North Korean hackers set up fake company to target researchers, Google says

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics