Hackers are targeting critical infrastructure providers, including nuclear power and defense agencies, in what may be a state-sponsored attack that's hiding behind North Korean code.
Discovered by McAfee and dubbed "Sharpshooter", the operation has been running since November, largely focusing on US-based or English-speaking companies and agencies around the world with an emphasis on nuclear, defense, energy, and financial businesses.
It appears that, for now, the hacking operation is focused mostly on reconnaissance and harvesting sensitive information from the infected machines. McAfee did not note any behavior related to damaging or sabotaging infrastructure.
As with most well-organized cyber-raids, the Sharpshooter operation goes after key members of the targeted companies with phishing emails that are tightly targeted, in this case pretending to be from a job recruiting agency seeking English-speaking applicants, we were told today.
The emails contain poisoned Word documents (researchers note the version used to craft them was Korean-localized) that then look to install the first piece of malware: an in-memory module that dials up a control server.
Once connected to the control server, the infected PC then downloads and executes a secondary malware payload known as Rising Sun. The Rising Sun malware does most of the heavy lifting in the campaign, monitoring network activity as well as collecting information from the infected machine that is then encrypted and sent back to the control servers.
McAfee noted that the attack, particularly the malware payload used, borrows heavily from source code used by Lazarus Group, a North Korean hacking operation blamed for attacks on both infrastructure and financial agencies.
That doesn't, however, mean that the group is behind the operation. In fact, McAfee says it strongly suspects the connections to be a red herring.
"Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags," McAfee explained.
It would not be unheard of for another group or government to be borrowing source code from Lazarus. Earlier this year researchers showed how the US government's own attack tools had been torn down, repackaged, and sent back into the wild against new targets.
Because of this, McAfee says that, for now, it will hold off on any speculation as to who might be behind the attack. ®