Operation Sharpshooter cyber espionage campaign linked with North Korea - McAfee

North Korea-linked campaign more extensive in complexity and scope than previously thought

Security researchers at McAfee have claimed that the Operation Sharpshooter cyber espionage campaign, first exposed in December last year, is likely the work of a North Korean APT hacking group.

McAfee's Advanced Threat Research team arrived at the conclusion after thoroughly analysing the code and data from a vital command-and-control (C2) server, which was handed to the researchers by a government law enforcement agency.

The researchers also found that the Operation Sharpshooter campaign was "more extensive in complexity, scope and duration of operations" than previously thought.

Operation Sharpshooter was first disclosed by McAfee Advanced Threat Research. At that time, the McAfee team found that the hackers penetrated the networks of defence and infrastructure entities using a primary in-memory implant, which enabled them to download a backdoor called 'Rising Sun'.

Security experts identified the campaign's malware in more than 85 organisations worldwide, mostly based in the US, Israel, Switzerland and other European countries.

The researchers also found that the code of 'Rising Sun' was similar to that of Duuzer, a backdoor Trojan from 2015 that the North Korean Lazarus Group used to breach the networks of Sony Pictures Entertainment. However, the researchers did not immediately attribute the campaign to North Korean hackers because of the likelihood of false flags.

Lazarus Group, which is also referred to by the name Hidden Cobra, is linked with the 2016 SWIFT Banking attack and the 2017 WannaCry ransomware attack.

McAfee's latest analysis reveals that Operation Sharpshooter started in September 2017. More recently, the attackers launched several C2 campaigns targeting financial, nuclear, defence, telecom and energy firms based in the US, UK, Germany and Turkey.

According to McAfee, the core backend of the C2 infrastructure is written in PHP and ASP and appears to be unique to the group.

Interestingly, the researchers also uncovered Operation Sharpshooter's African connection by tracing IP addresses in the server logs back to the city of Windhoek in Namibia. The team believes the hackers likely tested their tools in Africa first before attacking organisations globally.

"Access to the adversary's command-and-control server code is a rare opportunity," said Christiaan Beek, lead scientist at McAfee.

"The insights gained through access to this code are indispensable in the effort to understand and combat today's most prominent and sophisticated cyber-attack campaigns," he added.