Ongoing global cyber espionage campaign broader than previously known

A detailed analysis of code and data from a command-and-control server responsible for the management of the operations, tools and tradecraft behind the Operation Sharpshooter campaign has revealed evidence that this global cyber espionage campaign is more extensive in complexity, scope and duration of operations.

This content was provided to McAfee for analysis by a government entity that is familiar with McAfee’s published research on this malware campaign.

The analysis led to identification of multiple previously unknown command-and-control centers, and suggest that Sharpshooter began as early as September 2017, targeted a broader set of organizations, in more industries and countries and is currently ongoing.

Operation Sharpshooter

McAfee first uncovered Operation Sharpshooter in December 2018, and found it targeting more than 80 organizations across critical industries including the telecommunications, energy, government and defense sectors.

Analysis of the new evidence has exposed striking similarities between the technical indicators, techniques and procedures exhibited in these 2018 Sharpshooter attacks, and aspects of multiple other groups of attacks attributed by the industry to the Lazarus Group. This includes, for example, the Lazarus group’s use of similar versions of the Rising Sun implant dating back to 2017, and source code from the Lazarus Group’s infamous 2016 backdoor Trojan Duuzer.

Having begun approximately a year earlier than previously evidenced and still ongoing, these attacks appear to now focus primarily on financial services, government and critical infrastructure. The largest number of recent attacks primarily target Germany, Turkey, the United Kingdom and the United States. Previous attacks focused on telecommunications, government and financial sectors, primarily in the United States, Switzerland, and Israel, and others.

Other findings

• Hunting and spearphishing. Operation Sharpshooter shares multiple design and tactical overlaps with several campaigns, for example a very similar fake job recruitment campaign conducted in 2017 that the industry attributes to Lazarus Group.
• African connection. Analysis of the command-and-control server code and file logs also uncovered a network block of IP addresses originating from the city of Windhoek, located in the African nation of Namibia. This led McAfee Advanced Threat Research analysts to suspect that the actors behind Sharpshooter may have tested their implants and other techniques in this area of the world prior to launching their broader campaign of attacks.
• Maintaining access to assets. The attackers have been using a command-and-control infrastructure with the core backend written in Hypertext Preprocessor (PHP) and Active Server Pages (ASP). The code appears to be custom and unique to the group and McAfee’s analysis reveals it has been part of their operations since 2017.
• Evolving Rising Sun. The Sharpshooter attackers used a factory-like process where various malicious components that make up Rising Sun have been developed independently outside of the core implant functionality. These components appear in various implants dating back to 2016, which is one indication that the attackers have access to a set of developed functionalities at their disposal.

“Technical evidence is often not enough to thoroughly understand a cyber attack, as it does not provide all the pieces to the puzzle,” said Christiaan Beek, McAfee senior principal engineer and lead scientist. “Access to the adversary’s command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyberattack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers. The insights gained through access to this code are indispensable in the effort to understand and combat today’s most prominent and sophisticated cyber attack campaigns.”