Hacking campaign on nuclear, defense sectors shares Lazarus Group tools, report says
Hackers behind a new campaign of cyberattacks that have targeted international critical infrastructure facilities are using malicious code linked to North Korea, according to research published Wednesday.
Researchers from McAfee said “Operation Sharpshooter” has numerous technical links to the Lazarus Group, the group of suspected North Korean government hackers blamed for the 2014 breach at Sony Pictures and other well-publicized attacks.
Operation Sharpshooter used a hacking tool called “Rising Sun” to target 87 organizations, mostly in the U.S., between October and November of this year, McAfee said. The cybersecurity vendor did not flatly tie this campaign to the North Korean government.
“Attributing an attack to any threat group is often riddled with challenges, including potential ‘false flag’ operations by other threat actors,” the research states. “Technical evidence alone is not sufficient to attribute this activity with high confidence. However, based on our analysis, this operation shares multiple striking similarities with other Lazarus Group attacks[.]”
The Rising Sun tool is an evolution of a Lazarus-made tool called Duuzer, which circulated in 2015 and was used against South Korea, McAfee said. The email campaign began Oct. 25 with a series of messages that appeared to be from a sender named Richard. Hackers sent English-language emails that appeared to contain job descriptions for positions at unknown companies, though the messages in fact contained malware that would infect a recipient’s machine.
Firms operating in the nuclear, defense, energy and financial sectors were targeted.
“We have not previously observed this implant,” McAfee said. “Based on our telemetry, we discovered that multiple victims … have reported these indicators.”
The operation comes at roughly the same time researchers have blamed the Lazarus Group for a number of other incidents. The North Korean hackers have been especially focused on cryptocurrency exchanges to help the government subvert sanctions, CyberScoop reported last month. Such attacks “will continue unabated, regardless of the U.S. government public attribution of North Korea,” the FBI said in an October advisory obtained by CyberScoop.