McAfee research explores command and control of the Sharpshooter nation-state driven campaign
- Published: Tuesday, 05 March 2019 09:06
McAfee has used the RSA Conference USA as a platform to reveal evidence that the Operation Sharpshooter campaign exposed in 2018 is more extensive in complexity, scope and duration of operations than first believed. McAfee Advanced Threat Research conducted a detailed analysis of code and data from a command-and-control server responsible for the management of the operations, tools and tradecraft behind this global cyber espionage campaign. This content was provided to McAfee for analysis by a government entity that is familiar with McAfee’s published research on this malware campaign. The analysis led to the identification of multiple previously unknown command-and-control centers, and suggests that Sharpshooter began as early as September 2017, targeted a broader set of organizations, in more industries and countries, than first thought, and is currently ongoing.
“McAfee Advanced Threat Research analysis of the command-and-control server’s code and data provides greater insight into how the perpetrators behind Sharpshooter developed and configured control infrastructure; how they distributed the malware; and how they stealthily tested campaigns prior to launch,” said Raj Samani, McAfee Fellow and chief scientist. “This intelligence is invaluable in deepening our understanding of the adversary, which ultimately leads to better defenses.”
In December 2018, McAfee Advanced Threat Research first uncovered Operation Sharpshooter, a global cyber espionage campaign targeting more than 80 organizations across critical industries including the telecommunications, energy, government and defense sectors. Analysis of the new evidence has exposed striking similarities between the technical indicators, techniques and procedures exhibited in these 2018 Sharpshooter attacks, and aspects of multiple other groups of attacks attributed by the industry to the Lazarus Group. This includes, for example, the Lazarus Group’s use of similar versions of the Rising Sun implant dating back to 2017, and source code from the Lazarus Group’s infamous 2016 backdoor Trojan Duuzer.
“Technical evidence is often not enough to thoroughly understand a cyber attack, as it does not provide all the pieces to the puzzle,” said Christiaan Beek, McAfee senior principal engineer and lead scientist. “Access to the adversary’s command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyber attack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers. The insights gained through access to this code are indispensable in the effort to understand and combat today’s most prominent and sophisticated cyber attack campaigns.”
Having begun approximately a year earlier than previously evidenced and still ongoing, these attacks appear to now focus primarily on financial services, government and critical infrastructure. The largest number of recent attacks primarily target Germany, Turkey, the United Kingdom and the United States. Previous attacks focused on the telecommunications, government and financial sectors, primarily in the United States, Switzerland and Israel, among others.
Other findings include:
- Hunting and spear phishing. Operation Sharpshooter shares multiple design and tactical overlaps with several campaigns, for example, a very similar fake job recruitment campaign conducted in 2017 that the industry attributes to Lazarus Group.
- African connection. Analysis of the command-and-control server code and file logs also uncovered a network block of IP addresses originating from the city of Windhoek, located in the African nation of Namibia. This led McAfee Advanced Threat Research analysts to suspect that the actors behind Sharpshooter may have tested their implants and other techniques in this area of the world prior to launching their broader campaign of attacks.
- Maintaining access to assets. The attackers have been using a command-and-control infrastructure with the core backend written in Hypertext Preprocessor (PHP) and Active Server Pages (ASP). The code appears to be custom and unique to the group, and McAfee’s analysis reveals it has been part of their operations since 2017.
- Evolving Rising Sun. The Sharpshooter attackers used a factory-like process where various malicious components that make up Rising Sun have been developed independently outside of the core implant functionality. These components appear in various implants dating back to 2016, which is one indication that the attackers have a set of developed functionalities at their disposal.