RSA CONFERENCE 2019 — San Francisco — Evidence from a command-and-control server has linked a massive campaign against sensitive industries and government agencies to the Lazarus Group, a North Korean state-sponsored operator, cybersecurity firm McAfee announced at the RSA Conference this week.
After gaining access to code and data from the C&C server, McAfee researchers analyzed the evidence and concluded that the campaign — which they dubbed Operation Sharpshooter — started a year earlier than previously thought and targeted a larger group of organizations. In a previous analysis, published in December 2018, McAfee researchers hesitated to connect the campaign to the activities of the Lazarus Group.
"Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags," the company's researchers stated at the time. "Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community."
With the additional evidence from the server used by the attackers to manage their network of compromised systems, McAfee's researchers found that the Sharpshooter campaign used the same software implants and malicious code as the Lazarus Group.
The report highlighted the increasing sophistication as well as the ubiquity of cyber-operations from North Korea, which uses attacks to steal funds, collect intelligence and punish rivals. North Korean groups are among the most brazen state-sponsored attackers, said Tom Kellermann, chief cybersecurity officer with Carbon Black.
"They finally have an A-team, thanks to the tech transfer from Russia," Kellermann said.
An interesting piece of the puzzle is that early attacks focused on networks in Namibia, leading McAfee researchers to conclude that the Sharpshooter group may have used the African nation as a testing ground for its software implants and attack code.
Financial Services, Government Bear Brunt of Attacks
Getting access to the command-and-control server gave McAfee researchers the evidence needed to connect Operation Sharpshooter to the Lazarus Group, Christiaan Beek, McAfee senior principal engineer and lead scientist, said in a statement.
"Access to the adversary’s command-and-control server code is a rare opportunity," Beek said. "These systems provide insights into the inner workings of cyberattack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers."
The most recent attacks mainly focused on financial services, government agencies, and critical infrastructure, McAfee stated. The attackers primarily targeted Germany, Turkey, the United Kingdom and the United States. Earlier attacks had also focused on telecommunications companies and had included Israel as one of the primary targets.
In a survey of financial services CISOs, Carbon Black found that two-thirds of respondents had faced more cyberattacks in the last 12 months than the same period the prior year. While social engineering attacks remain the most common — with 79% of firms encountering highly targeted phishing attacks — 32% of firms detected attacks coming from third parties, such as suppliers and partners.
In addition, destructive attacks against financial institutions — a hallmark of many North Korean operations — have become more common, with a quarter of all attacks having a component that destroys or encrypts data.
"You see this transition now from bank heists to a hostage situation," Kellermann said. "These attacks are not being leveraged at the beginning of the attack, but at the end … They want to be punitive on their way out, because they know they are being reacted to."
Needed: Subtler Incident Response
Much of this is a reaction to incident responders trying to stop attackers and clean up compromised servers and workstations, Kellermann said. About a third of institutions surveyed experienced some form of counter incident-response reaction from attackers, either destroying data or using a sleep cycle to wake up secondary command-and-control channels.
"We are being too loud in how we conduct incident response, and we are being a bit too cocky by immediately terminating command and control," he said. "This really highlights our need to become better at how we conduct the ultimate investigation."
Attackers are also using sophisticated techniques such as steganography — hiding data in images or other file types — as either a secondary command-and-control channel or as a way of delivering additional malware payloads to the targeted server.
"Embedding multiple content types within a single file … has been a common technique seen in many malware droppers for some time," Carbon Black stated in its report. "This technique is used to evade detection on the network wire and on the endpoint as well as hide content on disk in familiar file types such as images."
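As an added illustration (not code from McAfee, Carbon Black or the report), here is the check a defender can run over image files found on disk to catch the "second content type glued onto a familiar file" pattern: walk the PNG chunk structure to the IEND chunk, validate each chunk's CRC, and report any bytes that follow the image's real end. The sample image and the appended marker string are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def png_image_end(data: bytes):
    """Return the offset just past the IEND chunk, or None if the data is not
    a structurally valid PNG (bad signature, truncated chunk, CRC mismatch,
    or no IEND chunk at all)."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return None  # chunk claims more bytes than the file has
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return None  # corrupted or hand-edited chunk
        pos = end
        if ctype == b"IEND":
            return pos
    return None


def trailing_payload(data: bytes):
    """Bytes appended after a valid PNG's IEND chunk; b"" if none,
    None if the input is not a well-formed PNG in the first place."""
    end = png_image_end(data)
    return None if end is None else data[end:]


# Constructed 1x1 grayscale PNG: IHDR, one IDAT (filter byte + one pixel), IEND.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN_PNG = (PNG_SIG + png_chunk(b"IHDR", IHDR)
             + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
# Constructed dropper-style sample: a valid image with other content appended.
STOWAWAY_PNG = CLEAN_PNG + b"CONSTRUCTED-APPENDED-CONTENT"

if __name__ == "__main__":
    print(len(trailing_payload(CLEAN_PNG)), len(trailing_payload(STOWAWAY_PNG)))
```

This only catches content appended past the image's end; data hidden inside pixel values (true steganography) still renders as a normal picture and needs statistical or per-tool analysis instead.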