Malware “Operation Sharpshooter” Discovered Targeting Critical Global Assets
Hackers have targeted dozens of government and defence firms around the world as part of a malicious cyberspying campaign dubbed “Operation Sharpshooter.”
According to the cybersecurity firm McAfee, cybercriminals have infiltrated several companies around the globe with malware that extracted information from their systems.
Yesterday, the company released research which revealed that crafty hackers had launched a cyber infiltration campaign, dubbed Operation Sharpshooter. This campaign mainly targeted English-speaking organisations around the world.
The campaign went after defence, nuclear, energy and financial organisations in the US, UK, Canada, Australia, New Zealand, Russia, India and elsewhere; however, the bulk of the attacks focused on the US.
Between October and November, the hackers targeted individuals at 87 companies through social media messages that masqueraded as recruitment campaigns to entice them to open a malicious document.
Once opened, the document installed another program, called Rising Sun, which opened a backdoor that let the hackers extract intelligence and send it on to a control server. This gave the hackers access to usernames, documents, IP addresses, network configuration and system settings data.
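The chain described above (a lure document opened in an Office application, a second program installed from it, and that program talking to a control server) is the kind of sequence endpoint telemetry can flag. The following is an added detection example written for this article, not code from McAfee's research; the event format, host names, file paths and destination address are all constructed, and the allowlist of benign Office child processes is an illustrative assumption, not a complete list.

```python
"""Toy detector for the infection chain described above: an Office process
(opened on a document) spawns a non-allowlisted child executable, and that
child later makes an outbound network connection. Everything below, including
the sample events, is constructed for this example."""

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children Office legitimately spawns; assumed allowlist, not exhaustive.
BENIGN_CHILDREN = {"splwow64.exe"}

# Constructed sample telemetry: hypothetical hosts, paths and addresses.
EVENTS = [
    {"ts": 1, "host": "ws01", "type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE Job_Offer.docx"},
    {"ts": 2, "host": "ws01", "type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe"},
    {"ts": 3, "host": "ws01", "type": "network", "pid": 200,
     "dest": "203.0.113.10", "port": 443},
    {"ts": 4, "host": "ws02", "type": "process", "pid": 300, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE report.docx"},
    {"ts": 5, "host": "ws02", "type": "process", "pid": 301, "ppid": 300,
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe"},
    {"ts": 6, "host": "ws02", "type": "network", "pid": 301,
     "dest": "192.0.2.5", "port": 9100},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return alerts as (host, office_pid, child_pid, 'dest:port') for every
    Office process whose non-allowlisted child later initiated an outbound
    connection. Events are processed in timestamp order so a parent is always
    seen before its children."""
    procs = {}            # (host, pid) -> process event
    suspect_children = {}  # (host, pid) -> pid of the Office parent
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process":
            procs[key] = ev
            parent = procs.get((ev["host"], ev["ppid"]))
            if (parent is not None
                    and basename(parent["image"]) in OFFICE_IMAGES
                    and basename(ev["image"]) not in BENIGN_CHILDREN):
                suspect_children[key] = parent["pid"]
        elif ev["type"] == "network" and key in suspect_children:
            alerts.append((ev["host"], suspect_children[key], ev["pid"],
                           f'{ev["dest"]}:{ev["port"]}'))
    return alerts


if __name__ == "__main__":
    for host, office_pid, child_pid, dest in detect_chain(EVENTS):
        print(f"{host}: Office pid {office_pid} spawned pid {child_pid}, "
              f"which connected to {dest}")
```

The second host in the sample data shows why the allowlist matters: Office spawning the print helper and that helper talking to a printer is routine, so only the first host produces an alert. In practice the allowlist would be tuned from an environment's own baseline, and a hit would be enriched with the child's file hash and signing status before anyone acts on it.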
Raj Samani, chief scientist and fellow at McAfee, said: “We know that this campaign was intended to conduct espionage, indeed it was only recently launched.
“The question of the ultimate purpose remains to be seen. In many cases such attacks are a precursor for something else, however we are hopeful that identifying and sharing the details will prevent the true nature of the campaign from being carried out.”
Red Flag Operation?
The attack draws code from the notorious Lazarus Group’s 2015 backdoor Trojan Duuzer, which was used in the infamous Sony Pictures Entertainment hack in 2014 and the 2017 WannaCry ransomware attack.
The Lazarus Group is a cybercrime collective that has been associated with North Korea because it drew from the source code of a hack that targeted South Korean firms.
However, McAfee has concluded that the attack was “too obvious” for it to be the work of the group but added that the attack could be a false flag operation aimed at diverting attention toward the group.
Samani said: “The original malicious documents were hosted in the U.S. In terms of attribution, certainly there are similarities with tactics and code previously attributed to the Lazarus Group; however, we are conscious that this may be an intentional tactic to make it appear so.”
At this time, McAfee has not identified how much data has been stolen, but says it will continue to monitor the campaign and report further information as and when it discovers more details. It has not disclosed which companies were affected but noted that the 87 firms were spread across 24 countries.