McAfee Research Gives Rare Look Inside Command and Control of Nation-State Cyber Espionage Campaign

3 Mar by Vitaliy Dadalyan

Key Findings

  • Command-and-control server data and code analyzed by McAfee reveal
    the inner workings of a global cyber espionage campaign
  • The server data and code show evidence of a year-long campaign
    pre-dating the previously reported 2018 activity
  • The ongoing campaign primarily targets finance, government and
    critical infrastructure globally

SAN FRANCISCO–(BUSINESS WIRE)–RSA Conference USA 2019 – McAfee today revealed
evidence that the Operation Sharpshooter campaign exposed in 2018 is more
extensive in complexity, scope and duration of operations than first
reported. McAfee Advanced Threat Research conducted a detailed analysis of
code and data from a command-and-control server responsible for managing
the operations, tools and tradecraft behind this global cyber espionage
campaign. This content was provided to McAfee for analysis by a government
entity that is familiar with McAfee’s published research on the malware
campaign. The analysis led to the identification of multiple previously
unknown command-and-control servers, and suggests that Sharpshooter began
as early as September 2017, targeted a broader set of organizations across
more industries and countries, and is currently ongoing.

“McAfee Advanced Threat Research analysis of the command-and-control
server’s code and data provides greater insight into how the
perpetrators behind Sharpshooter developed and configured control
infrastructure; how they distributed the malware; and how they
stealthily tested campaigns prior to launch,” said Raj Samani, McAfee
Fellow and chief scientist. “This intelligence is invaluable in
deepening our understanding of the adversary, which ultimately leads to
better defenses.”

In December 2018, McAfee Advanced Threat Research first uncovered
Operation Sharpshooter, a global cyber espionage campaign targeting more
than 80 organizations across critical industries including the
telecommunications, energy, government and defense sectors. Analysis of
the new evidence has exposed striking similarities between the technical
indicators, techniques and procedures exhibited in the 2018 Sharpshooter
attacks and aspects of multiple other groups of attacks attributed by the
industry to the Lazarus Group. This includes, for example, the Lazarus
Group’s use of similar versions of the Rising Sun implant dating back to
2017, and source code from the Lazarus Group’s infamous 2016 backdoor
Trojan Duuzer.

“Technical evidence is often not enough to thoroughly understand a cyber
attack, as it does not provide all the pieces to the puzzle,” said
Christiaan Beek, McAfee senior principal engineer and lead scientist.
“Access to the adversary’s command-and-control server code is a rare
opportunity. These systems provide insights into the inner workings of
cyberattack infrastructure, are typically seized by law enforcement, and
only rarely made available to private sector researchers. The insights
gained through access to this code are indispensable in the effort to
understand and combat today’s most prominent and sophisticated cyber
attack campaigns.”

Having begun approximately a year earlier than previously evidenced and
still ongoing, these attacks now appear to focus primarily on financial
services, government and critical infrastructure. The largest number of
recent attacks target Germany, Turkey, the United Kingdom and the United
States. Earlier attacks focused on the telecommunications, government and
financial sectors, primarily in the United States, Switzerland and Israel,
among other countries.

Other Findings

  • Hunting and spearphishing. Operation Sharpshooter shares
    multiple design and tactical overlaps with several campaigns, for
    example a very similar fake job recruitment campaign conducted in 2017
    that the industry attributes to Lazarus Group.
  • African connection. Analysis of the command-and-control server
    code and file logs also uncovered a network block of IP addresses
    originating from the city of Windhoek, located in the African nation
    of Namibia. This led McAfee Advanced Threat Research analysts to
    suspect that the actors behind Sharpshooter may have tested their
    implants and other techniques in this area of the world prior to
    launching their broader campaign of attacks.
  • Maintaining access to assets. The attackers have been using a
    command-and-control infrastructure with the core backend written in
    Hypertext Preprocessor (PHP) and Active Server Pages (ASP). The code
    appears to be custom and unique to the group and McAfee’s analysis
    reveals it has been part of their operations since 2017.
  • Evolving Rising Sun. The Sharpshooter attackers used a
    factory-like process where various malicious components that make up
    Rising Sun have been developed independently outside of the core
    implant functionality. These components appear in various implants
    dating back to 2016, which is one indication that the attackers have
    access to a set of developed functionalities at their disposal.

About McAfee

McAfee is the device-to-cloud cybersecurity company. Inspired by the
power of working together, McAfee creates business and consumer
solutions that make our world a safer place. www.mcafee.com

About McAfee Labs and Advanced Threat Research

McAfee Labs and McAfee Advanced Threat Research are a leading source for
threat research, threat intelligence, and cybersecurity thought
leadership. With data from over a billion sensors across key threat
vectors (file, web, message, and network), McAfee Labs and McAfee Advanced
Threat Research deliver real-time threat intelligence, critical analysis,
and expert thinking to improve protection and reduce risks.

McAfee® and the McAfee logo are trademarks of McAfee, LLC or its
subsidiaries in the United States and other countries. Other marks and
brands may be claimed as the property of others.

Contacts

Taylor Dunton
McAfee
[email protected]