Security firm links extensive cyber espionage campaign to North Korean hacker group

A prominent hacking group tied to North Korea is believed to be behind an extensive cyber espionage campaign that has targeted key sectors, including government, defense, energy and critical infrastructure organizations, security firm McAfee revealed Sunday.

The hacking group Lazarus continues to carry out these attacks in what McAfee calls “Operation Sharpshooter.”

The firm, which says it discovered the operation in December 2018, believes the campaign could’ve started as early as September 2017 and that it is “more extensive in complexity, scope and duration of operations” than previously believed. At the time, McAfee said they had found that roughly 80 organizations across a series of key industries were targeted. {mosads}

The firm says it was able to attribute the cyber espionage campaign to the Lazarus Group because a government entity provided “command-and-control” data to McAfee for analysis — data that revealed “technical indicators and procedures that overlap between the two,” according to McAfee’s report.

“Until now, there wasn’t enough technical evidence for the threat research team to confidently attribute the attacks to Lazarus, but due to the non-typical access McAfee had to the data on the seized control servers the adversaries used, confidence levels are now much higher,” the report says.

Christiaan Beek, McAfee senior principal engineer and lead scientist, called this access to command-and-control server code as a “rare opportunity.”

“These systems provide insights into the inner workings of cyberattack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers. The insights gained through access to this code are indispensable in the effort to understand and combat today’s most prominent and sophisticated cyber attack campaigns,” Beek said in a statement.

The Lazarus Group has also shifted its attacks and largely gone after finance, government and critical infrastructure entities around the world, according to the research. Most of the targets were located in the U.S., the U.K., Germany and Turkey.

There was also evidence of them carrying out some attacks in Africa.

“Analysis of the command-and-control server code and file logs uncovered a network block of IP addresses originating from the city of Windhoek in Namibia, Africa, leading McAfee to believe this is where Lazarus is now testing implants in the region prior to broader attacks,” the report says.

McAfee researchers say this group was able to breach major organizations by using “unadvanced” and run-of-the-mill spearphishing attacks, in which emails containing malware were “masked as extremely convincing job recruitments, to gain access to systems.” 

The Lazarus Group, which is considered to be both active and sophisticated, has carried out a series of high-profile cyberattacks.

U.S. authorities blamed Lazarus Group for the 2014 cyberattack that devastated Sony Pictures Entertainment, costing the studio millions of dollars and smearing its reputation in a high-profile hack.

The entertainment company stoked anger within the North Korean government over its production of “The Interview,” a controversial comedy in which two American men attempted to kill North Korean leader Kim Jong Un.

Lazarus Group is also believed to be behind the WannaCry attacks that caused major disruptions and affected institutions across the globe.