Govt. Cyberattacks May Be Linked To Lazarus Group

Dozens of companies around the world were infiltrated by hackers using malicious software programmed to steal information, according to a report by CNBC.

The cybersecurity firm McAfee released research on Dec. 12 detailing the campaign, called Operation Sharpshooter, which targeted defense and government organizations.

The attacks ran from October through November. The hackers targeted 87 entities using phishing methods through social media. The messages were disguised as recruitment campaigns to entice users to open them.

Once a user opened the message, a program called “Rising Sun” was installed. The program gave the hackers backdoor access and allowed them to steal information, including IP addresses, usernames, and network and system configuration data.

Raj Samani, a chief scientist at McAfee, said they’re still figuring out what the hackers ultimately wanted. “We know that this campaign was intended to conduct espionage – indeed, it was only recently launched. The question of the ultimate purpose remains to be seen,” he said. “In many cases, such attacks are a precursor for something else; however, we are hopeful that identifying and sharing the details will prevent the true nature of the campaign from being carried out.”

The attack could be linked to the Lazarus Group, a collective of cybercriminals that has been associated with North Korea, because the attack’s source code drew from the group’s 2015 hack of South Korea. That link is not a certainty, though: McAfee researchers think it might be too obvious, and that the Lazarus connection could be a false flag meant to divert attention from the true perpetrators.

“The original malicious documents were hosted in the U.S.,” Samani said. “In terms of attribution, certainly there are similarities with tactics and code previously attributed to the Lazarus Group – however, we are conscious that this may be an intentional tactic to make it appear so.”

McAfee’s report didn’t identify companies by name, but did say that the attack affected 87 companies across 24 countries, including the U.S., U.K. and Russia.