- The infiltration campaign — called “Operation Sharpshooter” — targeted defense and government organizations, McAfee says.
- The attackers sent individuals at 87 companies messages disguised as recruitment offers to get them to open a malicious document, the cybersecurity firm says.
- Opening the document installed a second program that gave the hackers a backdoor to collect information from the victim's system and send it to a command-and-control server, according to McAfee.
Hackers infiltrated dozens of companies around the world with advanced malicious software that extracted information from their systems, according to McAfee.
Research released by the cybersecurity firm on Wednesday showed that the infiltration campaign — called “Operation Sharpshooter” — targeted defense and government organizations.
The report said that between October and November 2018, the attackers contacted individuals at 87 companies over social media, sending them messages disguised as recruitment campaigns to get them to open a malicious document.
Once the document was opened, it installed a second program called “Rising Sun”, which opened a “backdoor” that gave the hackers the ability to collect intelligence from the compromised system and send it to a command-and-control server. The data gathered included usernames, IP addresses, network configuration and system settings.
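The chain the report describes (a document viewer drops a second program, that program inventories the host, then it connects out to a control server) is a pattern a defender can hunt for in endpoint telemetry without knowing any indicator specific to Rising Sun. The following is an added example written for this page, not code from McAfee's report or the Sharpshooter investigation: it walks a set of constructed Sysmon-style process-creation and network-connection events, flags any process descended from an Office application that makes an outbound connection, and lists the host-reconnaissance commands that process launched first. The event layout, process names, time window and the sample records are all assumptions chosen for illustration.

```python
"""Hunt for the document -> dropped program -> host recon -> outbound connection
chain over endpoint events.  Added example; event schema and process names are
assumptions, not details from McAfee's report."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed names of document viewers and of the recon binaries that would
# produce the username / IP / network-configuration data the report lists.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
RECON_TOOLS = {"whoami.exe", "ipconfig.exe", "systeminfo.exe", "hostname.exe", "net.exe"}
MAX_DEPTH = 4  # how far up the parent chain to look for a document viewer


@dataclass
class Event:
    ts: datetime
    kind: str          # "process" (creation) or "network" (outbound connect)
    pid: int
    image: str         # lower-cased executable name
    ppid: int = 0      # parent pid; process events only
    dest: str = ""     # destination address; network events only


@dataclass
class Finding:
    doc_viewer: str    # Office process at the top of the chain
    implant: str       # its direct child, i.e. the dropped program
    recon: List[str]   # recon tools the implant ran before connecting out
    dest: str          # where the connection went
    ts: datetime


def find_maldoc_chains(events: List[Event]) -> List[Finding]:
    """Return one Finding per outbound connection made by a descendant of an
    Office process.  Connections made by the Office process itself are ignored:
    the page describes a separate dropped program doing the talking."""
    procs: Dict[int, Event] = {}
    children: Dict[int, List[Event]] = {}
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            procs[ev.pid] = ev
            children.setdefault(ev.ppid, []).append(ev)
            continue
        if ev.kind != "network":
            continue
        # Walk up from the connecting process until we hit an Office parent.
        chain: List[Event] = []
        pid = ev.pid
        for _ in range(MAX_DEPTH):
            proc = procs.get(pid)
            if proc is None:
                break
            chain.append(proc)
            if proc.image in OFFICE_APPS:
                break
            pid = proc.ppid
        if len(chain) < 2 or chain[-1].image not in OFFICE_APPS:
            continue  # no Office ancestor, or Office itself made the connection
        implant = chain[-2]
        recon = [c.image for c in children.get(implant.pid, [])
                 if c.image in RECON_TOOLS and c.ts <= ev.ts]
        findings.append(Finding(chain[-1].image, implant.image, recon, ev.dest, ev.ts))
    return findings


# Constructed sample telemetry: one malicious chain plus two benign connections.
T0 = datetime(2018, 11, 2, 9, 14, 0)
SAMPLE_EVENTS = [
    Event(T0, "process", 4120, "winword.exe", ppid=1200),
    Event(T0 + timedelta(seconds=3), "process", 4188, "updater.exe", ppid=4120),
    Event(T0 + timedelta(seconds=4), "process", 4201, "whoami.exe", ppid=4188),
    Event(T0 + timedelta(seconds=5), "process", 4207, "ipconfig.exe", ppid=4188),
    Event(T0 + timedelta(seconds=9), "network", 4188, "updater.exe", dest="203.0.113.10:443"),
    # Benign: Excel itself talking to a cloud service.
    Event(T0 + timedelta(minutes=1), "process", 5300, "excel.exe", ppid=1200),
    Event(T0 + timedelta(minutes=1, seconds=2), "network", 5300, "excel.exe", dest="198.51.100.7:443"),
    # Benign: a browser started from the desktop shell.
    Event(T0 + timedelta(minutes=2), "process", 6100, "chrome.exe", ppid=1200),
    Event(T0 + timedelta(minutes=2, seconds=1), "network", 6100, "chrome.exe", dest="192.0.2.44:443"),
]

if __name__ == "__main__":
    for f in find_maldoc_chains(SAMPLE_EVENTS):
        print(f"{f.ts:%H:%M:%S} {f.doc_viewer} -> {f.implant} ran {f.recon} then connected to {f.dest}")
```

On the sample data only the `winword.exe -> updater.exe` chain is reported; Excel's own connection and the browser's are not. The parent-chain walk is what makes the rule robust to an extra hop (a dropper that launches the real implant), and the recon list gives an analyst an immediate sense of whether the connecting process looks like the inventory-then-exfiltrate behaviour described above rather than an ordinary updater.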
“We know that this campaign was intended to conduct espionage, indeed it was only recently launched. The question of the ultimate purpose remains to be seen,” Raj Samani, chief scientist and fellow at McAfee, told CNBC via email on Wednesday.
“In many cases such attacks are a precursor for something else, however we are hopeful that identifying and sharing the details will prevent the true nature of the campaign from being carried out.”
It appears the attack could be linked to the Lazarus Group, a hacking collective that various cybersecurity firms have associated with North Korea, because the malware drew on source code from an attack that targeted South Korean firms in 2015. However, McAfee researchers said it appeared “too obvious” to conclude that Lazarus was responsible, adding that the attack could be a “false flag” intended to divert attention toward the notorious group.
“The original malicious documents were hosted in the U.S.,” Samani said. “In terms of attribution, certainly there are similarities with tactics and code previously attributed to the Lazarus Group, however we are conscious that this may be an intentional tactic to make it appear so.”
Lazarus has been connected to a spate of high-profile cyberattacks, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack that crippled numerous businesses and institutions around the world.
McAfee’s Samani said that data had been stolen from the companies as a result of the hack, but that the scale of the theft was not yet known.
“We can confirm they have been targeted and certainly many victims have clicked onto the malicious documents and downloaded malware,” Samani said. “However it is unclear how much data was stolen at this stage.”
The McAfee report did not identify any companies affected by the cyberattack, but highlighted that 87 firms across 24 countries — including the U.S., the U.K. and Russia — had been impacted.
“We will continue to monitor this campaign and will report further when we or others in the security industry receive more information,” researchers at McAfee wrote in a blog post.
Date: December 18, 2018