North Korean hacking attempts actively targeting US businesses and “critical infrastructure” continued even while President Trump met with North Korean dictator Kim Jong Un in Hanoi this past week, according to a report published by cybersecurity firm McAfee on Sunday.
McAfee says it found that the attacks, which have targeted “nuclear, defense, energy, and financial companies,” began as early as September 2017 and are still ongoing.
The report indicates that the attacks were part of a coordinated effort known as Operation Sharpshooter, first identified by McAfee Advanced Threat Research in December 2018. The attacks emerged in September 2017, around the time tensions between the US and North Korea were flaring, with President Trump referring to Kim as “Rocket Man” and North Korea launching yet another ballistic missile over Japan.
The New York Times reports that McAfee researchers gained access to one of the main computer servers used to carry out the attacks, thanks to an unnamed foreign law enforcement agency:
The McAfee researchers said they watched, in real time, as the North Koreans attacked the computer networks of more than a hundred companies in the United States and around the globe. Last month, they expanded their targets to companies in Turkey, operating from a block of internet addresses traced to Namibia, one of the few countries that still maintains friendly relations with Pyongyang.
“They are very, very, very active. It’s been nonstop,” said Raj Samani, McAfee’s chief scientist. “We’ve seen them hit in excess of 100 victims.”
(The New York Times)
Most of the attacks were in the United States and concentrated on targets in Houston, a center of the oil and gas industry, and New York, a finance hub. The Times goes on to note that other major targets included “London, Madrid, Tokyo, Tel Aviv, Rome, Bangkok, Taipei, Seoul and Hong Kong,” while “Russia and mainland China, two countries that have maintained cordial relations with North Korea, were relatively untouched.”
McAfee believes the attacks are linked to the well-known North Korean hacking outfit known as the Lazarus Group. Per its report, analysis indicated “striking similarities” between the procedures and techniques of the Operation Sharpshooter attacks and those attributed to the Lazarus Group, including, for example, “the Lazarus group’s use of similar versions of the Rising Sun implant dating back to 2017, and source code from the Lazarus Group’s infamous 2016 backdoor Trojan Duuzer.”
Bitcoin Magazine describes the Lazarus Group, also known as HIDDEN COBRA, as the world’s largest cryptocurrency hacking syndicate, responsible for the 2014 Sony hack and the WannaCry ransomware outbreak, as well as numerous instances of military espionage and attacks on South Korean businesses. Cybersecurity firm Group-IB reported in October 2018 that the state-sponsored group had stolen $571 million in cryptocurrency since January 2017 across 14 separate attacks.
McAfee’s analysis showed that in the latest rounds of attacks, the hackers posed as legitimate industry recruiters and emailed targets about job opportunities. When a victim opened the attachment or followed the link embedded in the spoofed email, the attackers gained control of the device via tools such as the “Rising Sun” implant.
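As an added illustration, not taken from the McAfee report or from this article, the following Python script applies a few generic checks that a mail-security team might use to triage recruiter-themed lures of the kind described above: a Reply-To domain that differs from the sender, a recruitment-themed subject, an Office attachment that carries a VBA macro project, and a link whose visible text points at a different host than its real target. The indicator list, keyword set, and the two sample messages are assumptions constructed here for the example; no real campaign data is included.

```python
"""Heuristic triage for recruiter-themed phishing lures (added example).

Assumptions (not from the McAfee report or the article): the indicators,
keyword list and sample messages below are illustrative choices made for
this example; the messages are constructed inline, not captured mail.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lure vocabulary; a real deployment would tune this per organisation.
JOB_WORDS = re.compile(r"\b(job|career|position|opening|recruit\w*|opportunit\w*|hiring)\b", re.I)
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls", ".ppt")
OOXML_EXTS = (".docx", ".xlsx", ".pptx")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _host(url_like):
    """Hostname of a URL or bare 'www.' string, lower-cased."""
    s = url_like.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def has_vba(payload):
    """True if an OOXML (zip) payload contains a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw):
    """Return a list of human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    if JOB_WORDS.search(msg.get("Subject", "")):
        flags.append("recruitment-themed subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(MACRO_EXTS):
            flags.append(f"macro-capable attachment {name}")
        elif name.endswith(OOXML_EXTS) and has_vba(data):
            flags.append(f"attachment {name} carries vbaProject.bin")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in ANCHOR.findall(body.get_content()):
            if re.match(r"(?:https?://|www\.)", text.strip(), re.I) and _host(text) != _host(href):
                flags.append(f"link text {_host(text)} hides target {_host(href)}")
    return flags


def _zip(names):
    """Build a minimal OOXML-like zip with the given member names (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"x")
    return buf.getvalue()


def _build(from_, reply_to, subject, html, attach_name, attach_bytes):
    """Assemble a constructed multipart message and return its raw bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_, "analyst@example.com", subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("plain text fallback")
    m.add_alternative(html, subtype="html")
    m.add_attachment(attach_bytes, maintype="application", subtype="octet-stream", filename=attach_name)
    return m.as_bytes()


# Constructed samples (assumed content; no real campaign data).
PHISH = _build("Talent Team <talent@example-recruiting.com>", "talent.reply@example.net",
               "Senior Reactor Engineer opportunity",
               '<p>Apply at <a href="http://198.51.100.7/apply">https://careers.example.com/jobs</a></p>',
               "Job_Description.docx", _zip(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]))
BENIGN = _build("HR <hr@example.com>", None, "Q3 expense report",
                '<p>See <a href="https://intranet.example.com/q3">https://intranet.example.com/q3</a></p>',
                "report.docx", _zip(["[Content_Types].xml", "word/document.xml"]))

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(label, triage(raw))
```

The macro check inspects the archive rather than trusting the extension, since a macro-bearing document can be renamed to `.docx`; the link check only fires when the visible text itself looks like a URL, which is the case a recruiter lure exploits. These heuristics are a triage aid, not a verdict: a legitimate recruiter can trip the subject and Reply-To rules, so the output should feed an analyst queue or a sandbox, not an automatic block.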
North Korea has recently become a leading cybersecurity threat, but as CNN points out, its focus is on obtaining cash in light of crippling economic sanctions, as opposed to the intelligence collection that most other countries conducting this kind of operation prioritize.
Nevertheless, false-flag operations have occurred in the past, notably the 2018 Winter Olympics hack, which is believed to have been carried out by Russian operators who planted clues to make it appear that North Korea was to blame.
Likely with this in mind, Raj Samani, McAfee’s chief scientist, cautioned CNN that its findings should not be taken as conclusive by themselves:
“McAfee believes that such digital forensic evidence must be complemented by traditional evidence from law enforcement and government agencies to make such assertions. That said, McAfee is obligated to report technical similarities between attacks and campaigns to provide its customers cyber threat intelligence they can use to protect themselves from current and future attacks.”