Recent analysis by cybersecurity experts has established a compelling connection between a global cyber espionage campaign, known as Operation Sharpshooter, and a North Korean advanced persistent threat (APT) group. The investigators have concluded this attribution with a high degree of confidence, following the examination of evidence from a command-and-control (C2) server captured by law enforcement.
Operation Sharpshooter primarily targets organizations in critical sectors, including government, defense, nuclear energy, and financial institutions globally. The campaign was initially identified in December 2018 by McAfee researchers. At that time, although several technical indicators suggested links to the infamous Lazarus hacking group, definitive attribution was withheld because of concerns about potential misinformation and false flags.
Through a recent communiqué from McAfee shared with The Hacker News, it has been emphasized that the analysis of the compromised C2 infrastructure provided crucial insights into the operational mechanisms of this global espionage effort. This new evidence has confirmed that the Lazarus Group, often referred to as Hidden Cobra or Guardians of Peace, is indeed behind these sophisticated cyber operations. This group has a history of high-profile cyber attacks, including the 2017 WannaCry ransomware attack and the notorious Sony Pictures breach in 2014.
Interestingly, the analysis indicated that the scope of Operation Sharpshooter began earlier than previously recognized, dating back to September 2017. While prior activity largely focused on telecommunications and financial sectors in countries such as the United States, Switzerland, and Israel, the recent findings highlight a troubling expansion of targets, with significant attacks now also aimed at critical infrastructure in Germany, Turkey, the United Kingdom, and the United States.
The campaign's initial access is deceptively simple. Targets receive malicious documents containing a weaponized macro, delivered through cloud platforms such as Dropbox. When a user opens the document and the macro runs, it loads the Sharpshooter downloader directly into the memory of the Microsoft Word process, which then retrieves the second-stage payload, the Rising Sun malware. Rising Sun, which reportedly reuses code from the Lazarus Group's Duuzer backdoor Trojan, gathers extensive network information from the compromised system.
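The chain above suggests one host-level check a defender can run: because the downloader executes inside the Word process, the observable is Word itself connecting out shortly after opening a document from a cloud share. The following is an added example, not code from the article or from McAfee's report; the Sysmon-style event shape, the Office install path, the cloud-path hints and the five-minute window are all assumptions.

```python
# Added example (not the article's or McAfee's code): correlate Word opening a
# document from a cloud/download path with an outbound connection made by the
# same WINWORD.EXE process, over constructed Sysmon-style events.
from datetime import datetime, timedelta

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"  # assumed path
CLOUD_HINTS = ("\\dropbox\\", "\\onedrive\\", "\\downloads\\")        # assumed hints
WINDOW = timedelta(minutes=5)                                          # tuning assumption

def proc(ts, pid, doc):   # constructed Sysmon event 1 (process create)
    return {"ts": ts, "id": 1, "pid": pid, "image": WORD,
            "cmdline": f'"{WORD}" /n "{doc}"'}

def conn(ts, pid, ip):    # constructed Sysmon event 3 (network connection)
    return {"ts": ts, "id": 3, "pid": pid, "image": WORD,
            "dst_ip": ip, "dst_port": 443}

# Constructed sample log; IPs are documentation addresses, not real indicators.
SAMPLE_EVENTS = [
    proc("2019-03-04T09:00:00", 4120, r"C:\Users\alice\Dropbox\JobDescription.doc"),
    conn("2019-03-04T09:00:07", 4120, "203.0.113.10"),   # Word connects out 7 s later
    proc("2019-03-04T10:15:00", 5300, r"C:\Users\bob\Documents\notes.docx"),
    conn("2019-03-04T10:15:03", 5300, "203.0.113.20"),   # document not from a cloud path
    proc("2019-03-04T11:00:00", 6010, r"C:\Users\carol\Downloads\invoice.doc"),
    conn("2019-03-04T11:30:00", 6010, "203.0.113.30"),   # connection outside the window
]

def find_suspicious_word_sessions(events, window=WINDOW):
    """Return (pid, cmdline, dst_ip) for each Word process that opened a document
    from a cloud/download path and made an outbound connection within `window`."""
    opened = {}
    for ev in events:
        if ev["id"] == 1 and ev["image"].lower().endswith("winword.exe"):
            cmd = ev["cmdline"].lower()
            if any(h in cmd for h in CLOUD_HINTS):
                opened[ev["pid"]] = (datetime.fromisoformat(ev["ts"]), ev["cmdline"])
    hits = []
    for ev in events:
        if ev["id"] == 3 and ev["pid"] in opened:
            t0, cmd = opened[ev["pid"]]
            delta = datetime.fromisoformat(ev["ts"]) - t0
            if timedelta(0) <= delta <= window:
                hits.append((ev["pid"], cmd, ev["dst_ip"]))
    return hits

if __name__ == "__main__":
    for pid, cmd, ip in find_suspicious_word_sessions(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} connected to {ip} after opening: {cmd}")
```

Word legitimately contacts Microsoft services, so in practice the destination should be compared against an allow-list and the window tuned to the environment.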
The Rising Sun malware is designed for reconnaissance: it collects and encrypts data such as the device's IP address, computer name, and system details, all of which the attackers can use in later stages of the intrusion. Notably, the analysis also uncovered a connection to Africa, specifically an IP address block traced back to Namibia, indicating that the actors may have tested their tooling in this region before executing the wider campaign.
Experts assert that understanding the adaptations and tools used by adversaries like the Lazarus Group is crucial in developing defensive strategies. As stated by Christiaan Beek, a senior engineer at McAfee, gaining access to the C2 server code presents a unique opportunity for researchers. This knowledge is pivotal for countering sophisticated attack campaigns that are becoming increasingly prevalent.
The backend infrastructure employed by these attackers is reportedly built on PHP and ASP frameworks, which are believed to be custom-engineered. This C2 architecture has been instrumental in the Lazarus Group’s operations since at least 2017, indicating a level of persistence and sophistication that underscores the need for continuous vigilance in cybersecurity practices.
For business owners, the implications are clear: the threat landscape is evolving, and recent developments signal a pressing need for enhanced security measures. The tactics observed in Operation Sharpshooter, from the initial access technique to the data collection stage, map onto techniques in the MITRE ATT&CK framework, emphasizing the necessity of proactive defenses against such sophisticated cyber espionage efforts.