McAfee: Oops, our bad. Sharpshooter malware was the Norks' Lazarus Group the whole time

Access to C'n'C server data shows state hackers weren't smart enough for false flags

McAfee (the antivirus firm, not John the dodgy "playboy") reckons the Sharpshooter malware campaign it uncovered in late 2018 is the work of North Korean hacking crew the Lazarus Group.

Thanks to data from a command-and-control server that was "provided to McAfee for analysis by a government entity that is familiar with McAfee's published research on this malware campaign", researchers were able to link Sharpshooter to earlier Lazarus Group activity from 2017.

The latest malware effort appears, according to McAfee, to be focused on "finance, government and critical infrastructure around the globe, primarily in Germany, Turkey, UK and the US".

Its attribution of Sharpshooter to the Lazarus Group today is a reversal of its previous position in December 2018, when McAfee said the "numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks", warning of the potential for "false flags".

McAfee's initial discovery of Sharpshooter came with the alarming news that the malware campaign's operators were targeting Anglosphere nuclear energy and defence companies. Although the malware borrowed heavily from source code used by Lazarus, the company stopped short of attributing it to the group.

Today McAfee clarified that, with senior principal engineer Christiaan Beek saying: "Technical evidence is often not enough to thoroughly understand a cyber attack, as it does not provide all the pieces to the puzzle.

"Access to the adversary's command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyberattack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers."

"Analysis of the command-and-control server code and file logs also uncovered a network block of IP addresses originating from the city of Windhoek, located in the African nation of Namibia," the company said. "This led McAfee Advanced Threat Research analysts to suspect that the actors behind Sharpshooter may have tested their implants and other techniques in this area of the world prior to launching their broader campaign of attacks."

In 2017 Russia's Kaspersky Lab carried out some in-depth research into the Lazarus Group, finding at the time that their usual method of operating is to carry out quiet reconnaissance of target networks before developing malware tailored towards compromising financial institutions. ®

Sponsored: Becoming a Pragmatic Security Leader




Biting the hand that feeds IT © 1998–2019