According to a December 12 blog post by McAfee, the global hack had nuclear, defense, energy and financial companies in the crosshairs. Between October and November, the hacking group targeted people at 87 companies through social media by sending them what appeared to be "recruitment" messages to lure them into clicking on malicious documents.
"This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant — which we call Rising Sun — for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group's 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries," the McAfee blog post states, referencing Lazarus Group, a cybercrime group that may be linked to North Korea.
Once the Rising Sun implant was running on a victim's machine, the attackers could collect usernames, IP addresses, network configuration and system settings from it.
"This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest," McAfee reported, adding that the malware contains a "weaponized macro to download the next stage, which runs in memory and gathers intelligence." The victim's data is then transferred to a control server.
"Operation Sharpshooter's numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags," the blog post adds.
In 2016, Lazarus Group was believed to be involved in the theft of $1 billion from the Bangladesh Bank, which FBI investigators called "the biggest cyber-heist in history," Sputnik previously reported.
In addition, the US Department of Justice believes Lazarus Group was behind the 2014 cyberattack on Sony Pictures Entertainment, in which confidential data about Sony employees and their families, correspondence between employees, information about salaries at the company and copies of then-unreleased Sony films were stolen and released to the public.
In 2017, Lazarus Group allegedly spread the WannaCry 2.0 virus, which affected more than 230,000 people in 150 countries. The cyberattack targeted computers running the Microsoft Windows operating system by encrypting user data and then demanding ransom money in the form of bitcoin cryptocurrency in exchange for decrypting the target's files.