Researchers Granted Server by Gov Officials Link Sharpshooter Attacks to North Korea (Mar 4, 2019)
The threat actor campaign called “Operation Sharpshooter,” first discovered by McAfee researchers in December 2018, is now attributed with greater confidence to the Democratic People’s Republic of Korea (DPRK)-sponsored threat group “Lazarus Group.” Operation Sharpshooter targets industries such as energy, defense, government departments, and telecoms around the world, with a particular focus on the US. Researchers found additional evidence on servers provided to them by law enforcement officials: an in-memory implant that downloads a backdoor called “Rising Sun.” The backdoor was identified as sharing source code with the “Duuzer” trojan used by Lazarus Group in a 2016 campaign, and it is this connection that leads researchers to believe the group is responsible for Operation Sharpshooter, among other campaigns.
Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to defend against APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.