Delaware, USA – March 5, 2019 – Further indisputable proof that the notorious Lazarus group was responsible for the ‘Operation Sharpshooter’ cyber espionage campaign in late 2018 has been published by McAfee. ‘Operation Sharpshooter’ targeted critical infrastructure and the financial and governmental sectors worldwide, most notably in the US, Turkey, and Germany. The initial analysis revealed that a victim server had been compromised from IP addresses in London, but such evidence, like other technical details, scarcely ever points to the true origin of the threat actors, which gave ground to speculation about a false flag attack. The Olympic Destroyer attack is a vivid example of such long-running assumptions.
McAfee researchers had a unique opportunity to analyze the code and data from the command-and-control server used in the operation. Access to the C2 server made it possible to discover implants of a new version of the Rising Sun backdoor used in the attack, and to clarify the connections’ IP addresses, located in Namibia. Three successive versions of Rising Sun clearly demonstrate the backdoor’s evolution from the original source code of Duuzer, a core Lazarus tool. It is worth noting that Lazarus APT consists of several hacker groups that perform operations in the interests of the North Korean government, conducting both financially motivated attacks and cyber espionage campaigns worldwide. To identify the sophisticated attacks of advanced threat actors at the early stages of the Cyber Kill Chain, you can use the updated version of the APT Framework rule pack: https://my.socprime.com/en/integrations/apt-framework-arcsight