San Francisco, Calif.:  McAfee reveals evidence that the Operation Sharpshooter campaign exposed in 2018 is more extensive in complexity, scope and duration of operations. McAfee Advanced Threat Research conducted a detailed analysis of code and data from a command-and-control server responsible for the management of the operations, tools and tradecraft behind this global cyber espionage campaign. This content was provided to McAfee for analysis by a government entity that is familiar with McAfee’s published research on this malware campaign. The analysis led to identification of multiple previously unknown command-and-control centers, and suggest that Sharpshooter began as early as September 2017, targeted a broader set of organizations, in more industries and countries and is currently ongoing.

“McAfee Advanced Threat Research analysis of the command-and-control server’s code and data provides greater insight into how the perpetrators behind Sharpshooter developed and configured control infrastructure; how they distributed the malware; and how they stealthily tested campaigns prior to launch,” said Raj Samani, McAfee Fellow and chief scientist. “This intelligence is invaluable in deepening our understanding of the adversary, which ultimately leads to better defenses.”

In December 2018, McAfee Advanced Threat Research first uncovered Operation Sharpshooter, a global cyber espionage campaign targeting more than 80 organizations across critical industries including the telecommunications, energy, government and defense sectors. Analysis of the new evidence has exposed striking similarities between the technical indicators, techniques and procedures exhibited in these 2018 Sharpshooter attacks, and aspects of multiple other groups of attacks attributed by the industry to the Lazarus Group. This includes, for example, the Lazarus group’s use of similar versions of the Rising Sun implant dating back to 2017, and source code from the Lazarus Group’s infamous 2016 backdoor Trojan Duuzer.

“Technical evidence is often not enough to thoroughly understand a cyber-attack, as it does not provide all the pieces to the puzzle,” said Christiaan Beek, McAfee senior principal engineer and lead scientist. “Access to the adversary’s command-and-control server code is a rare opportunity. These systems provide insights into the inner workings of cyberattack infrastructure, are typically seized by law enforcement, and only rarely made available to private sector researchers. The insights gained through access to this code are indispensable in the effort to understand and combat today’s most prominent and sophisticated cyber attack campaigns.”

Having begun approximately a year earlier than previously evidenced and still ongoing, these attacks appear to now focus primarily on financial services, government and critical infrastructure.  The largest number of recent attacks primarily target Germany, Turkey, the United Kingdom and the United States. Previous attacks focused on telecommunications, government and financial sectors, primarily in the United States, Switzerland, and Israel, and others.