Operation Sharpshooter targets infrastructure around the world

Security researchers discovered a new cyberattack campaign -- Operation Sharpshooter -- targeting critical infrastructure organizations around the globe.

Ryan Sherstobitoff, senior analyst for major campaigns, and Asheer Malhotra, senior security researcher, both at McAfee, said Operation Sharpshooter has been detected targeting 87 organizations -- including nuclear, defense, energy and financial companies -- in October and November. Although attacks have been seen around the world, the researchers said the targets were "predominantly in the Unites States."

The attacks were launched using phishing emails with attached malicious Microsoft Word documents designed to look like job recruitment letters for unknown companies. The documents loaded a downloader into the memory of Word and the downloader retrieved the second-stage implant, which McAfee called Rising Sun.

"Our discovery of this new, high-function implant is another example of how targeted attacks attempt to gain intelligence. The malware moves in several steps. The initial attack vector is a document that contains a weaponized macro to download the next stage, which runs in memory and gathers intelligence," Sherstobitoff and Malhotra wrote in their report. "The victim's data is sent to a control server for monitoring by the actors, who then determine the next steps."

The Rising Sun implant used source code from the infamous Lazarus Group -- the group behind major attacks like WannaCry and the Sony hack -- but the researchers don't believe the Lazarus actors were involved.

"Operation Sharpshooter's numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags," the researchers said. "Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community."

The researchers also noted that it is unclear whether there will be more attacks related to Operation Sharpshooter or if this campaign was "a first-stage reconnaissance operation."

Anthony James, chief marketing officer of CipherCloud, said phishing campaigns like Operation Sharpshooter remain "a reliable and competent attack vector which the attackers are successfully using to compromise targeted organizations."

"Yes, you can guard and reduce the probability of successful social engineering attacks using techniques like phishing, but you cannot eliminate them all. Attackers will gain access to your internal networks," James said. "It becomes critical to protect data, guard against the commonly expected threats and have the visibility to detect them and rapidly shut them down."

Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, said that while phishing emails can often be caught by spam filters, "when an attack is sophisticated like this, even large companies are susceptible."

"Phishing is one of the oldest techniques in the book; we have all at some point received a phishing email," Galloway said. "Phishing emails play on a person's emotions, providing a level of incentive for opening a file or clicking on a link. Because of the psychological element, the risk associated with phishing emails is greatly reduced by ongoing user awareness training."

Colin Bastable, CEO of Lucy Security, said it is "possible to defend against and mitigate losses from successful attacks" like Operation Sharpshooter.

"Phishing attacks evolve very quickly: This looks like a trial run, and it will escalate and spread metastatically," Bastable said. "To successfully defend against such attacks, you must secure people and systems in a holistic model and allow them to evolve together as a single unit. The siloed approach -- security systems on one side, people testing and awareness training on the other -- is the wrong approach. It is also wrong to focus on decreasing intrusion rates because it only takes one intrusion to ruin a CISO's day."