Operation Sharpshooter is one of the most significant cyberattacks orchestrated by the North Korean-based adversary known as Lazarus Group. Conducted between October and November 2018, the operation targeted multiple sectors, particularly finance, energy, and defense, affecting over 80 organizations worldwide, with a primary impact on the United States. This blog post will explore the operation’s details, attack methods, and its broader implications. We will also discuss how AttackIQ Flex can help organizations test their defenses against this cyberattack campaign.

Attack Vector and Initial Compromise

The attack began with the delivery of a malicious Microsoft Office document, which was designed to deploy the Rising Sun implant on the victim’s system. This implant sought persistence by creating an entry in the Startup folder, ensuring the malware would execute each time the system restarted. The use of a benign-seeming Office document is a common tactic in modern cyberattacks, as it leverages trust in widely used productivity tools to evade detection.

Once the Rising Sun implant was established, the attack moved to its second stage, focusing on gathering detailed information about the victim’s system environment. The implant collected data from various sources, such as running processes, disk information, and network configurations. This data was then encrypted and exfiltrated back to the adversary’s infrastructure, allowing them to gain a comprehensive understanding of the target’s systems and networks.

In the later stages of the attack, the Rising Sun implant continued its data collection efforts. It sought in-depth information about available files, directories, and peripheral devices connected to the compromised system. This extensive reconnaissance allowed the adversaries to identify valuable data and potential points of further compromise.

The final stage of the operation involved establishing communication with the adversary’s command and control (C2) infrastructure. This connection enabled the attackers to remotely control the compromised system and deploy additional malware or conduct further malicious activities as desired.

Impact and Legacy

Operation Sharpshooter was a targeted attack that highlighted the Lazarus Group’s capabilities and ambitions. By focusing on sectors critical to national security and economic stability, the group demonstrated its strategic intentions and the threat it poses globally. These industries are essential for the functioning of any modern society and economy. The successful compromise of these sectors can lead to data breaches, disruption of operations and significant financial loss.

How AttackIQ Flex Can Help

To help organizations defend against sophisticated cyberattacks such as Operation Sharpshooter, AttackIQ offers a Flex Package specifically designed to test and validate defenses against this campaign. AttackIQ Flex offers a user-friendly platform for running tests against your environment, allowing you to measure and improve your cybersecurity readiness. The Lazarus Group- Operation Sharpshooter package allows organizations to:

• Assess Security Controls: Evaluate the effectiveness of security controls in place by simulating the tactics, techniques, and procedures (TTPs) used in Operation Sharpshooter.
• Identify Gaps: Discover potential gaps in your security posture that adversaries could exploit.
• Remediation Guidance: Receive quick remediation guidance so you can adjust controls in minutes, not days.

Scenarios Included in Flex Package:

• File and Directory Discovery Script
• Get Disk Information from diskdrive
• System Network Configuration Discovery
• Download 2018-10 Operation Sharpshooter Rising Sun to Memory
• System Information Discovery Script
• Process Discovery
• Data Staged Script
• Obtain Hostname using “hostname” Command
• Query Registry Script
• Lazarus Group’s Rising Sun Initial C2 Request using HTTP POST
• Download 2018-10 Lazarus Group Operation Sharpshooter Malicious Office Document to Memory
• Multilayer Encryption of Personal Data using AES 256 CBC
• Persistence Through Startup Folder
• Save 2018-10 Lazarus Group Operation Sharpshooter Malicious Office Document to File System
• Save 2018-10 Operation Sharpshooter Rising Sun to File System
• Get Disk Information from logicaldisk
• System Owner/User Discovery Script

Takeaways & Outlook

Operation Sharpshooter was a significant and far-reaching cyberattack that underscored the evolving threat posed by state-sponsored adversaries like the Lazarus Group. It revealed the group’s sophisticated capabilities and targeted approach towards critical sectors such as finance, energy, and defense, raising awareness about the potential impacts of such attacks on national security and economic stability.

The operation’s legacy extends beyond its immediate effects, prompting organizations to bolster their cybersecurity defenses and enhance collaboration and information sharing. This increased vigilance and proactive approach to security testing and controls have led to improvements in threat detection, response, and mitigation. Moreover, the emergence of solutions like AttackIQ Flex has empowered organizations to test their security controls more efficiently and effectively.

Sign up for AttackIQ Flex today!