October 18, 2018 – MPOWER 2018 – McAfee, the device-to-cloud cybersecurity
company, today at MPOWER 2018 released a report announcing the discovery
of a new cyber espionage campaign targeting South Korea, the United
States and Canada. The new campaign uses a data reconnaissance implant
last used in 2010 by the hacker group APT1, or Comment Crew, a Chinese
military-affiliated group accused of launching cyber-attacks on more
than 141 U.S. companies from 2006 to 2010.
The actors behind this new campaign have not been identified; however, they
reused code from implants last seen in 2010 in Comment Crew's offensive
cyber operations against the U.S., dubbed Operation Seasalt. McAfee has
named the new campaign Operation Oceansalt because of its similarity to
Seasalt.
The report, “Operation
Oceansalt Attacks South Korea, U.S. and Canada with Source Code from
Chinese Hacker Group,” suggests that the development of the
Oceansalt implant would not have been possible unless the actors behind
it had direct access to Comment Crew’s 2010 Seasalt source code.
However, McAfee’s Advanced Threat Research team found no evidence that
the source code from Comment Crew was ever made public, raising the
question of who is ultimately responsible for Oceansalt.
McAfee found that Oceansalt was launched in five attack "waves" adapted
to its targets. The first and second waves were spear-phishing based and
began with a malicious Korean-language Microsoft Excel document, created
and saved in May 2018, that acted as a downloader for the implant.
Authored by a user named "Lion," the Excel file contained information
leading McAfee to believe the targets were related to South Korean
public infrastructure projects. A third round of malicious documents,
this time in Microsoft Word, carried the same metadata and author as the
Excel documents; the Word document contained fake information about the
financials of the Inter-Korean Cooperation Fund. Waves four and five
identified a small number of targets outside South Korea, including the
U.S. and Canada, as the attackers expanded their scope.
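The waves above were linked through the lure documents' embedded metadata: the shared author name "Lion" and matching creation timestamps. As an added example, not code from McAfee's report or its tooling, the Python script below shows how that pivot is done on OOXML (.xlsx/.docx) files: it reads docProps/core.xml, extracts the creator and timestamp fields, and buckets files that share an author and creation day. The sample corpus, its file names and its dates are constructed for illustration; only the author name comes from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML core-properties namespaces (the real ones used by docProps/core.xml).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def build_ooxml(author, created, modified=None):
    """Build a minimal OOXML container in memory carrying only docProps/core.xml.

    Constructed sample only: it is not a real lure and has no macro or workbook parts.
    """
    modified = modified or created
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>%s</dc:creator>"
        "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">%s</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">%s</dcterms:modified>'
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"], author, author, created, modified)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def core_properties(data):
    """Extract creator / lastModifiedBy / created / modified from OOXML file bytes.

    Every field is None if docProps/core.xml is missing; a single field is None
    if that element is absent from core.xml.
    """
    fields = ("creator", "last_modified_by", "created", "modified")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {k: None for k in fields}
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def cluster_by_provenance(samples):
    """Group file names by (creator, creation day) so documents that share an
    author and build date land in the same bucket; this is the pivot that ties
    the Excel and Word lures together."""
    groups = {}
    for name, data in samples.items():
        props = core_properties(data)
        key = (props["creator"], (props["created"] or "")[:10])
        groups.setdefault(key, []).append(name)
    return groups


# Constructed corpus: three lures sharing author and creation day, one unrelated file.
# The author "Lion" is taken from the report; dates and file names are invented.
SAMPLES = {
    "wave1_lure.xlsx": build_ooxml("Lion", "2018-05-14T02:11:00Z"),
    "wave2_lure.xlsx": build_ooxml("Lion", "2018-05-14T02:11:00Z", "2018-05-21T08:40:00Z"),
    "wave3_lure.docx": build_ooxml("Lion", "2018-05-14T02:11:00Z", "2018-05-29T10:05:00Z"),
    "unrelated.docx": build_ooxml("Other", "2018-06-01T09:00:00Z"),
}

if __name__ == "__main__":
    for key, names in cluster_by_provenance(SAMPLES).items():
        print(key, "->", sorted(names))
```

Two caveats a practitioner should keep in mind: these fields are written by the authoring application and are trivially editable, so they reliably link lures to each other but say nothing trustworthy about who the actor is; and legacy binary Office formats (.doc/.xls) keep the same properties in an OLE2 SummaryInformation stream, which this script does not parse.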
As for implications and impact, these attacks may be a precursor to a
much larger attack, given the control the attackers have over their
infected victims. Oceansalt gives the attackers full control of any
system they manage to compromise and of the network to which it is
connected. If the actors behind Oceansalt are collaborating with other
threat groups, as the shared source code may indicate, considerably more
compromised assets could be available to act upon.
“This research represents how threat actors are continuously learning
from each other and building upon their peers’ greatest innovations,”
said Raj Samani, chief scientist at McAfee. “Whoever is ultimately
responsible for the Oceansalt attack is not marketing their initiatives,
but now taking action and bringing attacks to life. McAfee is focused on
the indicators of compromise presented in this report to detect,
correct, and protect systems, regardless of the source of these attacks.”
To download the entire report, visit https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf
