McAfee has discovered a new cyber-espionage campaign that targets the United States, Canada and South Korea and uses code that was last used by the Chinese military-affiliated hacker group APT1, also known as Comment Crew.
From 2006 to 2010, APT1 was accused of launching cyber attacks, dubbed Operation Seasalt, against more than 141 US companies. The security firm has dubbed the recent attacks Oceansalt.
According to McAfee’s latest report, ‘Operation Oceansalt attacks South Korea, US and Canada with source code from Chinese hacker group’, which was presented at MPower 2018, the recent campaign wouldn’t be possible unless the hackers behind it had direct access to the original Seasalt attack source code.
“McAfee’s Advanced Threat Research team found no evidence that the source code from Comment Crew was ever made public, raising the question of who is ultimately responsible for Oceansalt,” the company stated.
The Oceansalt campaign comprised five attack waves. The first and second were delivered via a Korean-language Microsoft Excel file that was created in May 2018. According to McAfee, the attack was aimed at South Korean infrastructure projects.
The third wave used a malicious Microsoft Word document that carried the same metadata and the same author (Lion) as the Excel document used in the first and second waves.
“Oceansalt gives the attackers full control of any system they manage to compromise and the network to which it is connected.”
The Word document contained fake financial information about the Inter-Korean Cooperation Fund. The fourth and fifth waves targeted the USA and Canada.
“These attacks may be a precursor to a much larger attack given the control the attackers have over their infected victims. Given the potential collaboration with other threat actors, considerably more assets are open and available to act upon.”
“This research represents how threat actors are continuously learning from each other and building upon their peers’ greatest innovations,” said Raj Samani, chief scientist at McAfee.
“Whoever is ultimately responsible for the Oceansalt attack is not marketing their initiatives, but now taking action and bringing attacks to life. McAfee is focused on the indicators of compromise presented in this report to detect, correct, and protect systems, regardless of the source of these attacks,” he concluded.
You can read the entire McAfee report here.