LAS VEGAS — McAfee researchers have discovered a series of cyber-attacks targeting South Korea, the U.S. and Canada, but it’s the remnants of a nearly decade-old source code found within the latest campaign that is setting off the alarm bells.
It’s unlike anything Raj Samani, McAfee’s chief scientist, has seen before, he told reporters during a press conference at the company’s MPower conference in Las Vegas.
“The reemergence of a threat actor that hasn’t been seen for eight years is very significant,” said Samani. “We haven’t seen this before.”
Researchers are unsure about the motivations behind the cyber attacks and their intended targets. What is clear, however, is that researchers discovered traces of old code, last used in 2010 by the hacker group APT1, also known as Comment Crew, in a series of attacks targeting South Korea in May 2018. The New York Times reported in 2013 that Comment Crew “drained terabytes of data” from companies such as Coca-Cola, but its main focus was almost always critical infrastructure – gas lines, power grids and waterworks. At the time, security researchers said Comment Crew had targeted a company with remote access to “more than 60 per cent of oil and gas pipelines in North America.”
The first and second waves of the latest attack were spear-phishing based, said Samani, and they began with a malicious Korean-language Microsoft Excel document created in May that targeted individuals associated with public infrastructure projects. Samani indicated the ensuing waves in August were similar in nature and targeted the U.S. and Canada specifically.
Comment Crew, a Chinese military-affiliated group, has been accused of launching cyber-attacks on more than 140 U.S. companies from 2006 to 2010. These campaigns were dubbed Operation Seasalt, and the recently discovered ones have been named Operation Oceansalt due to the similarities between the two.
Ryan Sherstobitoff, McAfee’s senior analyst for major campaigns, explained that Oceansalt gives attackers full control of any system it manages to compromise, in addition to the network those systems are connected to.
“They can get pretty much anything as far as the content on a hard drive,” explained Sherstobitoff, adding the latest attacks might actually be a precursor to a much larger one.
One of the most important questions on his mind, however, is how the people responsible for the latest campaign obtained such dangerous source code. “It raises the question when our team didn’t find any evidence that the source code was ever leaked: How did a Korean-speaking actor, or an actor familiar with the Korean language, get a hold of this code?”
Samani was quick to say they weren’t placing the blame on any country in particular, but such a large-scale attack that seemingly evolved from an older version of itself is cause for serious concern.
“This research represents how threat actors are continuously learning from each other and building upon their peers’ greatest innovations,” he said, pointing specifically to Oceansalt’s enhanced encryption and obfuscation capabilities.
McAfee researchers first approached law enforcement and organizations potentially compromised by the cyber-attack approximately five weeks ago, said Samani. They’ve been working closely together since then not only to mitigate Oceansalt’s impact, but also to find those responsible.
“We’re very conscious about the type of information we release,” he said. “We do so in a tactical manner that ensures we don’t compromise an ongoing investigation.”