A cyberattack campaign called Operation Sharpshooter was identified by the McAfee Advanced Threat Research team and Malware Operations Group in late 2018. The attack included an implant called Rising Sun that targeted defense, energy, financial and nuclear-related companies in 87 organizations across the globe. Most of the targeted entities were in the United States.
The attack begins with a phishing email presenting a job opportunity and recruiting advertisement to an unknown company. This entices the uninitiated reader to open the malicious Microsoft Word file. When opened, the Word document loads a downloader into memory, and then the downloader retrieves a second-stage malware — McAfee called it Rising Sun — from a control server.
The Rising Sun implant first conducts reconnaissance on the targeted computer. According to the McAfee report, the implant collects the following data from the target computer, which it then sends back to the control server:
- “Network adapter info
- Computer name
- User name
- IP address information
- Native system information
- OS product name from registry.”
The Rising Sun implant then performs data encryption and exfiltration of information on the target computer. The stolen data is posted to a web address.
This implant is not a casual attack, however. According to McAfee, it also has 14 backdoor capabilities, including:
- Executing selected commands.
- Getting drive information, such as the drive type, total bytes on the disk, the name of the volume, etc.
- Launching a process from a Windows binary.
- Getting process information and enumerating all the processes currently running on the target.
- Terminating specified processes.
- Getting file times — file creation time, as well as the time of the last read/write/execute operations.
- Reading and exfiltrating contents of files specified by the control server.
- Clearing process memory by overwriting memory with junk bytes — McAfee’s term.
- Writing a file from the control server to the target’s disk.
- Deleting files specified by the control server.
- Getting more information about and enumerating all the files in directories the control server selected.
- Connecting to a specified network IP address over a specified port.
- Changing file attributes.
- Moving files to different locations.
Users don’t know all of the effects of this high-functioning implant; however, it is a powerful means for the attacker to gather intelligence from the target computer and then decide the next steps based on the data and information collected.
The targets — Critical infrastructure
Operation Sharpshooter targets critical infrastructure around the world. However, let’s consider what that target community really looks like.
Despite the popular misconception that critical infrastructure is just the electric grid, it is really much broader.
Critical infrastructure can be described as the cyber and physical systems and assets that are vital to a country and society, such that their destruction or reduced capability would have a major negative impact on the society’s economic security, public health and safety.
The U.S. Department of Homeland Security identifies 16 critical infrastructure sectors. The United Kingdom identifies 13 areas.
Operation Sharpshooter was focused on selected critical infrastructure sectors — but only a few. Consider all the opportunities presented to an attacker who is trying to disrupt critical infrastructure and key resources (CIKR) and a nation’s economy. Security leaders in any of these CIKR sectors need to consider their organization a target.
Defending against threats to critical infrastructure
Operation Sharpshooter begins as a phishing attack that appeals to the individual’s desire to make more money or change careers; these are basic desires of which the attacker takes advantage.
A key defense to such a threat to critical infrastructure is education. Train your staff to be suspicious of emails that are from unknown senders, have attachments or appear to be too good to be true. The concept of think before you click needs to be reiterated and reinforced to your users and employees. Many phishing emails begin with “Dear Customer,” or another generic greeting; therefore, you need to be increasingly alert.
As part of this education, require or at least strongly encourage users to inform the service desk or security team of any suspected phishing attacks. Some organizations have installed a special GUI button in their email clients that the user can press to alert security to the email.
Some companies have also hired outside consultants to do phishing tests. With this option, controlled and realistic-looking phishing emails/attachments are sent to unsuspecting users in the company to test their response. It is one way to determine the weak links in a company and then remediate accordingly.
Another proactive action a security organization can take with regard to Operation Sharpshooter is to use firewall rules to block access to the control servers associated with the cyberattack. Blocking communication with the control server is one means of defense.
Operation Sharpshooter is a fairly simple attack with a complicated array of options contained in the downloader. The attacker can use this tool to break into an unsuspecting user’s computer and then harvest and extract information as dictated by the command server operator.
There are many ways to defend against these types of threats to critical infrastructure, but it is crucial that you educate your users on phishing attacks and techniques. Also, the security organization needs to stay on top of threats as best they can and be suspicious of unusual traffic — both ingress and egress — and attachments, which can be a powerful attack vector. The more you know, the better prepared you can be.