Security firm warns of new global campaign targeting critical infrastructure

A hacking group is aggressively targeting critical infrastructure in a new global campaign, a security firm revealed on Wednesday.

The campaign, known as Operation Sharpshooter, has gone after key industries including nuclear, defense, energy and financial groups by using a malicious implant that has links, according to McAfee Labs.


Operation Sharpshooter uses an implant called Rising Sun, which leverages a malicious source code linked to another prominent hacking group — the Lazarus Group — that is widely believed to be based out of North Korea.

While their cyber tools overlap, the cybersecurity firm cautioned against linking the newest campaign to the Lazarus Group, warning of potential "false flags." U.S. officials have blamed the group in the past for cyber espionage operations as well as a series of high-profile cyberattacks, including the 2014 cyberattack against Sony Pictures Entertainment.

"Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags," researchers at McAfee found, stating that they will leave "attribution to the broader security community."

"According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries," it added.

The group begins by sending a compromised document that "contains a weaponized macro" and from there, once downloaded, it will send the victim's data "control server for monitoring by the actors" in order to determine the next steps.

The firm noted that they have not previously observed this implant.