Some of the code used a decade ago by a threat group that attacked more than 140 US companies over a four-year period has resurfaced in a number of campaigns that primarily target South Korean organizations, but has also expanded to include the US and Canada, according to researchers with McAfee.
The report, "Operation Oceansalt Attacks South Korea, U.S. and Canada with Source Code from Chinese Hacker Group," which was released this week at the MPower 2018 show in Las Vegas, finds that the Oceansalt implant includes code from a campaign called Operation Seasalt, which targeted US organizations between 2006 and 2010. The traces of the source code from Seasalt, which was run by the group APT1 -- also known as Comment Crew -- hadn't been seen since 2010 until this year, when campaigns using some of the code were detected in South Korea.
APT1 hadn't been heard from since it was exposed in a report in 2013 outlining attacks in the US.
"This report detailed the inner workings of Comment Crew and its cyber offensive capabilities," according to McAfee's report, written by researches Ryan Sherstobitoff and Asheer Malhortra. "The consequences of releasing this public report forced the group to either make changes to their techniques or cease their activity altogether. Until this analysis, we had observed no new activity related to Comment Crew since they were exposed, but now we find portions of their implant code appearing in new operations targeting South Korea."
Cybercriminals reusing code from other campaigns is not unusual -- McAfee and Intezer recently outlined code reuse among an array of North Korea-based malware groups like Lazarus, Hidden Cobra and Group 123 -- but what's different here is that as far as McAfee researchers can tell, the source code from APT1 was never made public. (See Researchers Show That Code Reuse Links Various North Korean Malware Groups.)
The bad actors behind Oceansalt are unknown.
In their report, the researchers said it's unlikely that the Oceansalt campaigns mean that APT1 has returned, but that somehow those behind the attacks have gained access to it. They suggest it could be a code-sharing arrangement between two actors or that a hacker has gained access to the code from someone involved in the APT1 operations. It also could be a false-flag operation to make it appear that China and North Korea are collaborating on the Oceansalt attacks.
"We have not seen this group prior, and therefore determined this to be a significant finding as a result," Raj Samani, chief scientist at McAfee and a McAfee Fellow, told Security Now in an email. "Certainly code reuse is normal practice; indeed one of our previous publications shows with attacks attributed to [North Korea], for example, this has been done. However, this one is two different threat actor groups, and in particular using code from many years before."
Samani added that there is a "growing trend of threat actors beginning to collaborate more. This is not only between nation-states but in fact we have seen this in the criminal environments. For example, the GandCrab [ransomware] crew are developing relationships with other groups."
McAfee researchers have found five Oceansalt attack waves that have been tailored to their targets. The bad actors initially used spear-phishing attacks that leveraged two infected Microsoft Excel documents written in Korean that acted as downloaders of the malware that included parts of the code from APT1.
The targets were involved with public infrastructure projects in the country.
A malicious file that is part of Operation OceanSalt
(Source: McAfee Labs)
There was a second round of malicious documents that included the same metadata and author -- called "Lion" -- as the Excel documents but were housed in Microsoft Word docs. This wave was first aimed at the Inter-Korean Cooperation Fund and initially appeared on May 31 in South Korea. However, organizations in the US and Canada involved in investment, banking and agriculture have since been hit by the attack, the researchers said.
They said it was possible that the attacks in North America are part of a campaign separate from that in South Korea. The threat of Oceansalt is significant.
"These attacks might be a precursor to a much larger attack that could be devastating given the control the attackers have over their infected victim," the analysts wrote. "The impact of these operations could be huge: Oceansalt gives the attackers full control of any system they manage to compromise and the network it is connected to. A bank's network would be an especially lucrative target. Further, the code overlaps with that from a previously reported advanced state-sponsored group. The overlap suggests a close collaboration between members of a state-sponsored group and the current actors in conducting cyber operations."
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.