Illustration: Sarah Grillo/Axios
North Korea appears to have helmed a hacking campaign previously identified as "Operation Sharpshooter," according to a new report from McAfee, who first reported on the attacks in December.
The big picture: McAfee originally believed the attacks showed so much evidence they were from North Korea that it might indicate a different actor trying to frame Pyongyang. But the company's researchers now say that analysis of code and data from an intermediary server indicates the attacks really did originate from North Korea.
Details: According to the new report, the Sharpshooter campaign dated back to at least September 2017, a year earlier than was previously known.
- Sharpshooter pivoted its targeting during the year it has been active. It currently appears to target financial services, government and critical infrastructure, with a primary focus on Germany, Turkey, the U.K. and the U.S. Earlier hacking mainly targeted telecommunications, government and financial sectors, largely in the U.S., Switzerland and Israel.
The intrigue: The motive behind the attacks isn't known, but North Korea's interest is traditionally in espionage — which would have been increasingly important to fine-tune negotiating strategies during talks with the United States — and with various forms of theft.
- Axios has reported that North Korea might one day pivot to stealing intellectual property to bolster local industry.
- But even if the Sharpshooter attacks may have provided technical access to intellectual property, as reported in the New York Times, neither the new report nor any previous research on North Korea offers any evidence that IP was stolen in an act of commercial espionage.
Other interesting notes from the report:
- The malware was built in a "factory" approach, with new components developed separately and in tandem.
- The attackers appear to have conducted test campaigns in the city of Windhoek, Namibia, before taking the campaign global. This might give the U.S. a window into other attacks in the works, the same way that the U.S. sees Russian attacks against Ukraine as clues to what Russia might do next.