Hackers are using bogus job adverts to lure employees of nuclear, defence, energy and finance firms into downloading malware.
The malware has already been used to infiltrate 87 organisations around the world, primarily in the US, but also in the UK, France and Germany.
Researchers at McAfee said the malware uses source code from a backdoor, known as Trojan Duuzer, which has previously been attributed to the North Korea-linked Lazarus Group.
Lazarus has been blamed for some of the most high-profile cyber attacks of the last decade, including last year’s WannaCry ransomware virus. But in a blog, the researchers clarified that the “numerous technical links to [Lazarus] seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and indicate a potential for false flags”.
First observed on 25 October, the malware has been distributed through Microsoft Word documents via Dropbox. The Word documents contain Korean-language metadata, indicating they were created in a Korean-language version of the software.
The malware – dubbed Operation Sharpshooter by McAfee – “leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation,” the researchers wrote.
McAfee said it was not yet clear whether or not the attack represented a “first-stage reconnaissance operation” and that it would continue to monitor the situation.
Commenting on the campaign, Sam Curry – chief security officer at Cybereason – said that it was “no surprise” critical infrastructure providers had come under attack.
“For the last decade, utilities and power companies have been among the least well protected of all critical infrastructure providers; and this is only now changing as regulations and attention are increasing,” he added. “It should be expected that cyber criminals will always look for assets, both identity and bot resources; and nation states will always look to expand their influence and reach, grow their exploit stockpiles and hone their skills.”
Earlier this year, the EU rolled out new regulation aimed at bolstering the cyber resilience of critical infrastructure providers. Under the new rules, those which fail to adopt effective security measures could face fines of up to £17m.