It is with a heavy heart that we must inform you hackers are targeting 'nuclear, defense, energy, financial' biz

Hackers are targeting critical infrastructure providers, including nuclear power and defense agencies, in what may be a state-sponsored attack that's hiding behind North Korean code. Discovered by McAfee and dubbed "Sharpshooter", the operation has been running since November, largely focusing on US-based or English-speaking …

  1. GnuTzu Bronze badge
    Megaphone

    Now That We Know About It

    If they've gotten anywhere before this discovery, that will be news. If they get anywhere after this bit of news, then somebody's going to really have to answer for it.

    1. Aqua Marina Silver badge

      Re: Now That We Know About It

      Surely it’s time to start unplugging the LAN cable from anything that is critical. If it’s good enough for Battlestar Galactica, it’s good enough for me!

      1. Crisp Silver badge
        Boffin

        Re: Now That We Know About It

        The problem with hackers is that they look like us now...

  2. veti Silver badge

    So who owns the control servers that the slurp gets sent to?

    That might give us a clue.

    1. robidy

      Really, that's no guarantee...a compromised server accessed via an anonymous vpn..or three...job done, how do you find them.

      I trust you don't work in tech security.

      1. Pen-y-gors Silver badge

        Be fair, it's a clue, not a clear answer.

        Once you know the control server you infiltrate and monitor that. If a VPN connects see if you can poison the VPN client to detect/trace where the connection is from. That may give another clue. And so on. Who knows, if you're lucky, you may be able to send a little present down the VPN!

  3. bombastic bob Silver badge
    Facepalm

    emails contain poisoned Word documents

    ...

    facepalm. see icon.

    It's time for corporate firewall appliances to aggressively strip off any MS Office document attachments, particularly those that contain scripts, and for company policies to dictate and enforce "never open or preview them". If it can't be sent as plain text or something WITHOUT script in it, don't allow it to be received.

    it's been what, TWO DECADES since the first word macro virus?

    The Wikipedia page on Macro viruses states that the Melissa virus was from 1999.

    1. Version 1.0 Silver badge

      Re: emails contain poisoned Word documents

      This is NOT news - I've been seeing these hack attempts for years. Our mail-server holds all emails that have a suspect attachment - *.ace, *.ade, *.adp, *.bat, *.chm, *.cmd, *.com, *.cpl, *.crt, *.doc, *.docx, *.exe, *.gz, *.hlp, *.hta, *.htm, *.html, *.inf, *.ins, *.isp, *.js, *.lnk, *.mdb, *.mde, *.msc, *.msi, *.msp, *.mst, *.pcd, *.pi, *.pif, *.reg, *.scr, *.sct, *.shs, *.uue, *.vbe, *.vbs, *.wsc, *.wsf, *.wsh, *.xls, *.xlsx, *.rtf, *.rar, *.dot, *.jar, *.arj, *.lzh, *.iso, *.xz, *.xlxs, *.r0*, *.r1*, *.r2*, *.z

      Problem partially solved ... I'm thinking of adding *.pdf to the list but for the moment I've removed Adobe Reader from every computer and installed a third-party reader.

      1. Anonymous Coward
        Anonymous Coward

        Re: emails contain poisoned Word documents

        What about the macro enabled *.xlam, *.xlsm, *.xltm

        1. Michael Wojcik Silver badge

          Re: emails contain poisoned Word documents

          What about the macro enabled *.xlam, *.xlsm, *.xltm

          Or the old "encrypted zip archive with the password in the message body" dodge, well-loved by people bypassing email filtering for less-malicious (if still often foolish) purposes.

          The whole point of spearphishing is to run a con on a specific target. Anyone who's studied that sort of confidence game knows that various counter-intuitive factors actually tend to improve the success rate. One is asking the victim to help initially, rather than offering a reward - victims who do so tend to fall prey to a version of the sunk costs fallacy, or a related one of acquired responsibility. Another is making it slightly more difficult for the victim to participate in the con (e.g. by having to open a password-protected zip file) - another version of the sunk-costs trap.

          That's not to say that there's no value in filtering many of the file patterns associated with unsafe formats. Defense in depth.

          1. Pen-y-gors Silver badge

            Re: emails contain poisoned Word documents

            The whole point of spearphishing is to run a con on a specific target.

            Exactly. Carefully crafted for the target(s). Ideally, for a specific person, but a small group can be effective too.

            <war story mode on>

            Some years ago one of our clients who we had developed a website for (to do with uses for timber) had an email from a customer saying there was a virus on the website. Instant panic mode, check everything, absolutely clean. Scratch head. Then look at email in more detail - wrong domain name. Someone had registered a .com version of our .co.uk site, grabbed our entire site (not exactly difficult), and cloned it onto the .com, with added sprinkles.

            We suspect they then had a nicely crafted email referring to some recent interesting pieces of news in the burning trees industry, and sent it to a smallish number of people in organisations and businesses interested in burning trees. A fair proportion would probably follow the links, see a plausible site, and leave none the wiser, while something nasty started to nose around their network.

            And that's even without Office attachments. No matter what we do, highly intelligent scumbags will craft new ways of conning people. Even if we provide people with non-network connected tablets using a 4G data connection for all web access, they will still get conned and reveal a password to a 'Windows Security Team member' via email.

          2. Anonymous Coward
            Anonymous Coward

            Re: emails contain poisoned Word documents

            Or just employ a hipster into a tech director role. They'll fall for phishing e-mails ALL the time.

      2. robidy

        Re: emails contain poisoned Word documents

        Interesting post.

        Docx and xlsx don't have the same exploit risk as doc and xls.

        Hence doc being the transmission vector of choice for miscreants.

        I'd consider allowing docx and xlsx and analyse my logs to see if they supported that hypothesis...while still blocking encrypted ones.
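An added example, not code from the thread or from The Register, of the attachment gate discussed in this sub-thread: Version 1.0's hold-by-pattern list, the macro-enabled *.xlam/*.xlsm/*.xltm formats and the password-protected zip dodge raised in the replies, and robidy's point that docx/xlsx carry less risk than doc/xls. The example lets the OOXML extensions through only after inspecting the zip container for an embedded VBA project or an encrypted entry, and holds an OOXML-named file whose bytes are actually a legacy OLE document. The Word/PowerPoint macro extensions (*.docm, *.dotm, *.pptm), the function names and the sample files are assumptions built for the example.

```python
"""Attachment gate: hold-by-pattern plus zip-container inspection for OOXML and archives."""
import fnmatch
import io
import zipfile

# Glob patterns as the commenter listed them, minus *.docx / *.xlsx, which are
# passed to the container inspection below instead (robidy's suggested variant).
HOLD_PATTERNS = [
    "*.ace", "*.ade", "*.adp", "*.bat", "*.chm", "*.cmd", "*.com", "*.cpl", "*.crt",
    "*.doc", "*.exe", "*.gz", "*.hlp", "*.hta", "*.htm", "*.html", "*.inf", "*.ins",
    "*.isp", "*.js", "*.lnk", "*.mdb", "*.mde", "*.msc", "*.msi", "*.msp", "*.mst",
    "*.pcd", "*.pi", "*.pif", "*.reg", "*.scr", "*.sct", "*.shs", "*.uue", "*.vbe",
    "*.vbs", "*.wsc", "*.wsf", "*.wsh", "*.xls", "*.rtf", "*.rar", "*.dot", "*.jar",
    "*.arj", "*.lzh", "*.iso", "*.xz", "*.r0*", "*.r1*", "*.r2*", "*.z",
]
# Macro-enabled Excel formats from the thread; the Word/PowerPoint equivalents are
# added here by assumption, not taken from the page.
MACRO_PATTERNS = ["*.xlam", "*.xlsm", "*.xltm", "*.docm", "*.dotm", "*.pptm"]
# OOXML extensions allowed through only after the zip container has been inspected.
OOXML_EXTS = (".docx", ".xlsx", ".pptx")

ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
ZIP_FLAG_ENCRYPTED = 0x0001                        # general-purpose bit 0 of a zip entry


def _matches(name, patterns):
    return any(fnmatch.fnmatch(name, p) for p in patterns)


def _inspect_zip(data):
    """Return a hold reason (encrypted entry, embedded VBA, corrupt container) or None.
    Only the central directory is read, so no password is needed to spot encryption."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & ZIP_FLAG_ENCRYPTED:
                    return "encrypted archive entry: " + info.filename
                if info.filename.lower().endswith("vbaproject.bin"):
                    return "embedded VBA project: " + info.filename
    except zipfile.BadZipFile:
        return "corrupt or truncated zip container"
    return None


def classify_attachment(filename, data):
    """Return ("hold", reason) or ("deliver", reason) for one attachment."""
    name = filename.lower()                 # the last extension decides, so x.pdf.exe is .exe
    if _matches(name, MACRO_PATTERNS):
        return "hold", "macro-enabled Office format"
    if _matches(name, HOLD_PATTERNS):
        return "hold", "extension on hold list"
    if name.endswith(OOXML_EXTS):
        if not data.startswith(ZIP_MAGIC):
            kind = "legacy OLE file" if data.startswith(OLE_MAGIC) else "non-zip content"
            return "hold", "OOXML extension but " + kind
        reason = _inspect_zip(data)
        return ("hold", reason) if reason else ("deliver", "OOXML container clean")
    if name.endswith(".zip") or data.startswith(ZIP_MAGIC):
        reason = _inspect_zip(data)
        return ("hold", reason) if reason else ("deliver", "zip contents not flagged")
    return "deliver", "no rule matched"


# --- Constructed sample attachments (built in memory; not real files) ---
def _build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for entry_name, payload in entries.items():
            zf.writestr(entry_name, payload)
    return buf.getvalue()


def _set_encrypted_flag(zip_bytes):
    """Set the 'encrypted' bit in every local and central header. The payload stays
    plaintext; only the flag a gateway reads is flipped, which is all the demo needs."""
    blob = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = blob.find(sig)
        while pos != -1:
            blob[pos + flag_off] |= ZIP_FLAG_ENCRYPTED
            pos = blob.find(sig, pos + 4)
    return bytes(blob)


SAMPLE_DOCX = _build_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
SAMPLE_DOCX_WITH_VBA = _build_zip({"[Content_Types].xml": "<Types/>", "word/vbaProject.bin": "\x00"})
SAMPLE_ENCRYPTED_ZIP = _set_encrypted_flag(_build_zip({"invoice.exe": "MZ placeholder"}))
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 24


if __name__ == "__main__":
    for fname, payload in [("report.docx", SAMPLE_DOCX), ("report.docx", SAMPLE_DOCX_WITH_VBA),
                           ("report.docx", SAMPLE_OLE), ("budget.xlsm", SAMPLE_DOCX),
                           ("quarterly.doc", SAMPLE_OLE), ("invoice.zip", SAMPLE_ENCRYPTED_ZIP),
                           ("photo.jpg.exe", b"MZ"), ("parts.r01", b""), ("notes.txt", b"plain text")]:
        print(fname, "->", classify_attachment(fname, payload))
```

Nested archives are not recursed into, and a held message still needs the human release step the thread describes; both are gaps a production gateway would have to close.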

    2. Anonymous Coward
      Anonymous Coward

      Re: emails contain poisoned Word documents

      Are you for real?

      If you suggested to any client-facing business that it should block or hold any email including a .doc or .docx attachment you would, at best, be laughed out of the room.

      Communication with your clients is essential, and they primarily use .pdfs for uneditable content, and Word for editable content.

      You may hate it, but that's the truth.

      1. Anonymous Coward
        Anonymous Coward

        Re: emails contain poisoned Word documents

        We're doing pretty much that. 250 employees, more than 10.000 customers and we don't let anything but the few allowed attachments through.

        For every email blocked, the user gets a message and if they decide they need that email or attachment we check it and if legit and virus-free the email will be delivered.

        It's about 15 minutes a day for 2 techs to do this. Most emails don't get unblocked because the user doesn't need them. And most customers or other businesses have started to either send pdf files or just not send files.

        For businesses we regularly exchange files with there's a 'cloud' storage solution in place.

  4. AK565

    The problem is that you can't fix stupid. Most people believe they already know far more than most people about damn near everything. The glaring lack of any supporting evidence for this belief is irrelevant in their minds, such that they have.

    Most simply won't accept the idea that someone from IT might know a tad more about hw, sw, and security than they do.

    All you can do is keep them from accessing anything that might cause damage.

    1. Smoking Man

      All you can do is keep them from accessing anything that might cause damage.

      That's why we hide them in a larger office named "Management".

  5. HollyHopDrive

    Training

    Whilst the large bank I work for is generally useless with IT, the two things they do to mitigate this are mark all external emails very clearly at the top and secondly send test emails with a payload randomly to employees to see who reports it as phishing and who opens it blindly. Those who open it get immediately sent on a “re-education” course.

    Oh, and external email is only given on a needs basis, not by default.

    Whilst not perfect it’s certainly a blummin good way to catch out the stupid and try and do something about it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Training

      Good idea, sending training phish emails, in fact why not check and see if these Korean infrastructural attack phish emails could have been sent by someone under false attribution. There are nation state ‘fake-other nation state” malware tools around.

      From my reading of the actual South Korean news about their steadily improving relations with North Korea, that’s the sort of counter-narrative news that might definitely result in some sort of ‘anti’ news from your local centralised intelligence agents.

      Bigging up the foreign threat bigly = continue big budget times $$$

  6. CAPS LOCK Silver badge

    Can one of you know-it-alls please explain...

    ... how the source code is available? No source obfuscation in the binary? IDK...

    1. Michael Wojcik Silver badge

      Re: Can one of you know-it-alls please explain...

      Obfuscation only gets you so far, and malware is often assembled out of verbatim chunks of other malware, so you can apply automated sequence matching or more code-specific algorithms such as entry-point fingerprinting.

      Also, if the Word document in question used macros, those are delivered in source form to the victim.
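An added example, not code from the thread, of the "automated sequence matching" mentioned above: two constructed byte blobs that share one verbatim chunk (a common x86 function prologue, chosen for the illustration) are compared by byte n-gram overlap and by the longest common byte run, which is how reuse of code between samples shows up even when the surrounding bytes differ. The blob contents, the shared chunk and the function names are constructed for this example.

```python
"""Code-reuse matching between two binaries: n-gram overlap and longest shared byte run."""


def byte_ngrams(blob, n=4):
    """Set of all n-byte windows in blob: an order-free fingerprint of its content."""
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}


def shared_ngrams(a, b, n=4):
    """n-grams present in both blobs."""
    return byte_ngrams(a, n) & byte_ngrams(b, n)


def ngram_jaccard(a, b, n=4):
    """Jaccard similarity of the two n-gram sets; 0.0 when nothing is shared."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


def longest_common_run(a, b):
    """Longest byte string that appears verbatim in both blobs (dynamic programming,
    O(len(a) * len(b)); fine for the small samples here)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def compare(a, b, n=4):
    """Summary a triage script could log for a pair of samples."""
    run = longest_common_run(a, b)
    return {
        "jaccard": round(ngram_jaccard(a, b, n), 3),
        "shared_ngrams": len(shared_ngrams(a, b, n)),
        "longest_run_hex": run.hex(),
        "longest_run_len": len(run),
    }


# Constructed samples: two unrelated "binaries" that both embed the same chunk.
# SHARED_CHUNK is push ebp; mov ebp,esp; sub esp,0x10; push ebx; push esi; push edi.
PREFIX_A = b"alpha beta gamma delta epsilon zeta eta theta"
PREFIX_B = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SHARED_CHUNK = bytes.fromhex("558bec83ec10535657")
SAMPLE_A = PREFIX_A + SHARED_CHUNK + b" tail one"
SAMPLE_B = PREFIX_B + SHARED_CHUNK + b"_TAIL_TWO"


if __name__ == "__main__":
    print("related:  ", compare(SAMPLE_A, SAMPLE_B))
    print("unrelated:", compare(PREFIX_A, PREFIX_B))
```

The n-gram score is cheap enough to run across a whole corpus; the common-run search is the slower step that confirms a hit and hands the analyst the actual shared bytes to look at.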

  7. Pen-y-gors Silver badge

    There is a solution to dodgy e-mail attachments.

    1. Set up a desktop on AWS or similar.

    2. Require all users to access said desktop via VNC (special version, file transfer disabled)

    3. Require all users to only access e-mail using webmail of some sort via a browser on the remote desktop, with attachments being viewed via browser plugins.

    4. Wipe and re-install remote desktop every hour.

    There's probably still some holes in this, but it's more useable than 'ban the interwebs'.

  8. sisk Silver badge

    I wonder if this has anything to do with the massive uptick we've seen in infected Word docs and PDFs trying to come in over the last month. So massive, in fact, that we started quarantining all Word docs and PDFs coming in from outside our domain as dealing with the ones that needed to be released was taking less effort than dealing with the ones that somehow slipped past all our filters. I've been working under the assumption that we were being targeted (though I couldn't figure out why anyone would make that sort of effort to break into a school district's systems), but if there's been a major campaign going on maybe not.

  9. steviebuk Silver badge

    What's the point

    Just go up North and you can just walk up to the nuclear facility unchallenged. I'm 99% sure I read an article a few years back where this happened. I annoyingly can't find the story now.


Biting the hand that feeds IT © 1998–2019