North Korea: New access to a seized server has shed some light on the previously identified Sharpshooter campaign. The campaign was originally listed as unidentified after following an investigation into the operation. Although a number of indicators pointed to North Korean ties to the operation, researchers initially believed them to be too obvious and felt that they were false flags meant to mislead investigators. This new revelation came after researchers were provided with access to a seized command-and-control (C2) server which was found to be tied to the campaign. The campaign was originally believed to have begun in late October of 2018, however, analysis of the C2 server indicates that the campaign actually goes as far back as September of 2017 and targeted a much broader set of targets than originally indicated.
Analyst Notes
While fully understanding the scope of a campaign can be difficult when analyzing it after the fact, without access to its C2 infrastructure the discovery of the significantly longer timeline and wider spread indicates that Lazarus Group has possibly increased the level of stealth with which they are able to carry out their operations.
