Sharpshooter

Threat Actor updated 4 months ago (2024-05-05T01:18:28.333Z)
Sharpshooter is a threat actor that has been identified as a significant cybersecurity risk. The operation was first discovered in December 2018, when it used a unique implant framework to infiltrate global defense and critical infrastructure sectors, including nuclear, defense, energy, and financial companies. It was initially believed that the operation began in October 2018. However, new findings from command-and-control (C2) server data and code analysis suggest that Sharpshooter's activities started as early as September 2017. This indicates a broader and more prolonged campaign than previously thought, with targets spanning various industries and countries.

The technical indicators, techniques, and procedures exhibited by Sharpshooter bear striking similarities to those of other attack groups, particularly the Lazarus Group, hinting at a possible connection. For instance, the Rising Sun, which shares tactics, techniques, and procedures (TTPs) with the Lazarus Group, was observed in attacks before the discovery of Sharpshooter. Further analysis of Sharpshooter's code from a C2 server provided additional evidence linking it to North Korea's Lazarus threat actor.

Sharpshooter's operations continue to be active and pose a significant threat. Unobfuscated connections were found from IP addresses in Windhoek, a city in Namibia, Africa, indicating a potential base of operations. Despite the initial disclosure and ongoing research into Sharpshooter, the complexity, scope, and duration of its operations remain extensive. Continuous monitoring and investigation are therefore necessary to mitigate the risks associated with this threat actor.
Description last updated: 2024-05-05T01:12:11.632Z
Aliases: We are not currently tracking any aliases
Source Document References
Information about the Sharpshooter Threat Actor was read from the documents corpus below.
Source | Created | Title
CERT-EU | 8 months ago | A guide to the most important characters in Sarah J. Maas' 'Crescent City' series
MITRE | 2 years ago | Op 'Sharpshooter' Connected to North Korea's Lazarus Group
MITRE | 2 years ago | RSAC 2019: New Operation Sharpshooter Data Reveals Higher Complexity, Scope | Threatpost