Sharpshooter

Threat Actor Profile Updated 3 months ago
Sharpshooter (also reported as Operation Sharpshooter) is a threat actor tracked as a significant cyber-security risk. The operation was publicly disclosed in December 2018, when it was found using a previously unseen implant framework to target global defence and critical-infrastructure organisations, including nuclear, defence, energy and financial companies. Its activity was initially believed to have begun in October 2018, but later analysis of data and code recovered from a command-and-control (C2) server indicates that Sharpshooter's activity started as early as September 2017. This points to a broader and longer-running campaign than first thought, with targets across multiple industries and countries.

The technical indicators, techniques and procedures attributed to Sharpshooter closely resemble those of other groups, particularly the Lazarus Group, suggesting a possible connection. For example, the Rising Sun implant used in Sharpshooter shares tactics, techniques and procedures (TTPs) with Lazarus Group tooling and was observed in attacks that predate the discovery of Sharpshooter. Analysis of Sharpshooter code recovered from the C2 server provided further evidence linking the operation to North Korea's Lazarus Group.

Sharpshooter's operations were still assessed as active at the time of the latest reporting. Unobfuscated connections to the infrastructure were observed from IP addresses in Windhoek, Namibia, which may indicate a base of operations, although source IP addresses alone are weak evidence for attribution. Despite the initial disclosure and the research that followed, the full complexity, scope and duration of the operation remain unclear, so continued monitoring and investigation are warranted.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

Rising Sun (1 vote): Rising Sun is a malicious software (malware) that shares significant similarities with the Lazarus Group's Duuzer implant. It uses source code from the Duuzer backdoor, a malware first used in a 2015 campaign that targeted South Korean organizations, primarily in manufacturing. The Rising Sun malwar…

Lazarus Group (1 vote): The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Implant, Operation Sh..., Espionage, Reconnaissance
Associated Malware: no associations to display
Associated Threat Actors: no associations to display
Associated Vulnerabilities: no associations to display
Source Document References
Information about the Sharpshooter threat actor was read from the documents listed below (display limited to 20 results).

CERT-EU, 6 months ago: A guide to the most important characters in Sarah J. Maas' 'Crescent City' series
MITRE, a year ago: Op 'Sharpshooter' Connected to North Korea's Lazarus Group
MITRE, a year ago: RSAC 2019: New Operation Sharpshooter Data Reveals Higher Complexity, Scope | Threatpost