{"id":108178,"date":"2020-11-05T08:00:16","date_gmt":"2020-11-05T16:00:16","guid":{"rendered":"\/blogs\/?p=108178"},"modified":"2025-03-31T20:25:18","modified_gmt":"2025-04-01T03:25:18","slug":"operation-north-star-summary-of-our-latest-analysis","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/operation-north-star-summary-of-our-latest-analysis\/","title":{"rendered":"Operation North Star: Summary Of Our Latest Analysis"},"content":{"rendered":"

McAfee\u2019s Advanced Threat Research (ATR) today released research that uncovers previously undiscovered information on how Operation North Star evaluated its prospective victims and launched attacks on organizations in Australia, India, Israel and Russia, including defense contractors based in India and Russia.<\/p>\n

McAfee\u2019s initial research into Operation North Star<\/a> revealed a campaign that used social media sites, spearphishing and weaponized documents to target employees working for organizations in the defense sector. This early analysis focused on the adversary\u2019s initial intrusion vectors, the first stages of how an implant was installed, and how it interacted with the Command and Control (C2) server.<\/p>\n

By deepening its investigation into the inner workings of North Star\u2019s C2, McAfee ATR can now provide a unique view into not only the technology and tactics the adversary used to stealthily execute his attacks but also the kinds of victims he targeted.<\/p>\n

The latest research probed into the campaign\u2019s backend infrastructure to establish greater perspective into how the adversary targeted and assessed his victims for continued exploitation, and how he used a previously unknown implant called Torisma to execute this exploitation.<\/p>\n

McAfee\u2019s findings ultimately provide a unique view into a persistent cyber espionage campaign targeting high value individuals in possession of high value defense sector intellectual property and other confidential information.<\/p>\n

VECTORS & INFRASTRUCTURE<\/strong><\/h2>\n

Most analysis of cyber campaigns is typically reliant upon the dissection of malware and the telemetry of cyber defenses that have come into contact with those campaigns. McAfee\u2019s analysis of Operation North Star complemented these elements by dissecting the C2 infrastructure that operated the campaign. In doing so, we gained a holistic view of its operations that is rarely available to threat researchers.<\/p>\n

Attackers often send out many spearphishing emails to many potential targets rather than precisely targeting the highest value individuals. Once the victim opens a message and infects himself, the malware will try to fully exploit his system. But this broad, less precise approach of infecting many is \u201cnoisy\u201d in that it is likely to be identified if these infections are happening at scale across an organization (let alone around the world). \u00a0Cyber defenses will eventually be able to recognize and stop it.<\/p>\n

In the case of Operation North Star, the attackers researched their specific target victims, developed customized content to lure them, engaged them directly via LinkedIn mail conversations, and sent them sophisticated attachments that infected them in a novel way using a template injection tactic.<\/p>\n

The campaign used legitimate job recruitment content from popular U.S. defense contractor websites to lure specific victims into opening malicious spear phishing email attachments. Notably, the attackers compromised and used legitimate web domains hosted in the U.S. and Italy to host their command and control capabilities. These otherwise benign domains belonged to organizations in a wide variety of fields, from an apparel manufacturer, to an auction house, to a printing company, to an IT training firm.<\/p>\n

Using these domains to conduct C2 operations likely allowed them to bypass some organizations\u2019 security measures because most organizations do not block trusted websites.<\/p>\n

The first stage implant was delivered by DOTM files which, once established on a victim\u2019s system, gathered information on that system such as disk information, free disk space information, computer name and logged in username and process information. It would then use a set of logic to evaluate the victim system data sent back by this initial implant to determine whether to install a second-stage implant called Torisma. All the while, it operated to achieve its objectives while minimizing the risk of detection and discovery.<\/p>\n

General process flow and component relationship<\/p>\n

Torisma is a previously undiscovered, custom-developed, second-stage implant focused on specialized monitoring of high value victims\u2019 systems. Once installed, it would execute custom shellcode and run a custom set of actions depending on the victim systems\u2019 profiles. The actions included active monitoring of the systems and execution of payloads based on observed events. For instance, it would monitor for an increase in the number of logical drives and Remote Desktop Sessions (RDS).<\/p>\n

What is clear is that the campaign\u2019s objective was to establish a long-term, persistent espionage campaign focused on specific individuals in possession of strategically valuable technology from key countries around the world.<\/p>\n

VICTIMS & IMPACT<\/strong><\/h2>\n

McAfee\u2019s early analysis of Operation North Star\u2019s spearphishing messages were written in Korean and exhibited mentions of topics specific to South Korean politics and diplomacy. But our latest analysis of North Star\u2019s C2 log files enabled us to identify targets beyond South Korea:<\/p>\n

 <\/p>\n