McAfee discovered a new cyber espionage campaign linked to Chinese state-sponsored hacking group APT1. That group has been accused of launching attacks on more than 141 U.S. companies between 2006 and 2010.
A report by the security company’s threat research team doesn’t say who is behind the new campaign, which targets organizations in the U.S., Canada, and South Korea. But it says they reused code from implants last seen in 2010 by APT1 in an attack dubbed Operation Seasalt. McAfee names this new campaign Operation Oceansalt because of its similarity to Seasalt.
The report follows a U.S. Department of Homeland Security (DHS) alert earlier this month that warned nation-states are attempting to steal companies’ intellectual property by infiltrating managed service provider (MSP) networks. This threat also has ties to Chinese state-sponsored hackers.
The McAfee report, “Operation Oceansalt Attacks South Korea, U.S. and Canada with Source Code from Chinese Hacker Group,” says the Oceansalt implant would not have been possible unless the actors behind it had direct access to the Seasalt source code.
The attackers targeted Korean-speaking individuals in the investment, banking, and agriculture industries via spearphishing with malicious Korean-language documents related to South Korean infrastructure and financial data. The documents act as downloaders for the implant, which gives the attackers full control of any system they manage to compromise and of the network to which it is connected.
McAfee says financial theft is a possible motive. “These attacks might be a precursor to a much larger attack that could be devastating given the control the attackers have over their infected victims,” the report says. “The impact of these operations could be huge: Oceansalt gives the attackers full control of any system they manage to compromise and the network it is connected to. A bank’s network would be an especially lucrative target.”
New Enterprise Security Products
McAfee released the new threat research this week at its Mpower 2018 conference in Las Vegas. The company also added new products to its Mvision enterprise security portfolio.
This includes an endpoint detection and response (EDR) product called Mvision EDR. The company also rebranded and enhanced its cloud access security broker (CASB), acquired from Skyhigh Networks earlier this year, as Mvision Cloud. The new capabilities include an integrated data loss prevention policy engine across endpoints, networks, and the cloud, giving users a single pane of glass to manage and report data loss prevention (DLP) incidents.
“We are bringing device and cloud together with a unified DLP,” said Raja Patel, vice president and general manager of McAfee’s Corporate Security Products. “This provides unified visibility between endpoint, network, and cloud, and it’s our first true integrated proof point on device-to-cloud security.”
The new endpoint product helps security teams move faster to detect and remediate threats, Patel said. Cloud-based analytics use the Mitre ATT&CK framework to find and prioritize suspicious behaviors. This helps analysts more quickly understand the risk severity and then either dismiss, respond to, or investigate the threat.
It also uses artificial intelligence (AI) to automate investigations and evidence gathering. McAfee says its own internal security team up-skilled junior security analysts using this tool and saw a 15x reduction in time to investigate.
“And all that gets put into a common management fabric with ePO,” Patel said, referring to McAfee’s software-as-a-service (SaaS)-based management platform.
The product updates reflect enterprises’ growing attack surface, which stretches from edge to cloud, Patel said. “Our customers are continuing to evolve their environment, and on the device side that means they are using more … device styles,” he said. “The perimeter is no longer the best place to do security and expect full coverage. Customers are also leveraging more … SaaS-based services, so that becomes another control point. What to protect is literally moving back to the device and the cloud.”