McAfee: New attack uses source code from long-inactive group

Raj Samani, chief scientist at McAfee

Raj Samani, chief scientist at McAfee

LAS VEGAS — At its Mpower event here, McAfee outlined its research into an attack that it says may be the first case of a known nation-state threat group’s code being used by another nation-state threat group.

The security company spent six months researching what it calls Operation Oceansalt, an attack it saw through much of this year that it says is a changed and enhanced version of the code used in attacks by China-backed APT1 or Comment Crew in a reconnaissance attack nearly a decade ago. 

Raj Samani, chief scientist at McAfee, said the Oceansalt was first seen in early May, with a Korean-language document containing macros that borrowed from Seasalt, which was used for corporate espionage between 2009 and 2010. It reappeared later than month, he said, with another campaign, using another infected document in Korean, this time targeting public infrastructure in South Korea.

Both of these attacks were written in such a way that it was clear the attacker was natural in the Korean language, and had a strong understanding of the structure and nature of higher education and public infrastructure in that nation. 

The attack would resurface in August, when it was used to hit a small number of companies in Canada and the United States, primarily in the financial and agricultural industries, Samani said.

The attack is shrouded in some level of mystery, Samani said, because McAfee has found no evidence that the original creators of the code were marketing or otherwise sharing the source code of their earlier attack, leaving the open question of how a seemingly third party came into possession of the code. Ryan Sherstobitoff, senior analyst for major campaigns at McAfee, said that the use of the same variables in the original and new attack code suggested the authors of the new attack had access to both the original attack’s source code and the development environment in which it was created.

While both Samani and Sherstobitoff said it was McAfee policy not to directly attribute active attacks to any given actor, they said the reappearance of the long-dormant code suggested one of three possibilities.

  • The original Comment Crew group, which was “publicly outed” in 2013 and hasn’t been heard from since is back;
  • A new attacker has gained access to the original Comment Crew code and modified it for their own means suggesting perhaps the first collaboration between two nation-level attackers, namely China and North Korea; or
  • It’s a “false flag” designed to make it look like China and North Korea are working together to attack South Korea.

Either of the latter two are entirely plausible, especially given the geopolitical situation with the two Koreas working towards some degree of reconciliation, in which public infrastructure plays a large role.

But there are a lot of questions left. While Samani says McAfee knows it has intercepted early-stage actions in the attack, in which it infects systems and sends information back to a command and control server which the attacker can use to determine if the infected system is of value in forming future attacks. What those future attacks might look like? Samani won’t speculate.

“We’ve seen the espionage portion of the attack, but we don’t know what the goal of the attack was,” Samani said. “Hopefully, we’ll never know because the campaign is stopped” as the result of its discovery, he added.

There’s no way of telling the motivation of the attack, particularly in light of the later attacks in the U.S. and Canada, Samani said, adding that security researchers are usually “handed a 200-piece puzzle with eight pieces in the box.”

The new attack is a significant enhancement of the original, Sherstobitoff said, showing a new encryption system and new obfuscation techniques, but was doubtless based on the same code. 

The idea of nation state attackers reusing code is nothing new, as Samani points out that last year’s massive WannaCry attack reused some previous code. But that was code originally authored by the same attack group. If McAfee’s assertions around Oceansalt are correct, it would be the first time one nation state has attained code from another nation state actor.

“You might be witnessing a code-sharing agreement between two nation states — one that has the old code, and one that has perfectly fluent Korean-language skills,” Samani said.

McAfee says it has shared its finding on the attacks with law enforcement at appropriate levels, and has shared details of the attack with companies it knows were compromised.

Robert Dutt

Robert Dutt is the founder and head blogger at He has been covering the Canadian solution provider channel community for a variety of publications and Web sites since 1997.