Oceansalt cyberattack campaign's roots traced to “Comment Crew” Chinese hacker group activity from 2010

A new data reconnaissance campaign targeting Korean-speaking users has now spread to US and Canada. The threat actors involved in these campaigns are linked to the Chinese military. The campaign was found majorly targeting South Korea in the month of May, where five waves of campaigns were launched targeting various organization in the country.

McAfee’s Advanced Threat research team discovered this campaign. The team also published an extensive report named “Operation Oceansalt Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group” on Thursday, about the new campaign which majorly focuses on cyberespionage and data reconnaissance.

The group is found to use a new implant specially crafted for data reconnaissance operations, which was clearly not identified previously in any other campaigns. Further examination of the implant also revealed that the source code used is based on the Comment Crew hacker group’s “Seasalt” source code.

Comment Crew Hacker group

The name “Comment Crew” was earned by the group when they used HTML comments to hide communication to C&C servers in their attacks. Usually, the attack vector used by Comment Crew included spear phishing campaigns containing specially crafted malicious documents. Some of the malicious documents were titled as “Army Plans Conference On New GCV Solicitation.pdf,” or “Chinese Oil Executive Learning From Experience.doc.”

When active, the group was also rumored to have stolen terabytes of data from reconnaissance attacks.

Distribution vector

The newer “Oceansalt” campaign was also found to use the same attack methods as the “Comment Crew” group. The initial attack vector used was spear phishing, combined with two malicious Korean-language Microsoft Excel documents acting as downloaders for the implant. The hackers appear to have knowledge of the South Korean public infrastructure and related financials, showing a clear indication that the attacker’s focus was infrastructure, said the researchers.

Other identified scenarios include malicious documents spreading Trojan.Ecltys, Backdoor.Barkfork, and Trojan.Downbot, among others, all focused on cyberespionage.

Five different campaign waves

The Oceansalt campaign started targeting victims from South Korean and began spreading globally as different waves of campaigns. The distribution URLs for the implants were fairly consistent for the malicious documents; it appears the actor hacked a number of South Korean websites to host the implant code, said the McAfee report.

The first wave targeted victims involved in higher education in South Korea or who attended various educational institutes. In the second wave targeting South Korean public infrastructure, the malicious implant was hosted on a website that belonged to a legitimate music teacher’s organization, which was not connected to the threat actors in any way.

The malicious document used in the third wave, which targeted Inter-Korean Cooperation, included Word documents that appear to be created at the same time as the attacks on South Korean infrastructure started.

However, the fourth and fifth wave of attacks targeted victims from outside South Korea, including the U.S and Canada.

“This operation has focused on targets in South Korea and other countries with new malware that has roots in Comment Crew activity from 2010. McAfee continues to monitor the threat landscape in Asia and around the world to track the evolution of this groups and changes to their techniques,”” said researchers.