A group of hackers that have links to the North Korea government used servers in Thailand to carry out large scale cyber espionage and malware attacks, according to a new report.
Earlier this week, cyber security firm McAfee released new details on the global hacking campaign, dubbed Operation GhostSecret.
Researchers say the campaigns were carried out to steal important information from critical infrastructure, telecommunications, finance, health care and entertainment organisations from all over the world.
“The campaign is extremely complicated, leveraging a number of implants to steal information from infected systems and is intricately designed to evade detection and deceive forensic investigators,” McAfee wrote in a post on Tuesday.
McAfee says the same group are responsible for carrying out large scale attacks on Turkish banks last month and said that there were many similarities between the attacks and those used on Sony Pictures in 2014.
But the attacks on Turkish financial institutions, which were carried out between March 14 and 18 this year, were only a fraction of the operation, which eventually spanned 17 countries, including Thailand, the United States, Germany, Japan, China and Australia.
The tools used in the attacks were the same as those used by Hidden Cobra, which the United States say are state sponsored hackers from North Korea. As well as being named as those responsible for the huge hack on Sony Pictures, Hidden Cobra are also thought to have carried out the Wanna Cry malware attack that crippled computers and networks around the world last May.
Servers seized by authorities in Thailand
Meanwhile on Wednesday, Thailand’s Computer Emergency Response Team (ThaiCERT) announced that it had seized the servers used in the global hacking campaign and that they had been handed over to law enforcement agencies.
According to McAfee one of the servers was located at Thammasat University in Bangkok.
“This server resides at Thammasat University in Bangkok, Thailand. The same entity hosted the control server for the Sony Pictures implants”, McAfee said in its report.
“This SSL certificate has been used in Hidden Cobra operations since the Sony Pictures attack. Analyzing this certificate reveals additional control servers using the same PolarSSL certificate.
“Further analysis of McAfee telemetry data reveals several IP addresses that are active, two within the same network block as the 2018 Destover-like implant.”
“McAfee is working with Thai government authorities to take down the control server infrastructure of Operation GhostSecret, while preserving the systems involved for further analysis by law enforcement authorities”.
“By creating and maintaining partnerships with worldwide law enforcement, McAfee demonstrates that we are stronger together”.