Malware Strikes Again

In the world of cybersecurity, there seems to be a never-ending battle against new security threats and revamped old ones.

In a recent case, McAfee reported the reemergence of components of a former Chinese state-sponsored malware threat. In an interesting twist, this new threat, derived from an old one, reuses code that was never made public and was never available on the black market. Read on to learn more about the mystery surrounding this rehashed threat, now identified as “Oceansalt”.

The History Behind Oceansalt

In 2013 it was discovered that over 100 U.S. companies were victims of hackers, losing hundreds of terabytes of data through the work of a Chinese state-sponsored group known as Comment Crew, or APT1. 

The group then vanished as quickly as they had emerged.  Recently, McAfee reported they found malware that reuses a portion of code from an implant dubbed “Seasalt”, circulated by Comment Crew back in 2010.  As noted earlier, what makes this particular malware interesting is that the source code used to create the new Oceansalt malware was never made public, nor was it available for sale on the black market.

The Emergence of Oceansalt Attacks 

Starting in South Korea in May of 2018, Oceansalt was used to strategically target the financial industry as well as public infrastructure projects.

Eventually the malware made its way to companies in the U.S. and Canada, focusing on targets in the healthcare, agricultural and financial industries.  Oceansalt works by infecting Excel spreadsheets attached to emails.  It is significant in that not only can it control the device it infects, it can also control any network the infected device connects to.

The Mystery of Oceansalt

Although McAfee has learned enough about Oceansalt to determine its source code and how the malware infects systems, the jury is still out as to who is directly responsible for creating Oceansalt.

Whether Oceansalt signals the reemergence of APT1, stems from the theft of APT1’s original work, or the finger pointing at China is simply a smokescreen for another, currently unknown group remains to be seen.

If you would like to know more about how to protect your data from cybersecurity threats such as Oceansalt, please contact us.
