Article by Rosie Perper

A North Korea-linked hacking group has been tied to a series of cyberattacks spanning 17 countries, a campaign far larger than initially thought.

A new report by McAfee Advanced Threat Research found a major hacking campaign, dubbed Operation GhostSecret, sought to steal sensitive data from a wide range of industries including critical infrastructure, entertainment, finance, healthcare, and telecommunications.


Attackers used tools and malware programs associated with the North Korea-sponsored cyber unit Hidden Cobra, also known as Lazarus, to execute the highly sophisticated operation.

Operation GhostSecret is thought to have started with a massive cyberattack on several Turkish financial institutions and government organizations in early March 2018. The cyberoffensive then began targeting industries in 17 countries and is still active, according to McAfee.

Servers in the US, Australia, Japan, and China were infected several times from March 15 to 19, 2018. Nearly 50 servers in Thailand were hit heavily by the malware, the most of any country.

McAfee researchers noted many similarities between the methods used in Operation GhostSecret and other major attacks attributed to the group, including the 2014 attack on Sony Pictures and 2017's global WannaCry attack.

"As we monitor this campaign, it is clear that the publicity associated with the (we assume) first phase of this campaign did nothing to slow the attacks. The threat actors not only continued but also increased the scope of the attack, both in types of targets and in the tools they used," Raj Samani, McAfee's chief scientist, said.

The report indicates North Korea has been expanding its cybercrime beyond its usual focus of stealing military intel or cryptocurrency that can be used to funnel money to the heavily sanctioned government.

North Korean groups have been tied to increasingly high-stakes attacks in recent months.

In January 2017, researchers from the US cybersecurity firm Recorded Future said a hacking campaign targeting the South Korean cryptocurrency exchange Coinlink employed the same malware used in the Sony and WannaCry attacks.

The attack was attributed to the Lazarus group, which has been conducting operations since at least 2009, when it launched an attack on US and South Korean websites by infecting them with a virus known as MyDoom.

This article originally appeared on Business Insider.