Multiple security vendors come together to help identify the tools and tactics that the Lazarus Group used against Sony and other targets.
The attack against Sony Pictures Entertainment in 2014 is one of the highest-profile and yet mysterious security breaches in recent years. Possible culprits have ranged from North Korea to disgruntled ex-employees, but “Operation Blockbuster,” a multi-vendor report issued Feb. 24, blames attackers identified as the Lazarus Group and also claims that they are still active.Among the organizations that participated in the Operation Blockbuster research are Kaspersky Lab, AlienVault and Novetta, with support from Invincea ThreatConnect, Veloxity, Punch Cyber, Trend Micro and Symantec.After the attack against Sony Pictures Entertainment in 2014, Kaspersky Lab’s Global Research and Analysis Team began investigating samples of the Destover malware publicly named as used in the attack, explained Brian Bartholomew, senior security researcher at Kaspersky Lab. “This led to wider research into a cluster of related cyber-espionage and cyber-sabotage campaigns targeting financial institutions, media stations and manufacturing companies, among others,” Bartholomew told eWEEK.Over the course of the investigation, Kaspersky Lab researchers exchanged preliminary findings with AlienVault Labs, and researchers from the two companies decided to conduct a joint investigation.
“Simultaneously, the activity of the Lazarus Group was being investigated by many other companies and security specialists,” Bartholomew said. “One of these companies, Novetta, started an initiative aimed at publishing the most extensive and actionable intelligence on the activity of the Lazarus Group.”
The fact that most of the participants in Operation Blockbuster are competitors is not a problem.Security industry collaboration is common, even among competitors, Jaime Blasco, vice president and chief data scientist at AlientVault, told eWEEK.Although Operation Blockbuster is all about discovering the activities of the Sony Pictures attackers, the vendors involved in the operation did not work directly with Sony.”We didn’t work with Sony,” Blasco said. “The information from Sony was obtained from open-source sources as well as from the US-CERT [United States Computer Emergency Readiness Team] when they shared technical details about the Sony attackers.”By analyzing multiple attacks and malware families, the Operation Blockbuster participants were able to determine that a single hacker collective, identified as the Lazarus Group, used approximately 45 unique malware families to attack victims, including Sony Pictures.”Most attackers use a smaller amount of malware families,” Blasco explained. “This actor [Lazarus Group] uses a variety of malware [some of which] are variants of each other or share common functionality and even the same code base.”The Operation Blockbuster participants also identified some common command-and-control elements across the malware families that the Lazarus Group used.
In addition to crossovers in some command-and-control servers, there were similarities in code, Bartholomew said.
That said, he emphasized that attribution isn’t reliant on finding the one golden nugget.”It’s a very careful and specific process that incorporates many small pieces into a larger picture,” Bartholomew said. “Even if there was one main node, this would not have been enough by itself to definitively provide attribution.”Although the FBI has pointed fingers at North Korea as the base of the attack against Sony Pictures, the Operation Blockbuster participants are making no such assertion.”We don’t do attribution,” Blasco said. “That being said, the FBI blamed North Korea for the Sony attack. On the other hand, the South Korean government has blamed North Korea for almost all these campaigns, including DarkSeoul.”As early as December 2014, Kaspersky Lab analysts were already reporting that there was a correlation between malware used in the DarkSeoul attack against South Korean targets and the malware in the Sony Pictures attack.As such, the Operation Blockbuster report notes that the Lazarus Group was, in fact, active prior to the Sony Pictures attack in 2014 and is likely still active today. With the publication of the report today and coordination across multiple security vendors, the hope is that the activities of the Lazarus Group will be severely disrupted.Blasco said he expects Operation Blockbuster to affect the Lazarus Group activities because information has been shared with different antivirus companies that can update their signatures and remove the malware from the victims.”That way, the attackers will lose access to some of the victims,” Blasco said. “On the other hand, since we are disclosing all the technical details and their techniques, we are forcing them to spend more resources, including time, to build new malware and avoid detection. We are basically raising the bar for them to keep operating.”The Lazarus Group is a currently active malicious threat actor that multiple law enforcement agencies are already investigating, Bartholomew said. He echoed Blasco’s view that the antivirus push to protect the largest-possible percentage of the population will definitely cause the Lazarus Group to regroup and retool.”How this will translate into a time frame, we don’t know,” Bartholomew said. “This operation, though, was more about bringing to light the extensiveness and longevity of this group, which until now, was only attributed to a small amount of attacks.”Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.
Follow him on Twitter @TechJournalist.