Cybersecurity firms unite against ‘Sony hackers’
By Digital News Asia February 29, 2016
- Indonesia and Malaysia among countries affected by Lazarus Group
- ‘The power to wipe thousands of computers at the push of a button’
FOUR cybersecurity firms are working together to investigate and take down the hacker collective known as Lazarus Group, believed to be behind the attack on Sony Pictures Entertainment in 2014 and Operation DarkSeoul, which targeted media and financial institutions in 2013.
Operation Blockbuster, which involves AlienVault Labs, Kaspersky Lab, Novetta and Symantec, began its activities in December 2014, about a month after the Sony Pictures attack, for which a group called Guardians of Peace claimed responsibility at the time.
In the Sony Pictures attack, the hackers gained access to confidential data, including payroll information, private e-mail correspondence between executives and copies of unreleased movies, and leaked it all online. This led to several high-level resignations at the studio.
At the time, the attack was believed to have been in retaliation for a movie that was about to be released, The Interview, a comedy starring Seth Rogen and James Franco about a fictional plot to assassinate North Korean dictator Kim Jong-un. Sony initially cancelled the film's theatrical release after the attack.
After the attack on Sony Pictures, Kaspersky Lab’s Global Research and Analysis Team (GReAT) began its investigation into samples of the Destover wiper malware publicly reported as used in the attack, the cybersecurity company said in a statement.
This led to wider research into a cluster of related cyber-espionage and cyber-sabotage campaigns targeting financial institutions, media stations, and manufacturing companies, among others.
Based on the common characteristics of the different malware families, Kaspersky Lab experts were able to group together dozens of isolated attacks and determine that they all belong to one threat actor, as other participants in Operation Blockbuster confirmed in their own analysis.
The Lazarus Group threat actor was active several years before the Sony Pictures incident, and it appears that it is still active, Kaspersky Lab said in its statement.
During the investigation, Kaspersky Lab researchers exchanged preliminary findings with AlienVault Labs. Eventually researchers from the two companies decided to unite efforts and conduct a joint investigation.
Simultaneously, the activity of the Lazarus Group was being investigated by many other companies and security specialists. One of these companies, Novetta, started an initiative aimed at publishing the most extensive and actionable intelligence on the activity of the Lazarus Group.
Other Operation Blockbuster research confirms a connection between malware used in various campaigns, such as Operation DarkSeoul against Seoul-based banks and broadcasters, Operation Troy targeting military forces in South Korea, and the Sony Pictures incident, it added.
As part of Operation Blockbuster, together with Novetta, AlienVault Labs, and other industry partners, Kaspersky Lab is publishing its findings for the benefit of the wider public.
“Through Operation Blockbuster, Novetta, Kaspersky Lab and our partners have continued efforts to establish a methodology for disrupting the operations of globally significant attack groups and attempting to mitigate their efforts to inflict further harm,” said Andre Ludwig, senior technical director, Novetta Threat Research and Interdiction Group.
“The level of in-depth technical analysis conducted in Operation Blockbuster is rare, and sharing our findings with industry partners, so we all benefit from increased understanding, is even rarer,” he added.
The extent of the operation
The analysis of samples showed that the earliest might have been compiled as long ago as 2009, five years before the infamous attack against Sony. The number of new samples has grown dynamically since 2010, Kaspersky Lab said.
This characterises the Lazarus Group as a stable, longstanding threat actor. Based on metadata extracted from investigated samples, most of the malicious programs used by the Lazarus Group appear to have been compiled during the working hours of GMT+8 to GMT+9 time zones.
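The compile-time observation above rests on a simple technique: read the compile timestamp that the linker stamps into each PE sample, shift it into every candidate time zone, and ask in which zone most samples land inside a normal working day. The script below is an added example, not code from the article or from any Operation Blockbuster participant. The timestamp set it analyses is constructed for illustration (thirty fake values generated to cluster in a UTC+9 working week); the working-day window (09:00 to 17:59, Monday to Friday) is an assumption, and the generalisation to scoring all whole-hour offsets goes beyond what the article states.

```python
import datetime as dt
from collections import Counter

WORK_START, WORK_END = 9, 18   # assumed working day: 09:00 to 17:59 local time


def constructed_timestamps():
    """Constructed PE TimeDateStamp values (Unix epoch seconds) for a toy sample set.

    These are NOT real Lazarus Group data: they were generated so that, read in
    UTC+9, all but one fall on a weekday inside the working day defined above.
    """
    tz = dt.timezone(dt.timedelta(hours=9))
    monday = dt.datetime(2016, 2, 1, tzinfo=tz)           # 1 Feb 2016 is a Monday
    local_hours = [9, 10, 10, 11, 11, 11, 13, 14, 14, 15, 15, 16, 16, 17, 9,
                   10, 11, 13, 14, 15, 16, 17, 10, 11, 14, 15, 13, 9, 16, 22]
    stamps = []
    for i, hour in enumerate(local_hours):
        # spread samples over Mon..Fri of successive weeks, never a weekend
        day = monday + dt.timedelta(days=(i % 5) + 7 * (i // 5))
        stamps.append(int(day.replace(hour=hour, minute=30).timestamp()))
    return stamps


def local_times(stamps, offset_hours):
    """Interpret each epoch timestamp as a wall-clock time in UTC+offset_hours."""
    tz = dt.timezone(dt.timedelta(hours=offset_hours))
    return [dt.datetime.fromtimestamp(s, tz) for s in stamps]


def working_hours_score(stamps, offset_hours):
    """Fraction of samples compiled on a weekday inside [WORK_START, WORK_END)
    when the timestamps are read in the given UTC offset."""
    hits = sum(1 for t in local_times(stamps, offset_hours)
               if t.weekday() < 5 and WORK_START <= t.hour < WORK_END)
    return hits / len(stamps)


def rank_offsets(stamps):
    """Score every whole-hour UTC offset and return (offset, score) best first."""
    scores = [(off, working_hours_score(stamps, off)) for off in range(-12, 15)]
    return sorted(scores, key=lambda p: (-p[1], p[0]))


def hour_histogram(stamps, offset_hours):
    """Compile-hour histogram in the chosen zone, for eyeballing the work pattern."""
    return Counter(t.hour for t in local_times(stamps, offset_hours))


if __name__ == "__main__":
    stamps = constructed_timestamps()
    for off, score in rank_offsets(stamps)[:3]:
        print(f"UTC{off:+d}: {score:.1%} of samples compiled in weekday working hours")
    print(sorted(hour_histogram(stamps, rank_offsets(stamps)[0][0]).items()))
```

On real samples the timestamps would come from the PE file header (for example `pefile.PE(path).FILE_HEADER.TimeDateStamp`) rather than from the constructed list. Two caveats matter in practice: neighbouring offsets score almost as well as the winner (here UTC+8 and UTC+10 are within a few points of UTC+9), which is why the article reports a band rather than a single zone; and the TimeDateStamp field is written by the linker and is trivially zeroed or forged, so compile-time clustering is supporting evidence for attribution, never proof on its own.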
“As we predicted, the number of wiper attacks grows steadily. This kind of malware proves to be a highly effective type of cyber-weapon,” said Kaspersky Lab senior security researcher Juan Guerrero.
Wiper malware overwrites or deletes data on a machine’s hard drives and can also destroy the master boot record, leaving the computer unable to boot.
“The power to wipe thousands of computers at the push of a button represents a significant bounty to a Computer Network Exploitation team tasked with disinformation and the disruption of a target enterprise,” said Guerrero.
“Its value as part of hybrid warfare, where wiper attacks are coupled with kinetic attacks to paralyse a country’s infrastructure, remains an interesting thought experiment closer to reality than we can be comfortable with,” he added.
To learn more about Novetta’s findings on the Lazarus Group, visit www.OperationBlockbuster.com.