Threat Intelligence

2/24/2016
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Sony Hackers Behind Previous Cyberattacks Tied To North Korea

'Lazarus Group' cyber espionage group has been operating in major attack campaigns since at least 2009, according to new investigation, bolstering the FBI conclusion that North Korea was behind the epic Sony breach.

Turns out the massive Sony breach was just one in a series of aggressive cyber-espionage and cyber-sabotage attacks in the past decade mainly against South Korea and the US by hackers thought to be out of North Korea.

A rare team investigation effort by researchers from multiple security vendors has traced the 2014 cyberattack on Sony Pictures Entertainment that wiped data and doxed its executives and sensitive company information, to earlier aggressive attacks on military, government, media, and other commercial interests mainly against South Korea and the US, but also Taiwan, Japan, and China. The researchers have dubbed the hackers the Lazarus Group.

Led by Novetta and including Kaspersky Lab, AlienVault, Symantec, Invincea, ThreatConnect, Volexity, and PunchCyber, the so-called Operation Blockbuster investigation into the hacking group that hit Sony discovered a whopping 47 different malware families after researchers pieced together links between code and malware used by the attackers.

They were able to match the malware and MO of the Sony attack to the so-called Operation Troy in 2009, when a cyber espionage campaign under the cover of a hacktivist DDoS and data-wiping attack on South Korean banks, media outlets, and other entities, was discovered also quietly pilfering South Korean and US military secrets. They also connected the dots to Operation DarkSeoul, which targeted banks and media in South Korea in 2013, as well as other attacks mainly targeting South Korean interests. South Korea government officials later called out North Korea as the culprit of the hacks.

“They [the Sony attackers] had been active a lot longer” than thought, says Peter LaMontagne, CEO of Novetta. “The scale of operation is broader than anyone expected.”

Subsequent attack campaigns, like the one against Sony, had some sort of hacktivist moniker while meanwhile doing some heavy digital damage inside the victim’s network. “They all have the same behavior patterns and hard links in the code,” says Andre Ludwig, senior technical director of Novetta’s threat research and interdiction group. ”This is definitely not an isolated group ... There is tremendous scale and scope as far as tooling is concerned.”

Operation Blockbuster researchers all stopped short of confirming North Korea as behind the Sony attack, but say their findings indeed sync with the FBI’s conclusion. “Our findings would support the FBI claim. We cannot make that definitive statement” that it’s North Korea, Ludwig says. But “there’s definitely an Asia-Pacific nexus.”

Lazarus Group’s malware was mostly compiled during the working hours of the GMT +8 and GMT +9 time zones, according to Kaspersky Lab. That’s another sign pointing to a North Korea connection.

Word that the Sony attackers were still active and hacking away came to light earlier this month at the Kaspersky Analyst Summit in Tenerife, Spain, where Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab, and Jaime Blasco, vice president and chief scientist at AlienVault, detailed new activity they had witnessed by the Sony hackers.

A malware sample targeting Samsung in South Korea was found to be related to malware used by the Lazarus Group, Kaspersky’s Guerrero-Saade told Dark Reading in an interview. “It was a variant of the ‘Hangman’ malware that we remotely connect to ‘Destover,’” the malware used by the Lazarus Group to wipe data from Sony's disk drives.

“It’s been an archeological dig,” he says.

Smashing Windows

The combination of the hacktivist messages, DDoS attacks, data destruction and dumping, and stealing sensitive information, for the most part has been a calling card of North Korea’s cyber espionage operations, which most security experts believe are backed by Kim Jong-un’s government.

And Lazarus Group operates very differently from most cyber espionage gangs. “It’s rare that a group tags the building, breaks the plate-glass window, and starts stealing the jewels,” LaMontagne says.

It’s unclear how many groups or subgroups operate under the Lazarus Group umbrella. “Is it five guys in an apartment or 10 crews? I’m not sure we have an understanding of that part. We definitely have a sense that there is a diversity of group and different skills,” Kaspersky’s Guerrero-Saade says. “There is some developing prowess here. It’s not a point-and-click toolkit. There are developers involved and different levels of opsec, depending on some of the campaigns.”

[The epic and ugly cyberattack on Sony in 2014 may now be one for the history books, but the attackers behind it remain active and prolific. Read Sony Hackers Still Active, ‘Darkhotel’ Checks Out Of Hotel Hacking.]

Novetta first began exploring the Sony malware in late 2014, and at first found that tools and methods used in the attack were used by a well-resourced and established hacking entity that appeared to pose as a hacktivist group. The security firm later began teaming up with and sharing its findings with security researchers from other firms, thus building a more comprehensive profile of the Lazarus Group.

In the end, it was the attackers’ code reuse, as well as a shared password, that exposed them to the researchers. The Lazarus Group initially developed the first generation of malware used in Operation Flame in March of 2007, an attack campaign later tied to Operation1Mission, Operation Troy, and DarkSeoul.

AlienVault’s Blasco, who ID’ed multiple droppers and families of malware using the same password that helped connect the dots to the Lazarus Group, says he was most surprised by the volume of tools and malware used by the attackers. “It’s a lot,” he says.  

The Operation Blockbuster report includes technical details on Lazarus Group's malware, tactics, techniques, as well as hashes and YARA rules.

 

Interop 2016 Las VegasFind out more about security threat intelligence at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:34:16 AM
No reliable trace
This is actually raises another problems, somebody hacks and quite well-known company and we are not able to trace it back to where the attack came from. Why would NSA continue to keep all these data then, obviously that does not help in this critical incident.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:27:57 AM
Re: but Russia?
" ... Obama caused Sony ..."

Exactly. This happened during net neutrality conversation, it was about distracting the public. :--)))
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:26:00 AM
Re: but Russia?
"...So conspiracy theorists will continue to wonder ..."

I would agree with that, until specific proofs this would never end and we will continue to hear contracting research results.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:24:23 AM
Re: but Russia?
"Whatever happened to the claims that the Sony hackers were actually Russians ..."

Russia would most likely be part of it under any circumstances, one of these technologically advanced countries would be providing the required skills I would say.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:21:33 AM
Asia-Pacific
Obviously we still have not certainty on this subject, Asia-Pacific does not mean North Korea, it may as well be China when you think what country would have the skill to execute that type of attacks.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/26/2016 | 2:44:40 AM
Re: but Russia?
Uh-oh.  Is it only a matter of time before we hear chants of "Obama caused Sony"???
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
2/25/2016 | 8:25:24 AM
Re: but Russia?
That's one of many theories that now have been debunked by this new research.

Although--as members of Operation Blockbuster all say, attribution isn't always 100%. So conspiracy theorists will continue to wonder.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/24/2016 | 11:07:20 PM
but Russia?
Whatever happened to the claims that the Sony hackers were actually Russians who were trying to make it look like the Sony attacks originated from N. Korea?  Was that just hooey, then?
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
The Morris Worm Turns 30
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/9/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12174
PUBLISHED: 2018-11-14
Heap overflow in Intel Trace Analyzer 2018 in Intel Parallel Studio XE 2018 Update 3 may allow an authenticated user to potentially escalate privileges via local access.
CVE-2018-3621
PUBLISHED: 2018-11-14
Insufficient input validation in the Intel Driver & Support Assistant before 3.6.0.4 may allow an unauthenticated user to potentially enable information disclosure via adjacent access.
CVE-2018-3635
PUBLISHED: 2018-11-14
Insufficient input validation in installer in Intel Rapid Store Technology (RST) before version 16.7 may allow an unprivileged user to potentially elevate privileges or cause an installer denial of service via local access.
CVE-2018-3696
PUBLISHED: 2018-11-14
Authentication bypass in the Intel RAID Web Console 3 for Windows before 4.186 may allow an unprivileged user to potentially gain administrative privileges via local access.
CVE-2018-3697
PUBLISHED: 2018-11-14
Improper directory permissions in the installer for the Intel Media Server Studio may allow unprivileged users to potentially enable an escalation of privilege via local access.