Threat Intelligence
2/24/2016
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Sony Hackers Behind Previous Cyberattacks Tied To North Korea

'Lazarus Group' cyber espionage group has been operating in major attack campaigns since at least 2009, according to new investigation, bolstering the FBI conclusion that North Korea was behind the epic Sony breach.

Turns out the massive Sony breach was just one in a series of aggressive cyber-espionage and cyber-sabotage attacks in the past decade mainly against South Korea and the US by hackers thought to be out of North Korea.

A rare team investigation effort by researchers from multiple security vendors has traced the 2014 cyberattack on Sony Pictures Entertainment that wiped data and doxed its executives and sensitive company information, to earlier aggressive attacks on military, government, media, and other commercial interests mainly against South Korea and the US, but also Taiwan, Japan, and China. The researchers have dubbed the hackers the Lazarus Group.

Led by Novetta and including Kaspersky Lab, AlienVault, Symantec, Invincea, ThreatConnect, Volexity, and PunchCyber, the so-called Operation Blockbuster investigation into the hacking group that hit Sony discovered a whopping 47 different malware families after researchers pieced together links between code and malware used by the attackers.

They were able to match the malware and MO of the Sony attack to the so-called Operation Troy in 2009, when a cyber espionage campaign under the cover of a hacktivist DDoS and data-wiping attack on South Korean banks, media outlets, and other entities, was discovered also quietly pilfering South Korean and US military secrets. They also connected the dots to Operation DarkSeoul, which targeted banks and media in South Korea in 2013, as well as other attacks mainly targeting South Korean interests. South Korea government officials later called out North Korea as the culprit of the hacks.

“They [the Sony attackers] had been active a lot longer” than thought, says Peter LaMontagne, CEO of Novetta. “The scale of operation is broader than anyone expected.”

Subsequent attack campaigns, like the one against Sony, had some sort of hacktivist moniker while meanwhile doing some heavy digital damage inside the victim’s network. “They all have the same behavior patterns and hard links in the code,” says Andre Ludwig, senior technical director of Novetta’s threat research and interdiction group. ”This is definitely not an isolated group ... There is tremendous scale and scope as far as tooling is concerned.”

Operation Blockbuster researchers all stopped short of confirming North Korea as behind the Sony attack, but say their findings indeed sync with the FBI’s conclusion. “Our findings would support the FBI claim. We cannot make that definitive statement” that it’s North Korea, Ludwig says. But “there’s definitely an Asia-Pacific nexus.”

Lazarus Group’s malware was mostly compiled during the working hours of the GMT +8 and GMT +9 time zones, according to Kaspersky Lab. That’s another sign pointing to a North Korea connection.

Word that the Sony attackers were still active and hacking away came to light earlier this month at the Kaspersky Analyst Summit in Tenerife, Spain, where Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab, and Jaime Blasco, vice president and chief scientist at AlienVault, detailed new activity they had witnessed by the Sony hackers.

A malware sample targeting Samsung in South Korea was found to be related to malware used by the Lazarus Group, Kaspersky’s Guerrero-Saade told Dark Reading in an interview. “It was a variant of the ‘Hangman’ malware that we remotely connect to ‘Destover,’” the malware used by the Lazarus Group to wipe data from Sony's disk drives.

“It’s been an archeological dig,” he says.

Smashing Windows

The combination of the hacktivist messages, DDoS attacks, data destruction and dumping, and stealing sensitive information, for the most part has been a calling card of North Korea’s cyber espionage operations, which most security experts believe are backed by Kim Jong-un’s government.

And Lazarus Group operates very differently from most cyber espionage gangs. “It’s rare that a group tags the building, breaks the plate-glass window, and starts stealing the jewels,” LaMontagne says.

It’s unclear how many groups or subgroups operate under the Lazarus Group umbrella. “Is it five guys in an apartment or 10 crews? I’m not sure we have an understanding of that part. We definitely have a sense that there is a diversity of group and different skills,” Kaspersky’s Guerrero-Saade says. “There is some developing prowess here. It’s not a point-and-click toolkit. There are developers involved and different levels of opsec, depending on some of the campaigns.”

[The epic and ugly cyberattack on Sony in 2014 may now be one for the history books, but the attackers behind it remain active and prolific. Read Sony Hackers Still Active, ‘Darkhotel’ Checks Out Of Hotel Hacking.]

Novetta first began exploring the Sony malware in late 2014, and at first found that tools and methods used in the attack were used by a well-resourced and established hacking entity that appeared to pose as a hacktivist group. The security firm later began teaming up with and sharing its findings with security researchers from other firms, thus building a more comprehensive profile of the Lazarus Group.

In the end, it was the attackers’ code reuse, as well as a shared password, that exposed them to the researchers. The Lazarus Group initially developed the first generation of malware used in Operation Flame in March of 2007, an attack campaign later tied to Operation1Mission, Operation Troy, and DarkSeoul.

AlienVault’s Blasco, who ID’ed multiple droppers and families of malware using the same password that helped connect the dots to the Lazarus Group, says he was most surprised by the volume of tools and malware used by the attackers. “It’s a lot,” he says.  

The Operation Blockbuster report includes technical details on Lazarus Group's malware, tactics, techniques, as well as hashes and YARA rules.

 

Interop 2016 Las VegasFind out more about security threat intelligence at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:34:16 AM
No reliable trace
This is actually raises another problems, somebody hacks and quite well-known company and we are not able to trace it back to where the attack came from. Why would NSA continue to keep all these data then, obviously that does not help in this critical incident.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:27:57 AM
Re: but Russia?
" ... Obama caused Sony ..."

Exactly. This happened during net neutrality conversation, it was about distracting the public. :--)))
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:26:00 AM
Re: but Russia?
"...So conspiracy theorists will continue to wonder ..."

I would agree with that, until specific proofs this would never end and we will continue to hear contracting research results.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:24:23 AM
Re: but Russia?
"Whatever happened to the claims that the Sony hackers were actually Russians ..."

Russia would most likely be part of it under any circumstances, one of these technologically advanced countries would be providing the required skills I would say.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:21:33 AM
Asia-Pacific
Obviously we still have not certainty on this subject, Asia-Pacific does not mean North Korea, it may as well be China when you think what country would have the skill to execute that type of attacks.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/26/2016 | 2:44:40 AM
Re: but Russia?
Uh-oh.  Is it only a matter of time before we hear chants of "Obama caused Sony"???
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
2/25/2016 | 8:25:24 AM
Re: but Russia?
That's one of many theories that now have been debunked by this new research.

Although--as members of Operation Blockbuster all say, attribution isn't always 100%. So conspiracy theorists will continue to wonder.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/24/2016 | 11:07:20 PM
but Russia?
Whatever happened to the claims that the Sony hackers were actually Russians who were trying to make it look like the Sony attacks originated from N. Korea?  Was that just hooey, then?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.