Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/24/2016
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Sony Hackers Behind Previous Cyberattacks Tied To North Korea

'Lazarus Group' cyber espionage group has been operating in major attack campaigns since at least 2009, according to new investigation, bolstering the FBI conclusion that North Korea was behind the epic Sony breach.

Turns out the massive Sony breach was just one in a series of aggressive cyber-espionage and cyber-sabotage attacks in the past decade mainly against South Korea and the US by hackers thought to be out of North Korea.

A rare team investigation effort by researchers from multiple security vendors has traced the 2014 cyberattack on Sony Pictures Entertainment that wiped data and doxed its executives and sensitive company information, to earlier aggressive attacks on military, government, media, and other commercial interests mainly against South Korea and the US, but also Taiwan, Japan, and China. The researchers have dubbed the hackers the Lazarus Group.

Led by Novetta and including Kaspersky Lab, AlienVault, Symantec, Invincea, ThreatConnect, Volexity, and PunchCyber, the so-called Operation Blockbuster investigation into the hacking group that hit Sony discovered a whopping 47 different malware families after researchers pieced together links between code and malware used by the attackers.

They were able to match the malware and MO of the Sony attack to the so-called Operation Troy in 2009, when a cyber espionage campaign under the cover of a hacktivist DDoS and data-wiping attack on South Korean banks, media outlets, and other entities, was discovered also quietly pilfering South Korean and US military secrets. They also connected the dots to Operation DarkSeoul, which targeted banks and media in South Korea in 2013, as well as other attacks mainly targeting South Korean interests. South Korea government officials later called out North Korea as the culprit of the hacks.

“They [the Sony attackers] had been active a lot longer” than thought, says Peter LaMontagne, CEO of Novetta. “The scale of operation is broader than anyone expected.”

Subsequent attack campaigns, like the one against Sony, had some sort of hacktivist moniker while meanwhile doing some heavy digital damage inside the victim’s network. “They all have the same behavior patterns and hard links in the code,” says Andre Ludwig, senior technical director of Novetta’s threat research and interdiction group. ”This is definitely not an isolated group ... There is tremendous scale and scope as far as tooling is concerned.”

Operation Blockbuster researchers all stopped short of confirming North Korea as behind the Sony attack, but say their findings indeed sync with the FBI’s conclusion. “Our findings would support the FBI claim. We cannot make that definitive statement” that it’s North Korea, Ludwig says. But “there’s definitely an Asia-Pacific nexus.”

Lazarus Group’s malware was mostly compiled during the working hours of the GMT +8 and GMT +9 time zones, according to Kaspersky Lab. That’s another sign pointing to a North Korea connection.

Word that the Sony attackers were still active and hacking away came to light earlier this month at the Kaspersky Analyst Summit in Tenerife, Spain, where Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab, and Jaime Blasco, vice president and chief scientist at AlienVault, detailed new activity they had witnessed by the Sony hackers.

A malware sample targeting Samsung in South Korea was found to be related to malware used by the Lazarus Group, Kaspersky’s Guerrero-Saade told Dark Reading in an interview. “It was a variant of the ‘Hangman’ malware that we remotely connect to ‘Destover,’” the malware used by the Lazarus Group to wipe data from Sony's disk drives.

“It’s been an archeological dig,” he says.

Smashing Windows

The combination of the hacktivist messages, DDoS attacks, data destruction and dumping, and stealing sensitive information, for the most part has been a calling card of North Korea’s cyber espionage operations, which most security experts believe are backed by Kim Jong-un’s government.

And Lazarus Group operates very differently from most cyber espionage gangs. “It’s rare that a group tags the building, breaks the plate-glass window, and starts stealing the jewels,” LaMontagne says.

It’s unclear how many groups or subgroups operate under the Lazarus Group umbrella. “Is it five guys in an apartment or 10 crews? I’m not sure we have an understanding of that part. We definitely have a sense that there is a diversity of group and different skills,” Kaspersky’s Guerrero-Saade says. “There is some developing prowess here. It’s not a point-and-click toolkit. There are developers involved and different levels of opsec, depending on some of the campaigns.”

[The epic and ugly cyberattack on Sony in 2014 may now be one for the history books, but the attackers behind it remain active and prolific. Read Sony Hackers Still Active, ‘Darkhotel’ Checks Out Of Hotel Hacking.]

Novetta first began exploring the Sony malware in late 2014, and at first found that tools and methods used in the attack were used by a well-resourced and established hacking entity that appeared to pose as a hacktivist group. The security firm later began teaming up with and sharing its findings with security researchers from other firms, thus building a more comprehensive profile of the Lazarus Group.

In the end, it was the attackers’ code reuse, as well as a shared password, that exposed them to the researchers. The Lazarus Group initially developed the first generation of malware used in Operation Flame in March of 2007, an attack campaign later tied to Operation1Mission, Operation Troy, and DarkSeoul.

AlienVault’s Blasco, who ID’ed multiple droppers and families of malware using the same password that helped connect the dots to the Lazarus Group, says he was most surprised by the volume of tools and malware used by the attackers. “It’s a lot,” he says.  

The Operation Blockbuster report includes technical details on Lazarus Group's malware, tactics, techniques, as well as hashes and YARA rules.

 

Interop 2016 Las VegasFind out more about security threat intelligence at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:34:16 AM
No reliable trace
This is actually raises another problems, somebody hacks and quite well-known company and we are not able to trace it back to where the attack came from. Why would NSA continue to keep all these data then, obviously that does not help in this critical incident.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:27:57 AM
Re: but Russia?
" ... Obama caused Sony ..."

Exactly. This happened during net neutrality conversation, it was about distracting the public. :--)))
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:26:00 AM
Re: but Russia?
"...So conspiracy theorists will continue to wonder ..."

I would agree with that, until specific proofs this would never end and we will continue to hear contracting research results.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:24:23 AM
Re: but Russia?
"Whatever happened to the claims that the Sony hackers were actually Russians ..."

Russia would most likely be part of it under any circumstances, one of these technologically advanced countries would be providing the required skills I would say.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:21:33 AM
Asia-Pacific
Obviously we still have not certainty on this subject, Asia-Pacific does not mean North Korea, it may as well be China when you think what country would have the skill to execute that type of attacks.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/26/2016 | 2:44:40 AM
Re: but Russia?
Uh-oh.  Is it only a matter of time before we hear chants of "Obama caused Sony"???
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
2/25/2016 | 8:25:24 AM
Re: but Russia?
That's one of many theories that now have been debunked by this new research.

Although--as members of Operation Blockbuster all say, attribution isn't always 100%. So conspiracy theorists will continue to wonder.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/24/2016 | 11:07:20 PM
but Russia?
Whatever happened to the claims that the Sony hackers were actually Russians who were trying to make it look like the Sony attacks originated from N. Korea?  Was that just hooey, then?
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.
CVE-2019-19011
PUBLISHED: 2019-11-17
MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexToTrueColor in ngiflib.c via a file that lacks a palette.
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.