Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/24/2016
08:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Sony Hackers Behind Previous Cyberattacks Tied To North Korea

'Lazarus Group' cyber espionage group has been operating in major attack campaigns since at least 2009, according to new investigation, bolstering the FBI conclusion that North Korea was behind the epic Sony breach.

Turns out the massive Sony breach was just one in a series of aggressive cyber-espionage and cyber-sabotage attacks in the past decade mainly against South Korea and the US by hackers thought to be out of North Korea.

A rare team investigation effort by researchers from multiple security vendors has traced the 2014 cyberattack on Sony Pictures Entertainment that wiped data and doxed its executives and sensitive company information, to earlier aggressive attacks on military, government, media, and other commercial interests mainly against South Korea and the US, but also Taiwan, Japan, and China. The researchers have dubbed the hackers the Lazarus Group.

Led by Novetta and including Kaspersky Lab, AlienVault, Symantec, Invincea, ThreatConnect, Volexity, and PunchCyber, the so-called Operation Blockbuster investigation into the hacking group that hit Sony discovered a whopping 47 different malware families after researchers pieced together links between code and malware used by the attackers.

They were able to match the malware and MO of the Sony attack to the so-called Operation Troy in 2009, when a cyber espionage campaign under the cover of a hacktivist DDoS and data-wiping attack on South Korean banks, media outlets, and other entities, was discovered also quietly pilfering South Korean and US military secrets. They also connected the dots to Operation DarkSeoul, which targeted banks and media in South Korea in 2013, as well as other attacks mainly targeting South Korean interests. South Korea government officials later called out North Korea as the culprit of the hacks.

“They [the Sony attackers] had been active a lot longer” than thought, says Peter LaMontagne, CEO of Novetta. “The scale of operation is broader than anyone expected.”

Subsequent attack campaigns, like the one against Sony, had some sort of hacktivist moniker while meanwhile doing some heavy digital damage inside the victim’s network. “They all have the same behavior patterns and hard links in the code,” says Andre Ludwig, senior technical director of Novetta’s threat research and interdiction group. ”This is definitely not an isolated group ... There is tremendous scale and scope as far as tooling is concerned.”

Operation Blockbuster researchers all stopped short of confirming North Korea as behind the Sony attack, but say their findings indeed sync with the FBI’s conclusion. “Our findings would support the FBI claim. We cannot make that definitive statement” that it’s North Korea, Ludwig says. But “there’s definitely an Asia-Pacific nexus.”

Lazarus Group’s malware was mostly compiled during the working hours of the GMT +8 and GMT +9 time zones, according to Kaspersky Lab. That’s another sign pointing to a North Korea connection.

Word that the Sony attackers were still active and hacking away came to light earlier this month at the Kaspersky Analyst Summit in Tenerife, Spain, where Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab, and Jaime Blasco, vice president and chief scientist at AlienVault, detailed new activity they had witnessed by the Sony hackers.

A malware sample targeting Samsung in South Korea was found to be related to malware used by the Lazarus Group, Kaspersky’s Guerrero-Saade told Dark Reading in an interview. “It was a variant of the ‘Hangman’ malware that we remotely connect to ‘Destover,’” the malware used by the Lazarus Group to wipe data from Sony's disk drives.

“It’s been an archeological dig,” he says.

Smashing Windows

The combination of the hacktivist messages, DDoS attacks, data destruction and dumping, and stealing sensitive information, for the most part has been a calling card of North Korea’s cyber espionage operations, which most security experts believe are backed by Kim Jong-un’s government.

And Lazarus Group operates very differently from most cyber espionage gangs. “It’s rare that a group tags the building, breaks the plate-glass window, and starts stealing the jewels,” LaMontagne says.

It’s unclear how many groups or subgroups operate under the Lazarus Group umbrella. “Is it five guys in an apartment or 10 crews? I’m not sure we have an understanding of that part. We definitely have a sense that there is a diversity of group and different skills,” Kaspersky’s Guerrero-Saade says. “There is some developing prowess here. It’s not a point-and-click toolkit. There are developers involved and different levels of opsec, depending on some of the campaigns.”

[The epic and ugly cyberattack on Sony in 2014 may now be one for the history books, but the attackers behind it remain active and prolific. Read Sony Hackers Still Active, ‘Darkhotel’ Checks Out Of Hotel Hacking.]

Novetta first began exploring the Sony malware in late 2014, and at first found that tools and methods used in the attack were used by a well-resourced and established hacking entity that appeared to pose as a hacktivist group. The security firm later began teaming up with and sharing its findings with security researchers from other firms, thus building a more comprehensive profile of the Lazarus Group.

In the end, it was the attackers’ code reuse, as well as a shared password, that exposed them to the researchers. The Lazarus Group initially developed the first generation of malware used in Operation Flame in March of 2007, an attack campaign later tied to Operation1Mission, Operation Troy, and DarkSeoul.

AlienVault’s Blasco, who ID’ed multiple droppers and families of malware using the same password that helped connect the dots to the Lazarus Group, says he was most surprised by the volume of tools and malware used by the attackers. “It’s a lot,” he says.  

The Operation Blockbuster report includes technical details on Lazarus Group's malware, tactics, techniques, as well as hashes and YARA rules.

 

Interop 2016 Las VegasFind out more about security threat intelligence at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/24/2016 | 11:07:20 PM
but Russia?
Whatever happened to the claims that the Sony hackers were actually Russians who were trying to make it look like the Sony attacks originated from N. Korea?  Was that just hooey, then?
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
2/25/2016 | 8:25:24 AM
Re: but Russia?
That's one of many theories that now have been debunked by this new research.

Although--as members of Operation Blockbuster all say, attribution isn't always 100%. So conspiracy theorists will continue to wonder.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/26/2016 | 2:44:40 AM
Re: but Russia?
Uh-oh.  Is it only a matter of time before we hear chants of "Obama caused Sony"???
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:21:33 AM
Asia-Pacific
Obviously we still have not certainty on this subject, Asia-Pacific does not mean North Korea, it may as well be China when you think what country would have the skill to execute that type of attacks.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:24:23 AM
Re: but Russia?
"Whatever happened to the claims that the Sony hackers were actually Russians ..."

Russia would most likely be part of it under any circumstances, one of these technologically advanced countries would be providing the required skills I would say.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:26:00 AM
Re: but Russia?
"...So conspiracy theorists will continue to wonder ..."

I would agree with that, until specific proofs this would never end and we will continue to hear contracting research results.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:27:57 AM
Re: but Russia?
" ... Obama caused Sony ..."

Exactly. This happened during net neutrality conversation, it was about distracting the public. :--)))
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:34:16 AM
No reliable trace
This is actually raises another problems, somebody hacks and quite well-known company and we are not able to trace it back to where the attack came from. Why would NSA continue to keep all these data then, obviously that does not help in this critical incident.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30477
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to.
CVE-2021-30478
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the sa...
CVE-2021-30479
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.
CVE-2021-30487
PUBLISHED: 2021-04-15
In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.
CVE-2020-36288
PUBLISHED: 2021-04-15
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused ...