Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/24/2016
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Sony Hackers Behind Previous Cyberattacks Tied To North Korea

'Lazarus Group' cyber espionage group has been operating in major attack campaigns since at least 2009, according to new investigation, bolstering the FBI conclusion that North Korea was behind the epic Sony breach.

Turns out the massive Sony breach was just one in a series of aggressive cyber-espionage and cyber-sabotage attacks in the past decade mainly against South Korea and the US by hackers thought to be out of North Korea.

A rare team investigation effort by researchers from multiple security vendors has traced the 2014 cyberattack on Sony Pictures Entertainment that wiped data and doxed its executives and sensitive company information, to earlier aggressive attacks on military, government, media, and other commercial interests mainly against South Korea and the US, but also Taiwan, Japan, and China. The researchers have dubbed the hackers the Lazarus Group.

Led by Novetta and including Kaspersky Lab, AlienVault, Symantec, Invincea, ThreatConnect, Volexity, and PunchCyber, the so-called Operation Blockbuster investigation into the hacking group that hit Sony discovered a whopping 47 different malware families after researchers pieced together links between code and malware used by the attackers.

They were able to match the malware and MO of the Sony attack to the so-called Operation Troy in 2009, when a cyber espionage campaign under the cover of a hacktivist DDoS and data-wiping attack on South Korean banks, media outlets, and other entities, was discovered also quietly pilfering South Korean and US military secrets. They also connected the dots to Operation DarkSeoul, which targeted banks and media in South Korea in 2013, as well as other attacks mainly targeting South Korean interests. South Korea government officials later called out North Korea as the culprit of the hacks.

“They [the Sony attackers] had been active a lot longer” than thought, says Peter LaMontagne, CEO of Novetta. “The scale of operation is broader than anyone expected.”

Subsequent attack campaigns, like the one against Sony, had some sort of hacktivist moniker while meanwhile doing some heavy digital damage inside the victim’s network. “They all have the same behavior patterns and hard links in the code,” says Andre Ludwig, senior technical director of Novetta’s threat research and interdiction group. ”This is definitely not an isolated group ... There is tremendous scale and scope as far as tooling is concerned.”

Operation Blockbuster researchers all stopped short of confirming North Korea as behind the Sony attack, but say their findings indeed sync with the FBI’s conclusion. “Our findings would support the FBI claim. We cannot make that definitive statement” that it’s North Korea, Ludwig says. But “there’s definitely an Asia-Pacific nexus.”

Lazarus Group’s malware was mostly compiled during the working hours of the GMT +8 and GMT +9 time zones, according to Kaspersky Lab. That’s another sign pointing to a North Korea connection.

Word that the Sony attackers were still active and hacking away came to light earlier this month at the Kaspersky Analyst Summit in Tenerife, Spain, where Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab, and Jaime Blasco, vice president and chief scientist at AlienVault, detailed new activity they had witnessed by the Sony hackers.

A malware sample targeting Samsung in South Korea was found to be related to malware used by the Lazarus Group, Kaspersky’s Guerrero-Saade told Dark Reading in an interview. “It was a variant of the ‘Hangman’ malware that we remotely connect to ‘Destover,’” the malware used by the Lazarus Group to wipe data from Sony's disk drives.

“It’s been an archeological dig,” he says.

Smashing Windows

The combination of the hacktivist messages, DDoS attacks, data destruction and dumping, and stealing sensitive information, for the most part has been a calling card of North Korea’s cyber espionage operations, which most security experts believe are backed by Kim Jong-un’s government.

And Lazarus Group operates very differently from most cyber espionage gangs. “It’s rare that a group tags the building, breaks the plate-glass window, and starts stealing the jewels,” LaMontagne says.

It’s unclear how many groups or subgroups operate under the Lazarus Group umbrella. “Is it five guys in an apartment or 10 crews? I’m not sure we have an understanding of that part. We definitely have a sense that there is a diversity of group and different skills,” Kaspersky’s Guerrero-Saade says. “There is some developing prowess here. It’s not a point-and-click toolkit. There are developers involved and different levels of opsec, depending on some of the campaigns.”

[The epic and ugly cyberattack on Sony in 2014 may now be one for the history books, but the attackers behind it remain active and prolific. Read Sony Hackers Still Active, ‘Darkhotel’ Checks Out Of Hotel Hacking.]

Novetta first began exploring the Sony malware in late 2014, and at first found that tools and methods used in the attack were used by a well-resourced and established hacking entity that appeared to pose as a hacktivist group. The security firm later began teaming up with and sharing its findings with security researchers from other firms, thus building a more comprehensive profile of the Lazarus Group.

In the end, it was the attackers’ code reuse, as well as a shared password, that exposed them to the researchers. The Lazarus Group initially developed the first generation of malware used in Operation Flame in March of 2007, an attack campaign later tied to Operation1Mission, Operation Troy, and DarkSeoul.

AlienVault’s Blasco, who ID’ed multiple droppers and families of malware using the same password that helped connect the dots to the Lazarus Group, says he was most surprised by the volume of tools and malware used by the attackers. “It’s a lot,” he says.  

The Operation Blockbuster report includes technical details on Lazarus Group's malware, tactics, techniques, as well as hashes and YARA rules.

 

Interop 2016 Las VegasFind out more about security threat intelligence at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/24/2016 | 11:07:20 PM
but Russia?
Whatever happened to the claims that the Sony hackers were actually Russians who were trying to make it look like the Sony attacks originated from N. Korea?  Was that just hooey, then?
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
2/25/2016 | 8:25:24 AM
Re: but Russia?
That's one of many theories that now have been debunked by this new research.

Although--as members of Operation Blockbuster all say, attribution isn't always 100%. So conspiracy theorists will continue to wonder.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/26/2016 | 2:44:40 AM
Re: but Russia?
Uh-oh.  Is it only a matter of time before we hear chants of "Obama caused Sony"???
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:27:57 AM
Re: but Russia?
" ... Obama caused Sony ..."

Exactly. This happened during net neutrality conversation, it was about distracting the public. :--)))
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:26:00 AM
Re: but Russia?
"...So conspiracy theorists will continue to wonder ..."

I would agree with that, until specific proofs this would never end and we will continue to hear contracting research results.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:24:23 AM
Re: but Russia?
"Whatever happened to the claims that the Sony hackers were actually Russians ..."

Russia would most likely be part of it under any circumstances, one of these technologically advanced countries would be providing the required skills I would say.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:21:33 AM
Asia-Pacific
Obviously we still have not certainty on this subject, Asia-Pacific does not mean North Korea, it may as well be China when you think what country would have the skill to execute that type of attacks.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2016 | 11:34:16 AM
No reliable trace
This is actually raises another problems, somebody hacks and quite well-known company and we are not able to trace it back to where the attack came from. Why would NSA continue to keep all these data then, obviously that does not help in this critical incident.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...