After the destructive attack on the film studio Sony Pictures Entertainment in 2014, Kaspersky Lab’s Global Research and Analysis Team began investigating samples of the Destover malware publicly reported as used in the attack. The investigation led to wider research into a cluster of related cyber-espionage and cyber-sabotage campaigns targeting, among others, financial institutions, media stations and manufacturing companies.
The security researchers were able to group together dozens of seemingly isolated attacks and determined that they all belong to one threat actor, as other participants in Operation Blockbuster confirmed in their own analysis.
The so-called “Lazarus Group”, which had been active for several years before the SPE incident, remains active today. The research by Kaspersky Lab and the other Operation Blockbuster partners establishes the connection between the malware used in different campaigns, such as Operation DarkSeoul against Seoul-based banks and broadcasters, Operation Troy targeting military forces in South Korea, and the Sony Pictures incident.
During the research, Kaspersky Lab exchanged preliminary findings with AlienVault Labs, and the researchers from the two companies joined forces in a joint investigation. At the same time, the activity of the Lazarus Group was being investigated by other companies and security experts.
Among them was Novetta, which started an initiative aimed at publishing the most extensive and actionable intelligence on the activity of the Lazarus Group. As part of Operation Blockbuster, together with Novetta, AlienVault Labs and other industry partners, Kaspersky Lab is publishing its findings for the benefit of the wider public.
After analyzing malware samples from different incidents and creating dedicated detection rules, the researchers identified a number of attacks as having been conducted by the Lazarus Group. They found that the attackers actively re-used code, borrowing fragments from one malicious program for use in another.
The researchers also spotted similarities in the attackers’ modus operandi. Across artefacts from different attacks, the droppers (the files used to install the various payload variants) all kept their payload inside a password-protected ZIP archive.
The password was the same across campaigns and was hardcoded inside the dropper. The protection was meant to stop automated systems from extracting and analyzing the payload; in practice it simply helped researchers identify the group. A password that has to ship inside the dropper is no secret to an analyst, and its reuse across campaigns became a reliable indicator for clustering the samples.
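The clustering trick described above, as an added example that is not code from Kaspersky Lab, Novetta or AlienVault: pull every printable string out of a dropper, carve the ZIP appended to it, try each string as the archive password, and group droppers by the password that unlocks their payload. The three droppers, their passwords, payload names and contents are constructed fixtures (the real group's values are not reproduced here). Because Python's `zipfile` can read traditional PKWARE "ZipCrypto" archives but not write them, the block implements that cipher only to build the fixtures.

```python
# Added example: cluster droppers by the ZIP password hard-coded next to the
# payload. Not Kaspersky Lab / Novetta / AlienVault code; all droppers,
# passwords and payloads below are constructed placeholders.
import io
import os
import re
import struct
import zipfile
import zlib

# Traditional PKWARE ("ZipCrypto") encryption, needed only to build fixtures.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc_byte(crc, b):
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ b) & 0xFF]


class ZipCrypto:
    def __init__(self, pwd):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in pwd:
            self._update(c)

    def _update(self, c):
        k = self.k
        k[0] = _crc_byte(k[0], c)
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_byte(k[2], k[1] >> 24)

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            t = self.k[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the keystream is driven by the plaintext
        return bytes(out)


def build_encrypted_zip(name, payload, pwd):
    """One STORED entry, flag bit 0 set: 12-byte ZipCrypto header + body."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    header = os.urandom(11) + bytes([crc >> 24])  # last byte = CRC MSB (password check)
    body = ZipCrypto(pwd).encrypt(header + payload)
    name = name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 33,
                        crc, len(body), len(payload), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 33,
                          crc, len(body), len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def make_dropper(pwd, entry, payload, decoy):
    """Constructed fixture: MZ prefix, strings (incl. the password), ZIP at the tail."""
    strings = b"\x00".join([b"This program cannot be run in DOS mode.", decoy,
                            pwd, b"CreateProcessA"]) + b"\x00"
    return b"MZ" + b"\x90" * 64 + strings + build_encrypted_zip(entry, payload, pwd)


def candidate_passwords(blob, minlen=8):
    """Every printable ASCII run in the dropper is a candidate hard-coded password."""
    return {m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, blob)}


def recover_payload(blob):
    """Carve the embedded ZIP and try each candidate string as its password."""
    start = blob.find(b"PK\x03\x04")
    if start < 0:
        return None, None
    for pwd in sorted(candidate_passwords(blob)):
        try:
            with zipfile.ZipFile(io.BytesIO(blob[start:])) as zf:
                return pwd, zf.read(zf.namelist()[0], pwd=pwd)
        except (RuntimeError, zipfile.BadZipFile):
            continue  # wrong password: check byte or CRC mismatch
    return None, None


def cluster_by_password(droppers):
    """Map each password that unlocks a payload to the droppers carrying it."""
    clusters = {}
    for name, blob in droppers.items():
        pwd, _ = recover_payload(blob)
        if pwd is not None:
            clusters.setdefault(pwd, []).append(name)
    return clusters


# Constructed fixtures: two droppers share a password, the third does not.
PWD_A, PWD_B = b"Pl@ceholder-Key-2016", b"Other-Operator-9876"
PAYLOAD_A = b"MZ fake payload A: wiper stub"
DROPPERS = {
    "dropper_a": make_dropper(PWD_A, "svchost.dat", PAYLOAD_A, b"Software\\Microsoft"),
    "dropper_b": make_dropper(PWD_A, "update.bin", b"MZ fake payload B", b"kernel32.dll"),
    "dropper_c": make_dropper(PWD_B, "setup.tmp", b"MZ fake payload C", b"advapi32.dll"),
}

if __name__ == "__main__":
    for pwd, names in cluster_by_password(DROPPERS).items():
        print(pwd.decode(), "->", names)
```

On real samples the candidate list is larger and the archive may be obfuscated rather than simply appended, but the principle is the same: a wrong password is rejected by the 12-byte header's check byte (or, one time in 256, by the CRC), so trying every embedded string is cheap, and a password that unlocks several unrelated droppers is a strong link between them.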
The method the attackers used to wipe traces of their presence from an infected system, together with the techniques they used to evade detection by anti-virus products, gave researchers additional means of clustering related attacks. Eventually dozens of targeted attacks whose operators had been considered unknown were linked to a single threat actor.
Analysis of the samples’ compilation dates showed that the earliest may have been compiled as long ago as 2009, and the number of new samples has grown rapidly since 2010.
Based on metadata extracted from the investigated samples, most of the malicious programs used by the Lazarus Group appear to have been compiled during the working hours of the GMT+8 to GMT+9 time zones. Compile timestamps are written by the attacker’s toolchain and can be zeroed or forged, so this is corroborating rather than conclusive evidence.
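The compile-time analysis described above, as an added example (not Kaspersky Lab's tooling): read `TimeDateStamp` from the COFF header of each PE file, bucket the samples by local hour for every candidate UTC offset, and rank the offsets by how much of the activity falls inside an assumed 09:00-17:59 working day. The PE headers are minimal constructed fixtures (DOS stub plus COFF header only) and the timestamps are chosen for illustration, not taken from real samples; the working-day window is an assumption.

```python
# Added example: bucket PE compile timestamps by local hour across candidate
# UTC offsets. Not Kaspersky Lab's code; the PE blobs and timestamps below are
# constructed fixtures, and the 09:00-17:59 working day is an assumption.
import struct
from datetime import datetime, timezone

WORK_START, WORK_END = 9, 18  # assumed local working day, 09:00-17:59


def minimal_pe(timestamp):
    """Constructed fixture: 'MZ' header, e_lfanew at 0x3C -> 'PE\\0\\0' + COFF header."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)
    coff = b"PE\x00\x00" + struct.pack("<HHI", 0x14C, 3, timestamp)
    return dos.ljust(0x80, b"\x00") + coff


def coff_timestamp(pe):
    """Read IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]


def hour_histogram(timestamps, utc_offset):
    """Count samples per local hour for a whole-hour UTC offset."""
    hist = [0] * 24
    for ts in timestamps:
        hist[(ts // 3600 + utc_offset) % 24] += 1
    return hist


def working_hours_share(timestamps, utc_offset):
    """Fraction of samples compiled inside the assumed working day."""
    hist = hour_histogram(timestamps, utc_offset)
    return sum(hist[WORK_START:WORK_END]) / max(1, len(timestamps))


def rank_offsets(timestamps, offsets=range(-12, 15)):
    """UTC offsets ordered by how much of the activity falls in working hours."""
    return sorted(offsets, key=lambda off: (-working_hours_share(timestamps, off), off))


# Constructed: nine builds on 2014-11-03 at 01:15 .. 09:15 UTC, one per hour.
SAMPLES = [minimal_pe(int(datetime(2014, 11, 3, h, 15, tzinfo=timezone.utc).timestamp()))
           for h in range(1, 10)]

if __name__ == "__main__":
    stamps = [coff_timestamp(pe) for pe in SAMPLES]
    for off in rank_offsets(stamps)[:3]:
        print(f"UTC{off:+d}: {working_hours_share(stamps, off):.0%} in working hours")
```

With real corpora the top offsets usually tie or sit next to each other (as the GMT+8 to GMT+9 result here does), and a cluster of timestamps at exactly zero or in the far future is itself a sign that the field was tampered with and should be excluded.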
“As we predicted, the number of wiper attacks grows steadily. This kind of malware proves to be a highly effective type of cyber-weapon. The power to wipe thousands of computers at the push of a button represents a significant bounty to a Computer Network Exploitation team tasked with disinformation and the disruption of a target enterprise. Its value as part of hybrid warfare, where wiper attacks are coupled with kinetic attacks to paralyze a country’s infrastructure, remains an interesting thought experiment closer to reality than we can be comfortable with. Together with our industry partners, we are proud to put a dent in the operations of an unscrupulous actor willing to leverage these devastating techniques,” stated Juan Guerrero, senior security researcher at Kaspersky Lab.
“This actor has the necessary skills and determination to perform cyberespionage operations with the purpose of stealing data or causing damage. Combining that with the use of disinformation and deception techniques, the attackers have been able to successfully launch several operations over the last few years,” said Jaime Blasco, chief scientist, AlienVault. “Operation Blockbuster is an example of how industry-wide information sharing and collaboration can set the bar higher and prevent this actor from continuing its operations.”
“Through Operation Blockbuster, Novetta, Kaspersky Lab and our partners have continued efforts to establish a methodology for disrupting the operations of globally significant attack groups and attempting to mitigate their efforts to inflict further harm,” said Andre Ludwig, senior technical director, Novetta Threat Research and Interdiction Group. “The level of in-depth technical analysis conducted in Operation Blockbuster is rare, and sharing our findings with industry partners, so we all benefit from increased understanding, is even rarer.”