Kaspersky Lab helps to disrupt the activity of the Lazarus Group responsible for multiple devastating cyber attacks
Thursday, 25th February 2016;Together with Novetta and other industry partners, Kaspersky Lab is proud to announce its contribution to Operation Blockbuster. The goal of the operation is to disrupt the activity of the Lazarus Group – a highly malicious entity responsible for data destruction as well as conventional cyber-espionage operations against multiple companies around the world. The attackers are believed to be behind the attack on Sony Pictures Entertainment in 2014, and operation DarkSeoul that targeted media and financial institutions in 2013.
After a devastating attack against the famous movie production company, Sony Pictures Entertainment (SPE) in 2014, Kaspersky Lab’s Global Research and Analysis Team (GReAT) began its investigation into samples of the Destover malware publicly named as used in the attack. This led to wider research into a cluster of related cyber-espionage and cyber-sabotage campaigns targeting financial institutions, media stations, and manufacturing companies, among others.
Based on the common characteristics of the different malware families, the company’s experts were able to group together tens of isolated attacks and determine that they all belong to one threat actor, as other participants in Operation Blockbuster confirmed in their own analysis.
The Lazarus Group threat actor was active several years before the SPE incident, and it appears that it is still active. Kaspersky Lab and other Operation Blockbuster research confirms a connection between malware used in various campaigns, such as Operation DarkSeoul against Seoul-based banks and broadcasters, Operation Troy targeting military forces in South Korea, and the Sony Pictures incident.
During the investigation, Kaspersky Lab researchers exchanged preliminary findings with AlienVault Labs. Eventually researchers from the two companies decided to unite efforts and conduct a joint investigation. Simultaneously, the activity of the Lazarus Group was being investigated by many other companies and security specialists. One of these companies, Novetta started an initiative aimed at publishing the most extensive and actionable intelligence on the activity of the Lazarus Group. As part of Operation Blockbuster, together with Novetta, AlienVault Labs, and other industry partners, Kaspersky Lab is publishing its findings for the benefit of the wider public.
A haystack full of needles
By analysing multiple samples of malware spotted in different cyber-security incidents and creating special detection rules, Kaspersky Lab, AlienVault and other Operation Blockbuster specialists were able to identify a number of attacks as having been conducted by the Lazarus Group.
The link from multiple samples to a single group was found during the analysis of methods used by this actor. In particular, it was discovered that the attackers were actively re-using code –borrowing fragments of code from one malicious programme to use in another.
Besides that, researchers were able to spot similarities in the modus operandi of attackers. While analysing artefacts from different attacks, they discovered that droppers – special files used to install different variations of a malicious payload – all kept their payloads within a password-protected ZIP archive. The password for archives used in different campaigns was the same and was hardcoded inside the dropper. The password protection was implemented in order to prevent automated systems from extracting and analysing the payload, but in reality it just helped researchers to identify the group.
A special method used by the criminals to try to wipe traces of their presence from an infected system, along with some techniques they used to evade detection by anti-virus products also gave researchers additional means of clustering related attacks. Eventually tens of different targeted attacks, whose operators had been considered unknown, were linked to a single threat actor.
The Operation’s Geography
The analysis of samples’ compilation dates showed that the earliest might have been compiled as long ago as 2009, five years before the infamous attack against Sony. The number of new samples has grown dynamically since 2010. This characterises the Lazarus Group as a stable, longstanding threat actor. Based on metadata extracted from investigated samples, most of the malicious programmes used by the Lazarus Group appear to have been compiled during the working hours of GMT+8 – GMT+9 time zones.