Security industry to use intelligence and malware sharing to help disrupt cybercrooks
Jeroen Bennink

Top security firms from across the globe are teaming up to combat the notorious Lazarus collective reportedly linked with the widespread cyberattack against Sony Pictures in 2014 alongside a slew of other hacks against finance and media organisations in the US, China, Russia and South Korea.

Dubbed Operation Blockbuster, first launched in 2014 but now being made public for the first time, the goal is to use a collaborative approach to help disrupt the activity of Lazarus by sharing vital intelligence and malware research. Being led by analytics firm Novetta, the operation will also feature work from security firms Symantec, AlienVault and Kaspersky Lab, all of which have long documented the scope of Lazarus' campaigns.

"The Lazarus group has the necessary skills and determination to perform cyberespionage operations for the purpose of stealing data or causing damage," said Jaime Blasco, chief scientist at AlienVault. "By combining this with the use of sophisticated disinformation and deception techniques, the attackers have been able to launch several successful operations over the past few years. However, Operation Blockbuster serves as an example of how industry-wide information sharing and collaboration can set the bar higher to prevent this group from continuing its operations."

By investigating the Lazarus group in detail for a number of years, the security teams have linked the malware strains used in various large-scale attacks to the same threat actor. The malware in question, coined Destover, was the subject of an FBI investigation which led the agency to conclude that the North Korean government was involved in the now infamous attack against Sony.

However, a fresh Novetta report that outlines the scope of Operation Blockbuster does not attempt to assert who exactly the hackers are or where they operate from. Instead, the team is following the evidence left behind by the malware's path of destruction.

"We strongly believe that the Sony Pictures attack was not the work of insiders or hacktivists," the report argues. "Given the malicious tools and previous cyberoperations linked to these tools, it appears that the [Sony] attack was carried out by a single group, or potentially very closely linked groups sharing technical resources, infrastructure, and even tasking.

"We have dubbed this organisation the Lazarus group. However, rather than focus on the specifics of attribution, this report and subsequent technical reports are intended to detail our technical findings on the scope of the Lazarus group's known tools and capabilities."

According to Symantec, which has been tracking the cyberattacks associated with Lazarus since 2009, the group appears to be well organised and to primarily target organisations in the US and South Korea. "Our investigations have shown that the Lazarus group is a well-resourced and aggressive adversary with the capabilities to carry out both espionage and subversive attacks," said Orla Cox, director of Symantec's Security Response team. "Tackling today's digital security challenges often requires a collective approach to keep our customers protected."

Based on the Novetta analysis, the actual tactics used by the notorious group are vast. "The Lazarus group has developed an extensive and varied toolset which effectively combines a number of methods for delivering additional malicious tools, exfiltrating data, and launching destructive attacks," states the report.

"The Lazarus group's tools are sufficiently advanced for the intended targets and level of impact. However, the Lazarus group is not limited solely to the deployment of destructive malware. In fact, the toolset identified during this operation suggests that the Lazarus group encompasses a wide spectrum of capabilities, including distributed denial of service (DDoS) malware, keyloggers, and RATs, and even a P2P malware family that allows operators to establish a common program base and remote administration across all infected machines."

Now, Novetta claims that enhanced industry collaboration will help to devise ways to degrade the group's so-called malware toolset and erode its ability to carry out future attacks. "While no effort can completely halt malicious operations, Novetta believes that these efforts can help cause significant disruption and raise operating costs for adversaries, in addition to profiling groups that have relied on secrecy for much of their success," the report notes.

"It is our hope that private industry will not only continue to illuminate various threat actors' toolsets and operations, but also work with other industry partners and law enforcement agencies as able to affect positive change on the safety of network environments worldwide."