Operation Blockbuster is a Novetta-led coalition of private industry partners, created with the intent to understand and potentially disrupt malicious tools and infrastructure that have been attributed to an adversary that Novetta has identified and named as the Lazarus Group. This group has been active since at least 2009, and potentially as early as 2007, and was responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment (SPE).
The attack against Sony Pictures Entertainment (SPE) was unprecedented in its media coverage and overt use of malicious destructive capabilities against a commercial entity. The SPE attack broke new ground not only as a destructive malware attack on a U.S. commercial entity but also due to the fact that the U.S. government attributed the attack to North Korea and enacted small reciprocal measures.
While the debate over who was responsible – North Korea, hacktivists, or SPE employees – dominated media coverage, the attack carried much larger implications, chief among them how little resistance a modern commercial enterprise is able to offer against a capable and determined adversary with destructive intent.
Further, Novetta’s analysis of the observed tooling and TTPs suggests that the group has executed numerous successful attacks due in large part to its organization and determination, rather than to any highly sophisticated malware of the kind reported for similar classes of threat actors in the last few years, e.g., the HDD firmware malware and the satellite-based Turla command-and-control infrastructure.
Through careful analysis outlined in this report and in the associated reverse engineering technical reports, Novetta has been able to link the malware used in the SPE attack to a widely varied malicious toolset. This toolset includes malware directly related to previously reported attacks, suggesting that these malicious tools have been actively developed and used over a span of at least seven years, and that the attackers responsible for the SPE attack possess a much larger collection of related malware beyond the reported SPE destructive samples. For these reasons, we strongly believe that the SPE attack was not the work of insiders or hacktivists. Instead, given the malicious tools and the previous cyber operations linked to them, it appears that the SPE attack was carried out by a single group, or potentially by very closely linked groups sharing technical resources, infrastructure, and even tasking. We have dubbed this group the Lazarus Group. Although our analysis cannot support direct attribution to a nation-state or other specific entity, given the difficulty of proper attribution in the cyber realm, the FBI’s official attribution claims are consistent with our findings.
While the SPE attack occurred over a year ago, we are releasing this report now to detail our technical findings, clarify details surrounding the SPE hack, and profile the Lazarus Group, which has continued to develop tools and target victims since then. Most importantly, Novetta continues to work with our public and private partner organizations in this Operation to ensure that Novetta’s signatures and other data have a meaningful impact on the Lazarus Group’s ability to function, and to help potential victims understand in detail not only the group's technical methods but also its operational methods. Novetta believes that sharing highly technical analysis with both the public and private industry is the best way to interdict this type of actor.