Operation Blockbuster | Novetta Threat Research & Interdiction Group
https://operationblockbuster.com
In Operation Blockbuster, a Novetta-led coalition of private industry partners joined together to identify, understand, expose, and aid industry in degrading the Lazarus Group, the malicious threat actors behind multiple cyber campaigns, including the November 2014 Sony Pictures attack. Our story demonstrates private industry’s new role in ensuring the balance of global cyber defense.
...
The attack against Sony Pictures Entertainment (SPE) was unprecedented in its media coverage and in its overt use of destructive malicious capabilities against a commercial entity. The SPE attack broke new ground not only as a destructive malware attack on a U.S. commercial entity but also because the U.S. government attributed the attack to North Korea and enacted small reciprocal measures.[1] While the debate over who was responsible – North Korea, hacktivists, or SPE employees – was the primary subject played out in the media, the attack carried much larger implications, such as how little resistance a modern commercial enterprise is able to offer in the face of a capable and determined adversary with destructive intent.
Further, Novetta’s analysis of the observed tooling and TTPs suggests that the group’s numerous successful attacks owe far more to its organization and determination than to any highly sophisticated malware of the kind reportedly used by similar classes of threat actors in the last few years, e.g., HDD malware[2] and Satellite Turla.[3]
Through careful analysis outlined in this report and other associated reverse engineering technical reports, Novetta has been able to link the malware used in the SPE attack to a widely varied malicious toolset. This toolset includes malware directly related to previously reported attacks, suggesting that these malicious tools have been actively developed and used over a span of at least 7 years, and that the attackers responsible for the SPE attack have a much larger collection of related malware outside of the set of reported SPE destructive malware. Due to this, we strongly believe that the SPE attack was not the work of insiders or hacktivists. Instead, given the malicious tools and previous cyber operations linked to these tools, it appears that the SPE attack was carried out by a single group, or potentially very closely linked groups sharing technical resources, infrastructure, and even tasking. We have dubbed this group the Lazarus Group. Although our analysis cannot support direct attribution to a nation-state or other specific group due to the difficulty of proper attribution in the cyber realm, the FBI’s official attribution claims[4] could be supported by our findings.
While the SPE attack occurred over a year ago, we are releasing this report now to detail our technical findings, clarify details surrounding the SPE hack, and profile the Lazarus Group, who has continued to develop tools and target victims since then. Most importantly, Novetta continues to work with our public and private partner organizations in this Operation to ensure that Novetta’s signatures and other data will have a meaningful impact on the Lazarus Group’s ability to function, as well as help potential victims understand in great detail not only the technical but also the operational methods. Novetta feels that this combination of sharing highly technical analysis with both the public and private industry is the best way to interdict these types of actors.
https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf