Kaspersky Lab helps to disrupt the activity of the Lazarus Group responsible for multiple devastating cyber-attacks

Kaspersky Lab_Lazarus_Map copy copy

Together with Novetta and other industry partners, Kaspersky Lab is proud to announce its contribution to Operation Blockbuster. The goal of the operation is to disrupt the activity of the Lazarus Group – a highly malicious entity responsible for data destruction as well as conventional cyber-espionage operations against multiple companies around the world.

The attackers are believed to be behind the attack on Sony Pictures Entertainment in 2014, and operation DarkSeoul that targeted media and financial institutions in 2013.

After a devastating attack against the famous movie production company, Sony Pictures Entertainment (SPE) in 2014, Kaspersky Lab’s Global Research and Analysis Team (GReAT) began its investigation into samples of the Destover malware publicly named as used in the attack.

This led to wider research into a cluster of related cyber-espionage and cyber-sabotage campaigns targeting financial institutions, media stations, and manufacturing companies, among others.

Based on the common characteristics of the different malware families, the company’s experts were able to group together tens of isolated attacks and determine that they all belong to one threat actor, as other participants in Operation Blockbuster confirmed in their own analysis.

The Lazarus Group threat actor was active several years before the SPE incident, and it appears that it is still active.

Kaspersky Lab and other Operation Blockbuster research confirms a connection between malware used in various campaigns, such as Operation DarkSeoul against Seoul-based banks and broadcasters, Operation Troy targeting military forces in South Korea, and the Sony Pictures incident.

During the investigation, Kaspersky Lab researchers exchanged preliminary findings with AlienVault Labs. Eventually researchers from the two companies decided to unite efforts and conduct a joint investigation.

Simultaneously, the activity of the Lazarus Group was being investigated by many other companies and security specialists. One of these companies, Novetta started an initiative aimed at publishing the most extensive and actionable intelligence on the activity of the Lazarus Group.

As part of Operation Blockbuster, together with Novetta, AlienVault Labs, and other industry partners, Kaspersky Lab is publishing its findings for the benefit of the wider public.

A haystack full of needles

By analyzing multiple samples of malware spotted in different cyber-security incidents and creating special detection rules, Kaspersky Lab, AlienVault and other Operation Blockbuster specialists were able to identify a number of attacks as having been conducted by the Lazarus Group.

The link from multiple samples to a single group was found during the analysis of methods used by this actor. In particular, it was discovered that the attackers were actively re-using code –borrowing fragments of code from one malicious program to use in another.

Besides that, researchers were able to spot similarities in the modus operandi of attackers.

While analyzing artefacts from different attacks, they discovered that droppers – special files used to install different variations of a malicious payload – all kept their payloads within a password-protected ZIP archive.

The password for archives used in different campaigns was the same and was hardcoded inside the dropper. The password protection was implemented in order to prevent automated systems from extracting and analyzing the payload, but in reality it just helped researchers to identify the group.

A special method used by the criminals to try to wipe traces of their presence from an infected system, along with some techniques they used to evade detection by anti-virus products also gave researchers additional means of clustering related attacks.

Eventually tens of different targeted attacks, whose operators had been considered unknown, were linked to a single threat actor.

The Operation’s Geography

The analysis of samples’ compilation dates showed that the earliest might have been compiled as long ago as 2009, five years before the infamous attack against Sony.

The number of new samples has grown dynamically since 2010. This characterizes the Lazarus Group as a stable, longstanding threat actor.

Based on metadata extracted from investigated samples, most of the malicious programs used by the Lazarus Group appear to have been compiled during the working hours of GMT+8 – GMT+9 time zones.

“As we predicted, the number of wiper attacks grows steadily. This kind of malware proves to be a highly effective type of cyber-weapon. The power to wipe thousands of computers at the push of a button represents a significant bounty to a Computer Network Exploitation team tasked with disinformation and the disruption of a target enterprise. Its value as part of hybrid warfare, where wiper attacks are coupled with kinetic attacks to paralyze a country’s infrastructure remains an interesting thought experiment closer to reality than we can be comfortable with. Together with our industry partners, we are proud to put a dent in the operations of an unscrupulous actor willing to leverage these devastating techniques,” said Juan Guerrero, senior security researcher at Kaspersky Lab.

“This actor has the necessary skills and determination to perform cyberespionage operations with the purpose of stealing data or causing damage. Combining that with the use of disinformation and deception techniques, the attackers have been able to successfully launch several operations over the last few years,” said Jaime Blasco, chief scientist, AlienVault. “Operation Blockbuster is an example of how industry-wide information sharing and collaboration can set the bar higher and prevent this actor from continuing its operations.”

“Through Operation Blockbuster, Novetta, Kaspersky Lab and our partners have continued efforts to establish a methodology for disrupting the operations of globally significant attack groups and attempting to mitigate their efforts to inflict further harm,” said Andre Ludwig, senior technical director, Novetta Threat Research and Interdiction Group. “The level of in-depth technical analysis conducted in Operation Blockbuster is rare, and sharing our findings with industry partners, so we all benefit from increased understanding, is even rarer.”