Operation Blockbuster security biz: We'll get you, Sony hackers

A newly created cross-industry initiative aims to pool resources in order to bring down – or, at least, disrupt – the hackers behind the infamous attack against Sony Pictures back in 2014.

The Lazarus Group, which may in reality consist of several associated groups of attackers or hacking crews, started around seven years since 2009 and remains active.

The group is believed to be behind the attack on Sony Pictures Entertainment in 2014 and operation Dark Seoul that targeted media and financial institutions in South Korea a year earlier, among other attacks.

The Sony Pictures hack involved the wiping of enterprise PCs as well as the leaking of unreleased movies and - worst of all - corporate documents and emails. Less publicised activities by the group include cyber-espionage.

Operation Blockbuster involves several security vendors sharing intelligence and resources in order to assist commercial and government organisations in protecting themselves against Lazarus. As part of the initiative, vendors will circulate malware signatures and other useful intelligence related to these attackers. Such co-operation is not uncommon in the security industry but an organised collaboration targeting one particular group is far less common.

Cross-industry parallels exist in the shape of the Conficker Working Group, but that was established to develop a strategy to contain a global malware pathogen rather than a group of hackers slinging disk-wiping malware, which is where the comparison starts to break down.

Contributors to Operation Blockbuster include Kaspersky Lab, Symantec, AlienVault and Novetta, among others.

Samples of the Destover malware publicly named as used in the attack against Sony Pictures Entertainment led to wider research into a cluster of related cyber-espionage and cyber-sabotage campaigns targeting financial institutions, media stations and manufacturing companies, among others.

Kaspersky Lab said that “based on the common characteristics of the different malware families” its experts “were able to group together tens of isolated attacks and determine that they all belong to one threat actor, as other participants in Operation Blockbuster confirmed in their own analysis.”

The attackers were actively re-using code, making it easier to piece together links between their malicious creations. Researchers were able to spot similarities in the modus operandi of attackers, such as the tactic of packing malware payloads within a password-protected ZIP archive. The hard-coded password for archives used in different campaigns was the same.

Orla Cox, director security intelligence delivery at Symantec, said: “Our investigations have shown that the Lazarus Group is a well-resourced and aggressive adversary with the capabilities to carry out both espionage and subversive attacks. By pooling our respective insights, the Operation Blockbuster team hopes to deliver a considerable blow to this attack group while helping to ensure that all of our customers have robust protections to safeguard valuable information.”

The Sony Picture hack was, of course, blamed by no less an authority as the US government on North Korea. Readers will remember the huge political row over the matter and may also recall doubts in the wider infosec community when the FBI fingered the NORKS. Those doubts abated after it emerged that NSA intel based on snooping on South Korea spying on North Korea was behind the intelligence.

More on Kaspersky Lab’s findings on the Lazarus Group van be found in a post on its Securelist.com news blog here. Symantec’s take is here.

The Operation Blockbuster portal (which is maintained by Novetta) is at OperationBlockbuster.com. ®