Only after four different cyber-security firms teamed up, did security analysts manage to understand how efficient, organized, vast, and powerful the group behind the Sony Pictures hack truly is.
Working together, security experts from AlienVault, Kaspersky, Novetta, and Symantec, along with help from ten other companies, have put together clues gathered in the last seven years to reveal a constant stream of attacks from the group behind the Sony hack, which they named the Lazarus Group.
First seen in 2009, this group has been extremely active, targeting companies in numerous countries such as the US, Mexico, Brazil, Turkey, Russia, Iran, Saudi Arabia, India, Bangladesh, China, Indonesia, Malaysia, Vietnam, Taiwan, but above all South Korea.
Lazarus Group used over 45 different malware families
During all these attacks, the security companies that were called in to investigate collected a large number of malware families, ranging from RATs to hard drive wipers and from keyloggers to DDoS bots.
While in the past, security companies have attributed these tools and the respective campaigns to different groups (like Dark Seoul, Operation Troy, Operation 1Mission, Ten Days of Rain, Duuzer, Hangman, or Wild Positron), they recently discovered a similarity among all, inside one of their droppers.
A dropper is a relatively harmless malware family that gets an initial foothold on the victim’s PC and then downloads other malware, more intrusive and dangerous.
The malware dropper component which the Lazarus Group used in their operations behaved in the same way in all campaigns it was employed, which allowed researchers to track the group across time in a suite of attacks which they codenamed Operation Blockbuster.
The dropper downloaded its payload from C&C servers in the form of a password-protected archive and then used the hard-coded “!1234567890 dghtdhtrhgfjnui$%^^&fdt” password to unzip the file and launch the payload into execution.
Simple mistake lifts the shroud of mystery from the group’s activities
Because of this slip-up, researchers managed to identify some of the attacks in which the group was involved, but have been previously attributed to other hacker groups.
This included DDoS attacks on US and South Korean websites in 2009, attacks on South Korean media, financial institutions, and critical infrastructure in 2011, and attacks on South Korean conservative media in 2012.
Additionally, researchers uncovered attacks on South Korean broadcasters and banks in 2013, the infamous Sony Pictures hack in 2014, and attacks on South Korean government offices via a zero-day exploit in the Hangul Word processor in 2015.
Researchers have not officially accused the group of having ties to the North Korean government, but the timing at which they attacked all their targets certainly lets anyone see a pattern of pro-Pyongyang actions.
Besides this “theoretical” clue, two Kaspersky researchers also discovered that most of the group’s malware was compiled in the regular working hours associated with North Korea’s timezone, and also found Korean language settings in 60% of all the malware samples they analyzed.
Over five different reports are available on the Operation Blockbuster website, dealing with the group’s hacking tools, RATs, loaders, and various other malware variants employed in their operations.