Multiple APTs Linked to One Attack Group

Friday, February 26, 2016 @ 05:02 PM gHale

A group thought to be behind multiple attacks including the 2014 attack on Sony Pictures Entertainment is now the focus of an investigation by security firms.

Novetta, Kaspersky Lab, AlienVault, and Symantec published reports on the activities of an attacker they called the Lazarus Group.

As a part of Operation Blockbuster, researchers from these companies analyzed more than 45 malware families, which has allowed them to find connections between several major attacks and tie them to a single group.

The Lazarus Group has been active since at least 2009, but possibly as early as 2007, and it has conducted not only cyber espionage operations, but also attacks whose goal was to destroy data and disrupt systems.

Based on the analysis of malware samples, experts have managed to link the Lazarus Group to numerous attacks, including Sony in 2014, Dark Seoul and Operation Troy campaigns, and attacks on government, media, military, aerospace, manufacturing and financial organizations primarily located in South Korea and the United States.

Users in Taiwan, Brazil, Mexico, Turkey, Saudi Arabia, Iran, India, Russia, China, Indonesia, Malaysia, and Vietnam were all victims of the group.

Researchers connected the Lazarus attacks based on code shared between several malicious tools, and similarities in the attackers’ approach, including methods used to wipe their tracks and evade detection by security products.

In December 2014, researchers found links between Destover, the wiper used in the Sony attack, and DarkSeoul malware, but did not find any conclusive evidence to link the threats to the same malware developers.

One key piece of evidence was in the malware droppers, researchers said.

Droppers Analyzed
The analyzed droppers all stored their payload inside a password-protected archive file. The password set by the attackers was the same in every campaign and it ended up hardcoded inside the dropper. While this prevented automated systems from extracting the payload, it provided researchers the information they needed to identify Lazarus’ operations.
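One defensive way to use the dropper trait described above, as an added example that is not from any of the Operation Blockbuster reports: scan a binary for embedded ZIP local file headers and flag those whose general-purpose flag marks the entry as password protected. The sample dropper, its payload name and the stub bytes are all constructed here; the real archive password and contents are not given on this page.

```python
"""Flag droppers that carry their payload as an embedded, password-protected ZIP."""
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"   # ZIP local file header signature
ENCRYPTED_FLAG = 0x0001     # bit 0 of the general-purpose flag field


def find_embedded_archives(blob: bytes):
    """Return (offset, entry_name, encrypted) for every ZIP local file header in blob.

    The 30-byte fixed header holds the flags at offset 6 and the name length at 26.
    """
    hits = []
    pos = blob.find(LOCAL_HDR)
    while pos != -1:
        hdr = blob[pos:pos + 30]
        if len(hdr) == 30:
            flags = struct.unpack_from("<H", hdr, 6)[0]
            name_len = struct.unpack_from("<H", hdr, 26)[0]
            name = blob[pos + 30:pos + 30 + name_len].decode("latin-1")
            hits.append((pos, name, bool(flags & ENCRYPTED_FLAG)))
        pos = blob.find(LOCAL_HDR, pos + 4)
    return hits


def looks_like_protected_dropper(blob: bytes) -> bool:
    """True if the blob embeds at least one password-protected ZIP entry."""
    return any(encrypted for _, _, encrypted in find_embedded_archives(blob))


def build_sample_dropper(encrypted: bool) -> bytes:
    """Constructed test input: a fake executable stub followed by a ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.dll", b"MZ" + b"\x00" * 64)  # constructed payload
    data = bytearray(buf.getvalue())
    if encrypted:
        # Python's zipfile cannot write encrypted archives, so set the flag bit
        # by hand to mimic an archive created with a password.
        flags = struct.unpack_from("<H", data, 6)[0] | ENCRYPTED_FLAG
        struct.pack_into("<H", data, 6, flags)
    stub = b"MZ" + b"\x90" * 128  # constructed stand-in for the dropper's own code
    return stub + bytes(data)


if __name__ == "__main__":
    for offset, name, enc in find_embedded_archives(build_sample_dropper(True)):
        print(f"ZIP entry {name!r} at offset {offset}, encrypted={enc}")
```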

The U.S. government said North Korea was behind the Sony attack, and South Korea has blamed Pyongyang for many of the malicious campaigns targeting the country. North Korea, however, has always denied launching cyber attacks against the United States and South Korea.

The reports published by the security firms on the Lazarus Group don’t directly accuse North Korea, but the evidence suggests that it could be responsible.

Kaspersky said the malicious tools used by the attacker were compiled during working hours in the time zone matching North Korea. Kaspersky also said more than 60 percent of Lazarus samples have at least one PE resource with a Korean locale or language.

Novetta’s report presents evidence the Sony attack was likely not the work of hacktivists or insiders, as some concluded shortly after the incident.

“As we predicted, the number of wiper attacks grows steadily. This kind of malware proves to be a highly effective type of cyber-weapon. The power to wipe thousands of computers at the push of a button represents a significant bounty to a Computer Network Exploitation team tasked with disinformation and the disruption of a target enterprise,” said Juan Guerrero, senior security researcher at Kaspersky Lab. “Its value as part of hybrid warfare, where wiper attacks are coupled with kinetic attacks to paralyze a country’s infrastructure remains an interesting thought experiment closer to reality than we can be comfortable with.”

“This actor has the necessary skills and determination to perform cyber espionage operations with the purpose of stealing data or causing damage. Combining that with the use of disinformation and deception techniques, the attackers have been able to successfully launch several operations over the last few years,” said Jaime Blasco, chief scientist at AlienVault.

“Through Operation Blockbuster, Novetta, Kaspersky Lab and our partners have continued efforts to establish a methodology for disrupting the operations of globally significant attack groups and attempting to mitigate their efforts to inflict further harm,” said Andre Ludwig, senior technical director, Novetta Threat Research and Interdiction Group. “The level of in-depth technical analysis conducted in Operation Blockbuster is rare, and sharing our findings with industry partners, so we all benefit from increased understanding, is even rarer.”

More technical details on the Lazarus Group’s activities are available in the reports from Kaspersky, Symantec, Novetta and AlienVault.