Security companies collaborate to tackle Lazarus hacker group
Coalition working together to disrupt group behind the Sony Pictures attack
A group of cybersecurity companies have joined forces to attempt to stop the activities of a particularly aggressive hacking group, known as Lazarus.
The Lazarus group is believed to have been responsible for cyberattacks on commercial, military and government targets beginning as early as 2009. The group is believed to have carried out the attack against Sony Pictures Entertainment in 2014.
The joint operation to identify and disrupt the Lazarus group has been dubbed Operation Blockbuster, and is being led by security analytics company Novetta. Other Operation Blockbuster members include Kaspersky Lab, Symantec, Alienvault Labs, Trend, Carbonblack, Invincea, PunchCyber, ThreatConnect, Volexity, RiskIQ, JPCert/CC and NetRisk.
"The Lazarus Group is just one of many attack groups with the sophisticated operational techniques required to breach networks around the globe, and steal or destroy data and other assets," said Peter LaMontagne, CEO of Novetta. "By working with industry partners, we were able to better understand and devise ways to disrupt the tools and techniques used by malicious actors and share that information to protect our collective customers."
The Lazarus group, which may be a coalition of different groups, has focused mainly on targets in the US and South Korea, and is noted for using highly destructive malware, usually implementing data theft and disk-wiping. In the Middle East, targets have been affected in Saudi Arabia, Iran and Turkey.
Researchers from the various companies were able to identify common characteristics of different malware families used in multiple attacks, which all suggested that one single group was behind all of the attacks. Alongside data theft, Lazarus appears to have specialised in DDoS attacks and wiper malware, giving it the ability disrupt or destroy target networks with ease.
One of the earliest attacks linked to Lazarus occurred when distributed denial of service attacks (DDoS) attacks knocked a number of US and South Korean websites offline. A Trojan known as Dozer (detected by Symantec as Trojan.Dozer) mounted the DDoS attacks using computers it had previously compromised. Dozer was spread through emails in a campaign involving a number of worms (detected as W32.Dozer, W32.Mydoom.A@mm, and W32.Mytob!gen).
A similar wave of DDoS attacks hit South Korean websites in 2011, this time involving more destructive malware known as Trojan.Koredos.
Orla Cox, Senior Manager, Security Response at Symantec said: "Tackling today's digital security challenges often require a collective approach to keep our customers protected. Our investigations have shown that the Lazarus Group is a well-resourced and aggressive adversary with the capabilities to carry out both espionage and subversive attacks. By pooling our respective insights, the Operation Blockbuster team hopes to deliver a considerable blow to this attack group while helping to ensure that all of our customers have robust protections to safeguard valuable information."
"Through Operation Blockbuster, Novetta, Kaspersky Lab and our partners have continued efforts to establish a methodology for disrupting the operations of globally significant attack groups and attempting to mitigate their efforts to inflict further harm," added Andre Ludwig, senior technical director, Novetta Threat Research and Interdiction Group. "The level of in-depth technical analysis conducted in Operation Blockbuster is rare, and sharing our findings with industry partners, so we all benefit from increased understanding, is even rarer."