Operation Blockbuster Brings the Fight to Sony Hackers
Feb 25, 2016 10:39 AM PT
Operation Blockbuster, a coalition of security companies led by Novetta, on Wednesday published a report detailing the activities of the Lazarus Group, the organization responsible for the 2014 cyberattack against Sony Pictures Entertainment.
Researchers last week published detection signatures to the companies' respective software in the hope of disrupting the group's activities.
The coalition's response has heavily wounded the malware arsenal the attackers used but has not eliminated the threats worldwide, Operation Blockbuster said.
Last year, researchers began identifying several malware hashes publicized by the security community following the Sony attack. From those hashes they established a baseline of the malware capabilities, common code and libraries used in the malware samples, according to the report.
They used the fragments of code and library functions to detect additional malware samples. They used proprietary tools and Totem, an open source Novetta-developed framework for large-scale file analysis and triage.
Refining that process led researchers to detect and analyze more than 45 distinct malware families related to the Sony malware, according to Brian Bartholomew, a researcher at coalition member Kaspersky Lab.
"I think we are definitely putting a dent in their operation. I don't think it is going to make them disappear, but it is definitely causing them some headaches," he told the E-Commerce Times.
Other members of Operation Blockbuster include AlienVault, Invincea, PunchCyber, Symantec, ThreatConnect and Volexity.
The Lazarus Group has conducted multiple attacks over at least six years, the most-well-known being the attack against Sony. The group also is responsible for some 43 malware families, said Bartholomew.
"They moved the line in the sand. They are still out there and functioning," he said.
The malware definitely poses a real threat all over the world, Bartholomew said. The attackers were not very selective about their targets, and they have played by a different set of rules.
Still, the progress the coalition has made in countering the massive malware attacks is impressive, according to Andrew Ludwig, senior technical director at Novetta who led the report.
"The biggest change comes with the identification and analysis of such a vast array of unique malware tools and capabilities that are all interrelated," he told the E-Commerce Times.
Ever Present Threat
Hacking groups are spawning because hacking is effective in cybercrime and cyber espionage.
Revelation of the activities conducted by the Lazarus Group is proof of the growing problem, according to Ben Johnson, chief security strategist at Carbon Black.
"The big reveal that the Lazarus Group exists does not increase or change the current state of the threat landscape. It underscores that there are many other groups like this one that are acting with the intent to exfiltrate valuable data from an organization, potentially pin their attack on another group or country and act in accordance with whatever code they have set forth," told the E-Commerce Times.
The details the report provides does little to change the malware landscape, noted Jeff Reingold, co-founder of Panurgy. All that's new are reported details of the multiyear efforts and investigation by Novetta and others to gain more detail into who was behind the Sony Pictures attack, the specific malware code and techniques used.
"While the results of the investigation may help make a dent in the possible further damage that could be done by Lazarus or others using those same malware tools, it does not change the landscape much regarding ongoing and future attacks aimed at data theft and/or destruction," he told the E-Commerce Times.
What To Do About It
A good defense and a strong offense are tactics to continue countering malware organizations.
The Operation Blockbuster report suggests that the Lazarus Group is a formidable threat actor capable of causing reputational and operational harm, noted Norman Comstock, researcher for the Berkeley Research Group.
It accomplishes this "by exfiltrating and leaking data, impairing system availability or recoverability with great patience and obfuscation," he told the E-Commerce Times.
A full-frontal counterattack across borders poses many risks, noted Nathan Wenzler, executive director of security at Thycotic.
Dealing with a politically volatile group makes it difficult for cyberattack victims to do anything directly without it being seen as an act of aggression or even an act of war, he told the E-Commerce Times.
"Barring that, however, there are many defensive measures that corporations and government agencies should be implementing in order to defeat the types of attacks coming out of this group," Wenzler said.