Detailed Research and Analysis
Operation Blockbuster began in December 2014, independent of any investigation conducted by law enforcement or Sony Pictures Entertainment (SPE). Our intent was not only to identify and impact the malicious tools and infrastructure used by the Lazarus Group, but also to clarify details surrounding the November 2014 SPE attack, which was the subject of widespread confusion. While this particular attack occurred over a year ago, we are releasing this report now to detail our technical findings, clarify details surrounding the SPE hack, and profile the Lazarus Group, which has continued to develop tools and target victims since then. Here, in the supplemental resources, we’ve included key information, as well as four supplemental reports which go into far greater detail about the specifics of the Lazarus Group’s tools, techniques and processes. We’ve also included a brief, two-page Executive Summary for a quick synopsis of this ongoing operation.
Lazarus Group Timeline
Malware Attacks Documented as Far Back as 2009

Malware Variants
The Lazarus Group has developed an extensive and varied toolset which effectively combines a number of methods for delivering additional malicious tools, exfiltrating data, and launching destructive attacks. While the group’s combined capabilities are not necessarily as polished or advanced as other publicly reported APT groups, the TTPs and malware connected to the Lazarus Group demonstrate that it is a capable and determined adversary. The following illustrates the common malware variants that the Lazarus Group used in the series of attacks documented in the Operation Blockbuster report.

RATs
A malware program (remote access trojan) that includes an entry point for administrative control over a computer. These are usually invisible to users and are typically delivered through channels such as online games and email attachments.

Installers
Software that places other applications on a computer so that they can run.

Spreaders
Components that attempt to infect other computers with malware.

Loaders
A component in a system that locates a selected program and loads it into main memory for execution.

Hard Drive Wipers
Tools that completely erase the data from a hard disk.

General Tools
Miscellaneous attack tools uncovered during Operation Blockbuster.

Uninstallers
Various utility software created to remove components from a computer.

Proxy
A type of Trojan designed to use the victim’s computer as a proxy server. This allows the attacker to commit illegal activities from a separate host.

Keylogger
A program that tracks and records each keystroke made on a computer, usually without permission from the user.

DDoS Bot
A bot used in a type of attack where many compromised systems target a single system, making it unavailable to its intended users.
Malware Families
In Operation Blockbuster, we identified more than 45 distinct malware “families.” We developed a naming scheme that allows readers to quickly identify the larger classes to which a malware family belongs. Within a single family there may exist variants that exhibit the same primary criteria of the overall family but have significant differences that allow for additional grouping. While many of the families are dropped by another family of malware (e.g. a “dropper”), a distinction is made between the malware that drops/installs another piece of malware and the family to which the dropped malware belongs, because the two families of malware serve two different functions and have two different designs. The diagram below illustrates the relationship of the Lazarus Group’s malware versions.

Hunting Method
Our Step-by-Step Process for Identifying and Tracking Malware Activity


Read The Full Story
Download the Operation Blockbuster report to read the definitive story. See how Novetta and a team of industry partners tracked, profiled and interdicted the threat actors behind the Sony Pictures attack. The report shows that industry is no longer only a watchdog. In the changing balance of global cyber defense, Novetta shows that industry can be a positive, proactive force.