Resources

Detailed Research and Analysis

Operation Blockbuster began in December 2014, independent of any investigation conducted by law enforcement or Sony Pictures Entertainment (SPE). Our intent to not only identify and impact the malicious tools and infrastructure used by the Lazarus Group, but also to clarify details surrounding the November 2014 SPE attack, which was the subject of widespread confusion. While this particular attack occurred over a year ago, we are releasing this report now to detail our technical findings, clarify details surrounding the SPE hack, and profile the Lazarus Group, who has continued to develop tools and target victims since then. Here, in the supplemental resources, we’ve included key information, as well as four supplemental reports which go into far greater detail about the specifics of the Lazarus Group’s tools, techniques and processes. We’ve also included a brief, 2 page Executive Summary, for a quick synopsis of this ongoing operation.

Lazarus Group Timeline

Malware Attacks Documented as Far Back as 2009

Malware Variants

The Lazarus Group has developed an extensive and varied toolset which effectively combines a number of methods for delivering additional malicious tools, exfiltrating data, and launching destructive attacks. While the group’s combined capabilities are not necessarily as polished or advanced as other publicly reported APT groups, the TTPs and malware connected to the Lazarus Group demonstrate that it is a capable and determined adversary. The following illustrates the common malware variants that the Lazarus Group used in the series of attacks documented in the Operation Blockbuster report.

Rats

A malware program that includes an entry point for administrative control over a computer. These are usually invisible to users and are downloaded through platforms such as online games and email attachments.

Installers

Software that allows applications to run on a computer.

Spreaders

Those who try to cause other computers to become infected with viruses.

Loaders

A component in a system that locates a selected program and loads it onto the main storage.

Hard Drive Wipers

A security measure taken to completely erase the data from a hard disk.

General Tools

Miscellaneous attack tools uncovered during Operation Blockbuster.

Uninstallers

Various utility software that is created to remove parts from a computer.

Proxy

A type of Trojan designed to use the victim’s computer as a proxy server. This allows the attacker to commit illegal activities from a separate host.

Keylogger

Someone who tracks and notes each keystroke made on a computer, usually without permission from the user.

DDoS Bot

A type of attack where many compromised systems target a single system making it unavailable to the intended user.

Malware Families

In Operation Blockbuster, we identified more than 45 distinct malware “families.” We developed a naming scheme that allows readers to quickly identify the larger classes to which a malware family belongs. Within a single family there may exists variants that exhibit the same primary criteria of the overall family, but have significant differences that allow for additional grouping. While many of the families are dropped by another family of malware (e.g. a “dropper”), a distinction is made between the malware that drops/installs another piece of malware and the family to which the dropped malware belongs because the two families of malware serve two different functions and have two different designs. The diagram below illustrates the relationship of the Lazarus Group’s malware versions.

Hunting Method

Our Step-by-Step Process for Identifying and Tracking Malware Activity

Supplemental Reports

Through careful analysis and associated reverse engineering, Novetta and the Operation Blockbuster team have been able to link the malware used in the SPE attack to a widely varied malicious toolset. Our full report shows in detail how we identified, tracked and disrupted the malware activity. After more than a year of ongoing research and action, we have created extensive documentation of the Lazarus Group’s activities along with our ongoing, coordinated responses. In the supplemental reports below, we’ve mapped out in even greater detail the specific research, and preventative steps we’ve taken. These reports are intended for readers with a high level of technical understanding. In addition, the 2-page Executive Summary outlines the key takeaways. Download the supplemental materials below.

Tools Report

The Lazarus Group earned its name from the frequency in which specific malware was observed over time. These malware tools came to be characteristic of the group’s attacks. In the Tools report, we provide detailed analysis of these tools, and profile how the tools were used in Lazarus Group attacks dating back to 2009.

Download Report

RAT and Staging Report

A Remote Administration Tool (RAT) is malicious code that gives attackers remote control over an infected system. As outlined in this report, the Lazarus Group employs a variety of RATs which enable the group to use victim’s machines for further malicious attacks. This reverse engineering report looks at the RATs and staging malware found within the group’s collection.

Download Report

Loaders-Installers-Uninstallers-Report-Cover

Loaders, Installer and Uninstallers Report

The Lazarus Group uses a variety of installers, uninstallers, and loaders to facilitate proliferation of the group’s malware. In this detailed report we dissect the malware, and show how these tools were used to infect victims’ hardware. The use of these types of malware has broad-reaching implications on network security, and information security best practices.

Download Report

Destructive Malware Report

This report outlines our technical findings on the destructive malware observed during Operation Blockbuster. We explore and reveal the Lazarus Group’s deep toolbox of malware, and demonstrate the relationships between malware families. The naming scheme for identified malware is also detailed and explained.

Download Report

Executive Summary

In Operation Blockbuster, a Novetta-led coalition of private industry partners joined together to identify, understand, expose, and aid industry in degrading the Lazarus Group, the malicious threat actors behind the 2014 Sony Pictures attack. The Executive Summary explains key takeaways, including private industry’s new role in ensuring the balance of global cyber defense.

Download Report

Read The Full Story

Download the Operation Blockbuster report to read the definitive story. See how Novetta and a team of industry partners tracked, profiled and interdicted the threat actors behind the Sony Pictures Attack. The report shows that no longer is industry a watchdog only. In the changing balance of global cyber defense, Novetta shows industry can be a positive, proactive force.

Download Operation Blockbuster