{"id":6835,"date":"2016-02-25T06:05:21","date_gmt":"2016-02-25T11:05:21","guid":{"rendered":"https:\/\/kasperskydaily.com\/uk\/?p=6835"},"modified":"2020-04-10T19:05:08","modified_gmt":"2020-04-10T18:05:08","slug":"operation-blockbuster","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/operation-blockbuster\/6835\/","title":{"rendered":"What is known about the Lazarus Group: Sony hack, military espionage, attacks on Korean banks and other crimes"},"content":{"rendered":"<p>The morning of November 24, 2014 is ingrained in the collective memory of Sony Pictures Entertainment employees. On that day, an unknown cyber-gang hacked the company\u2019s server, leaked a slew of confidential data and created a whole lot of reputation repair work for Sony. The FBI suspected North Korean hackers. Since then, not much has been known about the culprits. That was until today.<\/p>\n<p>Kaspersky Lab collaborated with Novetta and AlienVault on a joint investigation (dubbed Operation Blockbuster) of the Lazarus Group\u2019s activity for the benefit of the greater good. This gang is believed to be responsible for the Sony Pictures hack and a number of <a href=\"https:\/\/securelist.com\/blog\/incidents\/65106\/south-korean-whois-team-attacks\/\" target=\"_blank\" rel=\"noopener noreferrer\">attacks against Seoul-based banks and broadcasters<\/a> that took place in 2013.<\/p>\n<p>After the notorious Sony Pictures breach, our specialists analysed samples of the Destover malware publicly named as being involved in the attack. 
The studies revealed traces of dozens of cyber campaigns that used different malware samples with a number of common characteristics.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">New Version of <a href=\"https:\/\/twitter.com\/hashtag\/Destover?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Destover<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Malware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Malware<\/a> Signed by Stolen <a href=\"https:\/\/twitter.com\/Sony?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@Sony<\/a> Certificate \u2013 <a href=\"http:\/\/t.co\/mDq0ZRgUgp\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/mDq0ZRgUgp<\/a><\/p>\n<p>\u2014 Threatpost (@threatpost) <a href=\"https:\/\/twitter.com\/threatpost\/status\/542409928632049665?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">December 9, 2014<\/a><\/p><\/blockquote>\n<p>Thanks to this investigation, Kaspersky Lab was able to proactively spot new malware produced by the same threat actor.<\/p>\n<h3>What else did the Lazarus Group do &amp; how did we identify them?<\/h3>\n<p>The attackers were actively re-using their developments: they borrowed fragments of code from one malicious program and implemented them in another. In addition, the droppers \u2013 the special files used to install different variations of a malicious payload \u2013 all kept their data within a password-protected ZIP archive. The same password was used in many different campaigns. 
In fact, it was hard-coded into the dropper.<\/p>\n<p>Even the methods the criminals used to wipe traces of their presence from an infected system were similar, which helped to identify the group.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Evidence suggests <a href=\"https:\/\/twitter.com\/Sony?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@Sony<\/a> hackers are alive &amp; well and still <a href=\"https:\/\/twitter.com\/hashtag\/hacking?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#hacking<\/a> <a href=\"https:\/\/t.co\/uEgsLcrOUP\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/uEgsLcrOUP<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/TheSAS2016?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#TheSAS2016<\/a> <a href=\"https:\/\/t.co\/fzcpD7aUOL\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/fzcpD7aUOL<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/698175098260480000?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 12, 2016<\/a><\/p><\/blockquote>\n<p>The investigation revealed that the Lazarus Group was involved in <a href=\"https:\/\/blogs.mcafee.com\/mcafee-labs\/dissecting-operation-troy-cyberespionage-in-south-korea\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">military espionage<\/a> campaigns and sabotaged the operations of financial institutions, media stations, and manufacturing companies. As far as we know, most of the victims reside in South Korea, India, China, Brazil, Russia, and Turkey. 
These criminals created malware such as Hangman (2014-2015) and Wild Positron (also known as Duuzer, 2015). Wild Positron was a topic of discussion at the <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/tag\/thesas2016\/\" target=\"_blank\" rel=\"noopener\">Security Analyst Summit 2016<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-6837\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/02\/05194148\/lazarus-map-EN.png\" alt=\"lazarus-map-EN\" width=\"1024\" height=\"836\"><\/p>\n<p>Kaspersky Lab shared the investigation results with AlienVault Labs. Eventually, researchers from the two companies decided to unite their efforts and conduct a joint investigation. It turned out that the activity of the Lazarus Group was also being researched by many other companies and security specialists. One of these companies, Novetta, started an initiative aimed at publishing the results of our investigation as part of \u201cOperation Blockbuster,\u201d and we were glad to support it.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Is North Korea Really Behind the Sony Breach?: <a href=\"https:\/\/t.co\/nb46bzxZXk\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/nb46bzxZXk<\/a> <a href=\"http:\/\/t.co\/6nZ4m8Yg0z\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/6nZ4m8Yg0z<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/546110282544971777?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">December 20, 2014<\/a><\/p><\/blockquote>\n<h3>What do we know about those criminals?<\/h3>\n<p>The first malware samples produced by the Lazarus Group date back to 2009. Since 2010 the number of new samples has grown rapidly. 
This characterizes the Lazarus Group as a stable, long-standing threat actor. In 2014-2015 the group\u2019s output was at its highest, and the criminals are still active in 2016.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6838\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/02\/05194147\/operation-blockbuster-samples-count.png\" alt=\"operation-blockbuster-samples-count\" width=\"808\" height=\"540\"><\/p>\n<p>Judging by the activity schedule of the group\u2019s members, they live in the GMT+8 or GMT+9 time zone. The criminals start working around midnight (GMT) and break for lunch around 3:00am GMT. It is also clear that the gang members are extreme workaholics: their working days last 15-16 hours. The Lazarus Group is probably the most hard-working APT group of all those known to us (and we\u2019ve studied <a href=\"https:\/\/apt.securelist.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">a lot of them<\/a> over the last few years).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6839\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2016\/02\/05194145\/lazarus-group-activity.png\" alt=\"lazarus-group-activity\" width=\"786\" height=\"538\"><\/p>\n<p>There is another interesting observation. Judging by the Lazarus Group reference sample set compiled by Novetta, almost two thirds of the cyber-criminals\u2019 executable files include elements that are typical of Korean-speaking users.<\/p>\n<p>The investigation is still in progress. You can read more about the Lazarus Group and our findings at <a href=\"https:\/\/securelist.com\/blog\/incidents\/73914\/operation-blockbuster-revealed\/\" target=\"_blank\" rel=\"noopener noreferrer\">Securelist<\/a>.<\/p>\n<p>Operation Blockbuster helped all parties involved find out a lot about this dangerous cyber-gang. 
We would not have been able to achieve the same results alone, for a number of reasons, including the geographical distribution of security solutions developed by different companies. Our collaboration is a great example of how sharing information helps to identify the real criminals and make the Internet a safer place.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab and partners reveal details of the joint investigation of the Lazarus group\u2019s hazardous activity.<\/p>\n","protected":false},"author":522,"featured_media":6836,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2026],"tags":[423,93,1333,861,78,1334,352,1335,36,1336,709,161],"class_list":{"0":"post-6835","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-apt","10":"tag-cybercriminals","11":"tag-darkseoul","12":"tag-hack","13":"tag-hackers","14":"tag-investigation","15":"tag-kaspersky-lab","16":"tag-lazarusapt","17":"tag-malware-2","18":"tag-operation-blockbuster","19":"tag-research","20":"tag-sony"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/operation-blockbuster\/6835\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/operation-blockbuster\/6763\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/operation-blockbuster\/6735\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/operation-blockbuster\/7797\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/operation-blockbuster\/7580\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/operation-blockbuster\/10995\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/operation-blockbuster\/11407\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/operation-blockbuster\/6013\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky
.co.jp\/operation-blockbuster\/10500\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/operation-blockbuster\/10995\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/operation-blockbuster\/11407\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/operation-blockbuster\/11407\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/apt\/","name":"apt"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/522"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=6835"}],"version-history":[{"count":5,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6835\/revisions"}],"predecessor-version":[{"id":19677,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6835\/revisions\/19677"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/6836"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=6835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=6835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=6835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}