25 Feb 2016

Kaspersky Lab and friends declare war on the Lazarus Group

Kaspersky Lab has just declared war on the infamous hacking collective Lazarus Group, and it’s bringing its friends to the fight.
Together with Novetta and “other industry partners”, Kaspersky Lab has announced the formation of Operation Blockbuster – targeted at disrupting the activity of the Lazarus Group.


For those unfamiliar with the name – Lazarus Group is believed to be responsible for the 2014 attack on Sony Pictures Entertainment, as well as the 2013 Operation DarkSeoul, which targeted media and financial institutions.
Kaspersky Lab, Novetta and AlienVault have analysed samples of malware spotted on different incidents and have managed to link a number of high-profile attacks to the group. Prior to the revelation, those attacks attributed to an “unknown attacker.”
The security researchers said they found a couple of interesting things that linked various attacks to the same group. First, it was discovered that they were recycling code – borrowing fragments from one malicious program to use in another. They also spotted similarities in the way the group works – the droppers (files used to install malware) all kept their payloads within a password-protected ZIP archive.
“The password protection was implemented in order to prevent automated systems from extracting and analysing the payload, but in reality it just helped researchers to identify the group.”
Eventually, tens of different targeted attacks were linked to a single actor. The group says the first attack might have occurred in 2009, five years before the Sony incident. It seems as the group is working in the GMT+8 and GMT+9 time zones.
“As we predicted, the number of wiper attacks grows steadily. This kind of malware proves to be a highly effective type of cyber-weapon. The power to wipe thousands of computers at the push of a button represents a significant bounty to a Computer Network Exploitation team tasked with disinformation and the disruption of a target enterprise. Its value as part of hybrid warfare, where wiper attacks are coupled with kinetic attacks to paralyse a country’s infrastructure remains an interesting thought experiment closer to reality than we can be comfortable with. Together with our industry partners, we are proud to put a dent in the operations of an unscrupulous actor willing to leverage these devastating techniques,” said Juan Guerrero, Senior Security Researcher at Kaspersky Lab.
“This actor has the necessary skills and determination to perform cyberespionage operations with the purpose of stealing data or causing damage. Combining that with the use of disinformation and deception techniques, the attackers have been able to successfully launch several operations over the last few years,” said Jaime Blasco, chief scientist, AlienVault. “Operation Blockbuster is an example of how industry-wide information sharing and collaboration can set the bar higher and prevent this actor from continuing its operations.”

ITproportal