The perpetrators behind the unprecedented attack against Sony Pictures Entertainment in 2014 have finally been identified, according to a consortium of private digital security firms led by Novetta. The hacker collective, which Novetta has dubbed the Lazarus Group, has apparently been active since at least 2009, and maybe as early as 2007.
Project Blockbuster, the Novetta-led effort to uncover the identity of the hackers, released a report on the collective today. Although there has been little communication from the hackers, who called themselves the Guardians of Peace during the Sony hack, Novetta said the group continues to operate and target new victims today.
In November 2014, Sony Pictures, Sony's studio subsidiary, was the victim of a cyberattack against its network and IT infrastructure by the hacker group. The hack took down the studio's computers for several days and resulted in a massive loss of confidential data, including payroll information, private e-mail correspondence between executives, and digital copies of entire, then-unreleased movies. The company was thrown into complete chaos for months following the breach.
The hack also caused the movie giant to initially cancel the release of one of its new comedy films, "The Interview." The Sony-produced comedy, which starred Seth Rogen and James Franco, was thought to be the likely cause of the cyberattack because it depicted a fictional plot to assassinate North Korean dictator Kim Jong-un.
Organized and Determined
“The attack against Sony Pictures Entertainment (SPE) was unprecedented in its media coverage and overt use of malicious destructive capabilities against a commercial entity,” Novetta wrote in the report. “The SPE attack broke new ground not only as a destructive malware attack on a U.S. commercial entity but also due to the fact that the U.S. government attributed the attack to North Korea and enacted small reciprocal measures.”
What has made Lazarus, and its attack against Sony Pictures, so successful is not the strength of its technology but its superior organization and determination, the report noted. In fact, Lazarus has been developing its toolset for at least seven years and likely has access to a much larger collection of tools than were used in the Sony hack, according to Novetta.
The report declined to draw any conclusion about whether Lazarus is, in fact, linked to the North Korean government, as the U.S. government claimed at the time of the attack. However, Novetta noted that the findings of Operation Blockbuster were consistent with that interpretation.
Lazarus Responsible for Attacks in U.S., South Korea
Novetta said that the Lazarus Group appears to consist of well-established teams of developers and operators with varying levels of technical aptitude and proficiency in computer network operations.
“This threat actor demonstrates a heavy reliance on shared code, techniques, and ideas from other previously developed Lazarus Group tool components as well as outside sources,” Novetta noted in the report. “Due to this, malware used in the November 2014 SPE attack can be linked to a much wider set of the Lazarus Group’s malware that has been under active development since as early as 2009.”
The Lazarus Group has been responsible for attacks against government, media, military, aerospace, financial, and infrastructure targets in South Korea and the U.S., according to Operation Blockbuster. The group appears to share cryptographic keys and general malware techniques across its malware families.