Sony Hackers Linked to Many Espionage, Destruction Campaigns

Several security firms have teamed up to analyze and potentially disrupt the activities of a threat group that is believed to be behind the 2014 attack on Sony Pictures Entertainment.

Novetta, Kaspersky Lab, AlienVault, and Symantec published reports on Wednesday on the activities of an actor they have dubbed the Lazarus Group. As part of what they call Operation Blockbuster, researchers from these companies have analyzed more than 45 malware families, which has allowed them to find connections between several major attacks and tie them to a single group.

The Lazarus Group has been active since at least 2009, but possibly as early as 2007, and it has conducted not only cyber espionage operations, but also attacks whose goal was to destroy data and disrupt systems.

Based on the analysis of malware samples, experts have managed to link the Lazarus Group to numerous attacks, including the one that crippled and shamed Sony in 2014, the Dark Seoul and Operation Troy campaigns, and attacks on government, media, military, aerospace, manufacturing and financial organizations primarily located in South Korea and the United States. Victims have also been spotted in Taiwan, Brazil, Mexico, Turkey, Saudi Arabia, Iran, India, Russia, China, Indonesia, Malaysia, and Vietnam.

[Image: Lazarus Group victims]

Researchers managed to connect these campaigns to Lazarus based on code shared between several malicious tools, and similarities in the attackers’ modus operandi, including methods used to wipe their tracks and evade detection by security products.

In December 2014, researchers reported finding links between Destover, the wiper used in the Sony attack, and the DarkSeoul malware, but at the time there was no conclusive evidence tying the two threats to the same malware developers.

One key piece of evidence that has now allowed investigators to tie dozens of targeted attacks, previously attributed to unknown actors, to a single group was found in the malware droppers.


The analyzed droppers all stored their payload inside a password-protected archive file. The password set by the attackers was the same in every campaign and was hardcoded inside the dropper. While this method was meant to prevent automated systems from extracting the payload, it gave researchers exactly the information they needed to identify Lazarus’ operations.
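As an added illustration of the defensive side of this dropper characteristic (this is not code from the article or from any of the Operation Blockbuster reports), the Python snippet below scans a binary for embedded ZIP local file headers and flags entries whose general-purpose flag marks them as password-protected: even when the password blocks automated extraction, a triage pipeline can still record that a sample carries an encrypted embedded archive. The dropper bytes, entry name and CRC value are constructed for the example.

```python
import struct
from typing import Any, Dict, List

ZIP_LOCAL_SIG = b"PK\x03\x04"
# Local file header: sig, version, flags, method, time, date, crc32, csize, usize, fnlen, exlen
LOCAL_HDR = "<4sHHHHHIIIHH"
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR)  # 30 bytes


def find_embedded_zip_entries(blob: bytes) -> List[Dict[str, Any]]:
    """Walk every ZIP local file header found in the blob and report each entry.
    Bit 0 of the general-purpose flag field means the entry is encrypted."""
    entries: List[Dict[str, Any]] = []
    pos = blob.find(ZIP_LOCAL_SIG)
    while pos != -1 and pos + LOCAL_HDR_LEN <= len(blob):
        (_sig, _ver, flags, method, _time, _date, crc, csize, usize,
         fnlen, exlen) = struct.unpack_from(LOCAL_HDR, blob, pos)
        name_off = pos + LOCAL_HDR_LEN
        name = blob[name_off:name_off + fnlen].decode("utf-8", "replace")
        entries.append({
            "offset": pos, "name": name, "encrypted": bool(flags & 0x1),
            "method": method, "compressed_size": csize,
            "uncompressed_size": usize, "crc32": crc,
        })
        # Skip past name, extra field and file data before looking for the next header.
        pos = blob.find(ZIP_LOCAL_SIG, name_off + fnlen + exlen + csize)
    return entries


def build_sample_dropper(encrypted: bool = True) -> bytes:
    """Constructed stand-in for a dropper: a fake PE prefix followed by an embedded
    ZIP entry. The payload bytes are not really encrypted; only the flag is set."""
    payload = b"\x00" * 12 + b"fake-payload-bytes-for-demo"  # 12-byte ZipCrypto header + data
    name = b"payload.dll"  # constructed entry name
    flags = 0x0001 if encrypted else 0x0000
    hdr = struct.pack(LOCAL_HDR, ZIP_LOCAL_SIG, 20, flags, 0, 0, 0,
                      0xDEADBEEF, len(payload), len(payload) - 12, len(name), 0)
    return b"MZ" + b"\x90" * 64 + hdr + name + payload


def triage(blob: bytes) -> Dict[str, Any]:
    """Summarise what a pipeline can still learn when payload extraction is blocked."""
    entries = find_embedded_zip_entries(blob)
    encrypted = [e["name"] for e in entries if e["encrypted"]]
    return {
        "embedded_zip_entries": len(entries),
        "encrypted_entries": encrypted,
        "flag_password_protected_dropper": bool(encrypted),
    }
```

A sample flagged this way can then be queued for manual password recovery and, once the password is known, grouped with other droppers that share it.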

The U.S. government has pointed the finger at North Korea for the Sony attack and South Korea has blamed Pyongyang for many of the malicious campaigns targeting the country, but North Korea has always denied launching cyberattacks against the United States and South Korea.

The reports published by security firms on the Lazarus Group don’t directly accuse North Korea, but the evidence they present suggests that it could be responsible. For example, Kaspersky noted that the malicious tools used by the threat actor had been compiled during the working hours associated with the GMT+8 and GMT+9 time zones, which matches North Korea. Kaspersky also noted that more than 60 percent of Lazarus samples have at least one PE resource with Korean locale or language.

Novetta’s report presents evidence that the Sony attack was likely not the work of hacktivists or insiders, as some concluded shortly after the incident.

“This actor has the necessary skills and determination to perform cyberespionage operations with the purpose of stealing data or causing damage. Combining that with the use of disinformation and deception techniques, the attackers have been able to successfully launch several operations over the last few years,” said Jaime Blasco, chief scientist at AlienVault.

“As we predicted, the number of wiper attacks grows steadily. This kind of malware proves to be a highly effective type of cyber-weapon. The power to wipe thousands of computers at the push of a button represents a significant bounty to a Computer Network Exploitation team tasked with disinformation and the disruption of a target enterprise,” said Juan Guerrero, senior security researcher at Kaspersky Lab. “Its value as part of hybrid warfare, where wiper attacks are coupled with kinetic attacks to paralyze a country’s infrastructure, remains an interesting thought experiment closer to reality than we can be comfortable with.”

Technical details on the Lazarus Group’s activities are available in the reports published by Kaspersky, Symantec, Novetta and AlienVault.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
