The same group of computer hackers that paralyzed Sony Pictures Entertainment’s computer systems more than a year ago has been identified as responsible for other large-scale hacking operations against organizations and governments in the United States, South Korea, and other countries over more than half a decade.
Security vendors who have collaborated over the past few years to investigate the hacking activities have dubbed the group “Lazarus.” Over that period, these vendors have linked Lazarus to at least a thousand malicious file samples, which can be divided into some 45 different malware families.
Among those affected by the hackers, as early as 2009, were organizations in the government, military, finance, media, aerospace, and other critical sectors. Data theft and destruction, disruption of service, and cyber espionage were among the attacks Lazarus carried out over that time span.
The United States and South Korea were two of the main targets of Lazarus, but research showed that Japan, Taiwan, China, Italy, Brazil, India, and Pakistan were among the other countries targeted by the group. According to Novetta, the data-analytics company that organized the research, this shows that Lazarus is a well-organized, well-funded, and highly motivated group.
The November 2014 attack on Sony leaked a huge amount of the company’s documents online, while the data on the majority of its computers was erased. Sony incurred an estimated $35 million in IT system repairs as a result of the hacking debacle. An entity calling itself the Guardians of Peace took responsibility for the attack, while authorities suspected disgruntled former Sony employees or North Korea as possible offenders.
The FBI eventually identified North Korea as the presumed attacker, and the United States government sanctioned North Korean business entities. This was not backed up by sufficient evidence, which made computer security researchers skeptical about the attribution to North Korea. The reports released about Lazarus’ activities do not confirm this attribution; however, they do reinforce the FBI’s conclusion.
Novetta stated in its report: “Our analysis cannot support direct attribution of a nation-state or other specific group due to the difficulty of proper attribution in the cyber realm, the FBI’s official attribution claims could be supported by our findings.”
More than 60% of the malware associated with the Lazarus group contained Korean words, according to Kaspersky Lab – one of the 12 security vendors who worked with Novetta. According to Kaspersky researchers, the hackers likely belong to the GMT+8/GMT+9 time zones, based on activity patterns. Pyongyang, North Korea belongs to the GMT+9 time zone.
Most of Lazarus’ targets are in South Korea, leading experts to believe that the group serves North Korea’s interests. The group is also known to exploit zero-day vulnerabilities in Hangul, a word processor widely used in South Korea.
Among the attacks attributed to Lazarus were the 2009 attacks on South Korean and United States government, news, and finance websites; the 2011 Ten Days of Rain attacks against South Korea; and the 2013 DarkSeoul operation, which attacked banks and TV stations in South Korea.
The research effort focusing on the Lazarus Group is called Operation Blockbuster, and its participants have set up a website to publish the full report and share resources that can help companies defend against these hackers and similar threats. Companies that collaborated on the effort include Symantec, Invincea, ThreatConnect, Volexity, Trend Micro, RiskIQ, PunchCyber, JPCERT/CC, Carbon Black, and NetRisk.