Novetta Exposes Depth of Sony Pictures Attack
February 24, 2016
Leads Industry Effort to Disrupt 45+ Malware Families Going Back to 2009
MCLEAN, Va. -- Novetta, a leader in advanced analytics technology, today announced Operation Blockbuster, a Novetta-led effort to identify, understand and disrupt the adversary behind the 2014 Sony Pictures attack. Operation Blockbuster has tied the adversary, dubbed the Lazarus Group, both to the Sony breach and to numerous malicious attacks on commercial, military and government targets beginning as early as 2009. The Operation Blockbuster report provides details on the project’s scope and the more than 45 malware families identified, and includes signatures and guidance to help organizations detect and stop the group’s actions.
“The Lazarus Group is just one of many attack groups with the sophisticated operational techniques required to breach networks around the globe, and steal or destroy data and other assets,” said Peter LaMontagne, CEO of Novetta. “By working with industry partners, we were able to better understand and devise ways to disrupt the tools and techniques used by malicious actors and share that information to protect our collective customers.”
Novetta led Operation Blockbuster research and development efforts, and formed the coalition of technology industry partners that are working together to distribute the malware signatures and other information to commercial and government organizations. Operation Blockbuster partners include Kaspersky Lab, Symantec, AlienVault, Invincea, Trend Micro, Carbon Black, PunchCyber, RiskIQ, ThreatConnect, Volexity and others.
“As we predicted in 2013, the number of wiper attacks is growing at a steady rate and is proving to be a highly effective type of cyber-weapon,” said Juan Guerrero, senior security researcher at Kaspersky Lab. “When a Computer Network Exploitation team has the power to wipe thousands of computers with the push of a button, it makes for a significant bounty and potentially causes paralyzing impacts for its victims. Working with Novetta and other industry partners, we are proud to put a dent in the operations of an unscrupulous threat actor leveraging these devastating techniques.”
Operation Blockbuster was initiated in late 2014 when Novetta began to investigate the Sony attack using malware information released by US-CERT and other organizations. Initially Novetta uncovered tools and techniques used in the breach, established a baseline for the attack group’s malware capabilities, and determined the attack was the work of a long standing, well-resourced, and superbly organized entity working under the moniker of a hacktivist group.
Based on its initial research, Novetta identified the specific attack tools, techniques and potential motivations of the Lazarus Group, and generated signatures to detect common code and libraries used by more than 45 malware families under the group’s control. Operation Blockbuster partners worked together to distribute Novetta- and partner-developed signatures and other information on a broad scale to help organizations identify the Lazarus Group’s tools and techniques and disrupt further malicious operations.
“Through Operation Blockbuster, Novetta and its partners have continued efforts to establish a methodology for disrupting the operations of globally significant attack groups and attempting to mitigate their efforts to inflict further harm,” said Andre Ludwig, senior technical director, Novetta Threat Research and Interdiction Group. “The level of in-depth technical analysis conducted in Operation Blockbuster is rare, and sharing our findings with industry partners, so we all benefit from increased understanding, is even rarer.”
“Visibility into the attacker’s infrastructure is important in threat investigations and was a key component in understanding the Lazarus Group,” said Elias Manousos, CEO, RiskIQ. “RiskIQ’s PassiveTotal product was made available to our industry partner analysts providing additional linkages and context to the Internet infrastructure used to carry out the attack.”
To learn more about Operation Blockbuster and access the full report, visit www.OperationBlockbuster.com. The full report includes information about the operation’s objectives and research methodologies used for investigation and analysis; details about the threat actor group’s profiles, tools, scope of activities, and extensive footprint of exploits; and a complete set of hashes, signatures and other resources to help prevent further attacks.
Headquartered in McLean, VA with over 750 employees across the US, Novetta has over two decades of experience solving problems of national significance through advanced analytics for government and commercial enterprises worldwide. Grounded in its work for national security clients, Novetta has pioneered disruptive technologies in four key areas of advanced analytics: data, cyber, open source/media and multi-int fusion. Novetta enables customers to find clarity from the complexity of ‘big data’ at the scale and speed needed to drive enterprise and mission success. Visit www.novetta.com for more information.
Click here for the full release