24 Feb
The hackers that took down Sony Pictures are still on the attack, researchers say
After Sony Pictures Entertainment was hacked shortly before Thanksgiving of 2014, the attackers – who dubbed themselves the “Guardians of Peace” – went quiet.
Or so it seemed.
But now researchers say they have linked the attackers – who, the U.S. government has said, were directed by North Korea – to a chameleon-like group that has been active since at least 2009 and is still on the digital warpath, attacking systems in South Korea and elsewhere in Asia.
A new report from cybersecurity firm Novetta dubs the attackers the “Lazarus Group” – a reference to the biblical figure who comes back from the dead – because the group seems to rise again under a new identity for each campaign.
Novetta and researchers from other companies, including AlienVault and Kaspersky Lab, say they have pieced together evidence that the Lazarus Group was behind the Sony attack as well as a string of other attacks: a 2013 campaign against South Korean television stations and financial institutions, which the South Korean government blamed on North Korea, and spearphishing attempts that lured victims with documents purporting to be media coverage of last year's South Korean parliamentary election.
The Lazarus Group appears to have invented monikers for previously unknown hacking groups – including “NewRomanic Cyber Army Team,” the “WhoIs Team,” and “IsOne” – to claim credit for past hacks, according to the report. Those identities were just as ephemeral as “Guardians of Peace.”
“Once the attack subsides, that group disappears and is never heard from again — but we know it’s the same group using these same tools,” said Andre Ludwig, a senior technical director at Novetta.
The researchers connected the different incidents by analyzing malware recovered from the attacks, finding clues that linked more than forty malware families to the group, according to the report.
One chief detail linking them was the reuse of code across the different types of malware, the researchers said. “There’s very hard evidence to suggest that a lot of the development is all originating from the same authors and codebases,” said Ludwig. “These aren’t pieces of malware that are being shared on underground forums — these are very well guarded codebases that haven’t leaked out or been thrown around publicly.”
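The code-reuse linking described above can be illustrated with a small hash-based function-matching script. This is an added example for this article, not Novetta's or any other researcher's methodology or code, and it runs on constructed stand-in "function bodies" rather than real malware: each byte string represents one normalised function recovered from a sample, the sample names and routine names are hypothetical, and a real pipeline would operate on disassembled, immediate-stripped code rather than literal bytes. The point it shows is the one the researchers make: routines that are not shared library code, yet recur across otherwise different families, are what link the samples, and known runtime or library code has to be filtered out first or every binary on earth looks related.

```python
import hashlib
from itertools import combinations

# Constructed stand-in "function bodies": each byte string represents the
# normalised code of one function recovered from a sample. None of this is
# real malware, and the sample and function names are hypothetical.
RUNTIME_STUBS = {
    b"crt_startup_v1",  # stands in for compiler runtime code every binary carries
    b"memcpy_impl",     # stands in for a statically linked library routine
}

SAMPLES = {
    # "Family A": a loader and a later rebuild of it
    "sample_a1": [b"crt_startup_v1", b"memcpy_impl", b"xor_config_loader",
                  b"rc4_keysched_custom", b"drop_and_exec"],
    "sample_a2": [b"crt_startup_v1", b"memcpy_impl", b"xor_config_loader",
                  b"rc4_keysched_custom", b"beacon_http"],
    # "Family B": a different tool that reuses the same two custom routines
    "sample_b1": [b"crt_startup_v1", b"memcpy_impl", b"rc4_keysched_custom",
                  b"xor_config_loader", b"keylog_hook"],
    # Unrelated sample: only runtime/library code in common with the others
    "sample_z1": [b"crt_startup_v1", b"memcpy_impl", b"spam_mailer", b"smtp_client"],
}


def function_hashes(funcs, ignore=RUNTIME_STUBS):
    """Hash every function body, dropping known runtime/library code.

    Without the ignore set, compiler stubs present in *all* binaries would
    produce spurious links between unrelated samples."""
    return {hashlib.sha256(f).hexdigest() for f in funcs if f not in ignore}


def jaccard(a, b):
    """Jaccard similarity of two hash sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def pairwise_similarity(samples, ignore=RUNTIME_STUBS):
    """Similarity score for every unordered pair of samples."""
    hashed = {name: function_hashes(funcs, ignore) for name, funcs in samples.items()}
    return {(x, y): jaccard(hashed[x], hashed[y])
            for x, y in combinations(sorted(hashed), 2)}


def shared_code(samples, min_samples=2, ignore=RUNTIME_STUBS):
    """Function bodies that appear in at least `min_samples` samples.

    This is the 'same tools, same codebase' evidence: routines that are not
    public library code yet recur across otherwise different families."""
    seen = {}
    for name, funcs in samples.items():
        for f in set(funcs) - set(ignore):
            seen.setdefault(f, []).append(name)
    return {f: sorted(names) for f, names in seen.items() if len(names) >= min_samples}


def cluster(samples, threshold=0.3, ignore=RUNTIME_STUBS):
    """Union-find clustering: pairs scoring >= threshold join one cluster."""
    parent = {n: n for n in samples}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for (x, y), score in pairwise_similarity(samples, ignore).items():
        if score >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for n in samples:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for pair, score in pairwise_similarity(SAMPLES).items():
        print(f"{pair[0]} <-> {pair[1]}: {score:.2f}")
    print("reused routines:", shared_code(SAMPLES))
    print("clusters:", cluster(SAMPLES))
```

With the runtime stubs filtered, the three "family" samples score 0.5 against each other and 0.0 against the unrelated mailer, so they cluster together while the mailer stands alone; pass `ignore=set()` and the mailer suddenly shares two "functions" with every other sample, which is exactly the false link a naive comparison produces. Exact hash matching is the simplest possible matcher; production tooling normalises instruction operands and uses fuzzy or graph-based comparison so that recompiled or lightly modified routines still match.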