Halting the activities of Lazarus Group in Saudi Arabia

Kaspersky Lab announced that, with the help of other partners in the technology sector, it was able to disrupt the activities of Lazarus Group, a threat actor responsible for destructive, data-wiping attacks and intrusions into several international companies worldwide, including in Saudi Arabia. The attackers are believed to be responsible for the attack on Sony Pictures Entertainment in 2014 as well as the 2013 Operation Dark Seoul, which targeted media and financial institutions.

Following the destructive attack on Sony Pictures Entertainment in 2014, Kaspersky Lab's research and analysis team began investigating samples of the "Destover" malware. This led to wider investigations into a series of malicious attacks, related to espionage and cyber intrusions, which targeted financial institutions, media channels and production companies, among others. By comparing the features shared across these malware families, Kaspersky Lab experts were able to link the results of dozens of seemingly isolated attacks and conclude that they originated from a single threat actor. This was confirmed by the other participants in their latest effort, Operation Blockbuster.

It became clear that Lazarus Group had been active for several years before the attack on Sony and appears to be active to this day. Analysis by Kaspersky and others in Operation Blockbuster confirmed a connection between the attacks on financial institutions (Operation Dark Seoul), the attacks against military targets (Operation Troy) and a further cyber attack on South Korea.

Eventually Kaspersky decided to join forces with AlienVault to carry out an investigation. At the same time, Lazarus Group was being investigated by security specialists at several other companies. Through Operation Blockbuster, Novetta and Kaspersky Lab published their results in the public interest. By analysing many malware samples used during intrusions, drawn from dedicated tracking databases, it was discovered that the attackers were recycling code, borrowing fragments from one malicious program for use in another.

They also discovered similarities in the way the group works: the droppers (files used to install the malware) all kept their payloads inside a password-protected ZIP archive. The password protection was meant to prevent automated systems from extracting and analysing the payload, but in practice it helped researchers to identify the group. The cumulative analysis indicated that the first attack was conducted in 2009, five years before the Sony incident, and that the number of attacks has grown steadily since 2010. This makes Lazarus Group a persistent, long-term threat. (The group also appears to work in the GMT+8 and GMT+9 time zones.)
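The password-protected ZIP inside a dropper is exactly the kind of consistent trait a defender can turn into a triage check. The Python script below is an added example written for this article, not code from Kaspersky Lab, Novetta or AlienVault: it locates a ZIP archive embedded in a carrier file, lists the entries whose general-purpose flag marks them as encrypted, and flags the archive when encrypted entries carry executable names. The carrier file and its archive are constructed in memory; because the standard library cannot write real ZIP encryption, the helper sets the encryption flag bit on a plain archive to mimic what a password-protected payload looks like to a parser (the names, extensions and thresholds are assumptions for illustration).

```python
import io
import struct
import zipfile

# File extensions that make an encrypted entry worth a closer look (assumed list).
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".sys")

# ZIP signatures used below (from the PKWARE APPNOTE format).
LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_HEADER_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def build_sample_zip(entries, encrypted=False):
    """Build a constructed ZIP in memory.

    If encrypted=True, bit 0 of the general-purpose flag is set in every local
    and central header, which is how a password-protected entry is marked.
    (The data itself stays in the clear; we only mimic the header state.)"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    blob = buf.getvalue()
    if not encrypted:
        return blob
    blob = bytearray(blob)
    # Flag field sits at offset 6 in a local header and offset 8 in a central header.
    for sig, off in ((LOCAL_HEADER_SIG, 6), (CENTRAL_HEADER_SIG, 8)):
        pos = blob.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", blob, pos + off)[0]
            struct.pack_into("<H", blob, pos + off, flags | 0x1)
            pos = blob.find(sig, pos + 4)
    return bytes(blob)


def find_embedded_zip(carrier):
    """Return the bytes of the first ZIP archive embedded in a carrier blob, or None.

    The archive runs from the first local file header to the end of the
    End-of-Central-Directory record (22 bytes plus an optional comment)."""
    start = carrier.find(LOCAL_HEADER_SIG)
    eocd = carrier.rfind(EOCD_SIG)
    if start == -1 or eocd == -1 or eocd < start:
        return None
    comment_len = struct.unpack_from("<H", carrier, eocd + 20)[0]
    return carrier[start:eocd + 22 + comment_len]


def triage_zip(blob):
    """Summarise an archive without extracting anything.

    Reading the central directory does not require the password, so the
    encryption flag and the entry names are visible to a scanner regardless."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    executables = [i.filename for i in infos
                   if i.filename.lower().endswith(EXECUTABLE_EXTS)]
    return {
        "entries": len(infos),
        "encrypted_entries": encrypted,
        "executable_entries": executables,
        # Encrypted archive carrying executable names is the dropper pattern
        # described above; treat it as worth analyst attention.
        "suspicious": bool(encrypted) and bool(executables),
    }


if __name__ == "__main__":
    # Constructed sample: a fake carrier wrapping a flagged archive with a DLL payload.
    archive = build_sample_zip({"payload.dll": "x" * 32, "config.txt": "y"},
                               encrypted=True)
    carrier = b"MZ" + b"\x00" * 64 + archive + b"\x00" * 16
    print(triage_zip(find_embedded_zip(carrier)))
```

The check deliberately stops at the central directory: it never needs the password and never writes the payload to disk, which keeps an automated pipeline safe while still recording the trait that Operation Blockbuster found so characteristic.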

Juan Guerrero, senior security researcher at Kaspersky Lab, said: "This kind of malware appears to be a highly effective type of cyber-weapon. The power to wipe thousands of computers at the push of a button represents a significant reward to a Computer Network Exploitation team aimed at disinformation and the disruption of a target enterprise. Its value as part of hybrid warfare, where wiper attacks are coupled with kinetic attacks, to paralyze a country's infrastructure, remains an interesting thought experiment closer to reality than we can be comfortable with. Together with our industry partners, we are proud to counteract the operations of an unethical agent from carrying out their malicious actions".

Jaime Blasco, chief scientist at AlienVault, stated: "This group has the required skills and determination to perform cyber-espionage operations with the purpose of stealing data or causing damage. Combined with disinformation and deception techniques, the attackers were able to successfully launch several operations over the last few years".

He added: "Operation Blockbuster is an example of how industry-wide information-sharing and collaboration can cause an obvious improvement in the prevention of this agent's operations". 

Andre Ludwig, senior technical director, Novetta Threat Research and Interdiction Group, said: "Through Operation Blockbuster, Novetta, Kaspersky Lab and our partners have continued efforts to establish a systematic way for disrupting the operations of globally significant attack groups and attempting to eliminate their efforts to cause further harm".

He added: "The level of in-depth technical analysis conducted in Operation Blockbuster is unusual, and sharing our results with industry partners, so we all benefit from increased understanding, is even more unusual".