Operation Blockbuster has released its long-awaited report (pdf) on the Sony attack that dominated the headlines in 2014. The report is based on a more than one-year’s worth of analysis by Operation Blockbuster coalition members and identifies more than 45 pieces of unique malware used by the attackers. Operation Blockbuster has identified the attackers as the Lazarus Group and has linked the group to several malware families used in other attacks that have taken place in the last seven years.
The Lazarus Group’s activities clearly indicate the growing trend of malware developers moving from mass-market attacks – which many security vendors are able to block fairly easily – to very targeted attacks. Targeted attacks rely on information gathered through social engineering, online research, and similar data gathering methods. This information is used to develop spear phishing and other attacks designed to fool victims into taking action desired by the attackers. These attacks often bypass traditional security methods. The security industry has observed tremendous growth in these methods over the past decade.
The shift from mass-market attacks to targeted attacks is not the only evolution in cybercrime. Advanced malware such as advanced persistent threats (APTs) and ransomware are now among the top payloads. APTs often reside on a network for several months, conducting stealth discovery operations that can help a criminal further refine an attack. In 2015, the FBI reported that 992 CryptoWall-related complaints were filed, and the total losses from these complaints exceeded $18 million USD.
The Operation Blockbuster report (pdf) underscores some of the issues we face every day. Nation-state sponsored attackers have enormous resources, and even smaller organizations and individuals can develop sources of support for large operations. No organization is exempt from attacks, and no vulnerability is too small to be exploited. As a community, technology professionals tend to sort security vulnerabilities by severity. IT Teams often are tasked to deal with the most critical vulnerabilities first, while postponing smaller issues that appear to be low risk. In theory, this makes sense. However, when dealing with a group with significant resources, those “low risk” issues can be exploited quickly, and be used to launch a larger attack.
The Operation Blockbuster report is an example of community progress. Industry experts worked together to analyze the Lazarus Group attacks and develop mitigation tools. The coalition developed AV, IDS, and YARA signatures specifically designed to identify Lazarus Group tools and traffic. Operation Blockbuster demonstrates an unprecedented level of private industry collaboration in response to cyber crime and offers an example of how private industry should contribute to global cyberdefense.
Security remains a classic cat-and-mouse game between the attackers and the industry. Criminals often are able to evade signatures and security systems as fast as they are put into place. It is incumbent upon the security community to develop multiple layers of protection that defend all threat vectors, including networks, critical applications, email, and the web. It is also our responsibility to ensure that information about attacks and threat mitigation is shared among potential victims. Rather than think of users as ‘the weakest link’ in security, we should empower them to be the strongest defenders of the organization.
Consumers of IT security should demand constant innovation from their security providers. Companies, nonprofit organizations, government entities, and individuals, have the power to provide feedback to vendors and insist on a higher level of protection that addresses all risks across all threat vectors. Security providers should push development of new detection techniques such as URL re-writing in email messages to enable full inspection of web content at the time of the click; or the use of sandboxing to inspect downloads in isolated environments; or detection of any attempted external attack on a web-facing resource such as websites, APIs, and file sharing sites; or analysis of all incoming and outgoing traffic with a focus on communications with command and control hosts. Widely deployed, these technologies would have a major impact against cybercrime.
As mentioned above, the Lazarus Group has been linked to dozens of pieces of malware and multiple attacks over the past several years. One of the smallest and most interesting pieces of information gleaned from the Operation Blockbuster report is the way in which the researchers were able to link some of these activities to the Lazarus Group:
IssueMakersLab researchers have connected malicious activity as recent as the March 2013 DarkSeoul wiper attack to activity as far back as 2007, as the attackers used the same passwords, RSA encryption keys, and C2 protocol across attacks. (page 21)
It’s an interesting irony that the cybercriminals fell victim to the vulnerabilities they exploit every time they go after a new victim. Even low-skilled technology users understand that unique passwords are the first line of defense.
More importantly, this information reveals the arrogance or carelessness of the cybercriminals who carried out these attacks. They gave no thought to details that would reveal their association to multiple crimes. That arrogance may work against them, as it makes the Operation Blockbuster mitigation tools more effective, more quickly.
Cybercrime is organized crime, with access to significant resources. Although the attack methods have evolved from mass-market attacks to targeted attacks, the tools used to create targeted attacks are mass produced and widely available.
Coalitions like Operation Blockbuster, and groups like Cyber Threat Alliance and Anti-Phishing Working Group, must continue to unite the private security industry behind the goal of global defense. Government entities must play a role in supporting innovation and education of cybersecurity as national security. And consumers of security technology should keep pressure on security vendors to develop new layers of protection.
A fully engaged partnership between all of these parties can exponentially strengthen our global defenses against these threats. Only the cybercriminals will object to such a unified effort against cybercrime.
- Operation Blockbuster website
- Novetta summary
- Operation Blockbuster report (pdf)
- Cyber Threat Alliance