On Wednesday February 24th Novetta released Operation Blockbuster, a report that describes how a Novetta-led coalition of private industry partners and Novetta’s Threat Research & Interdiction Group (TRIG) identified and interdicted the adversary behind the Sony Pictures attack. This effort is the culmination of more than a year of research and reverse engineering by many skilled professionals, with the goal of devising ways to disrupt the tools and techniques of the threat actor group and so collectively protect our customers.
If you haven’t yet seen this report, there’s a friendly two-page executive summary at http://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Ex-Summary.pdf and the full report is at http://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf.
But why should you read it? Why do we think it’s important?
If you’re like me, the words “Sony attack” raise a few questions and mental flags. Are any of these questions popping up in your mind?
- “The Sony attack…that was in like 2014. It’s 2016 now. Why is this relevant?”
- “Sony sounded like a one-time revenge attack because of that movie with James Franco and Seth Rogen. If that’s true, why would anyone other than Sony itself bother unraveling it?”
- “My organization has many feeds of threat intel, signatures, and Indicators of Compromise. So we’d be protected against this adversary by now, right?”
- “I don’t even work with malware or incident response, and fixed-width typeface makes me sleepy. What are the take-aways for the Information Security industry as a whole?”
If any of those questions resonate with you, or if you’re on the fence about reading the report, or if you’re just curious about why we feel Operation Blockbuster is important, check out these five reasons why:
1. This was not a one-time occurrence
No, the Sony Pictures attack wasn’t a one-time attack by malicious actors the world had never seen before. TRIG has linked the Lazarus Group, the operation name for this adversary, to repeated use of particular malware code and numerous malicious attacks for targeted cyber espionage, data theft, and data destruction. They’ve targeted government, media, military, aerospace, financial, and critical infrastructure entities dating as far back as 2009. That’s 7 years! And while they’ve historically targeted organizations in South Korea and the United States, they’ve shown that they have the resources and motivation to reach out and touch nearly anyone.
2. There was insufficient actionable threat intelligence for this threat
It’s tempting to think that threat intelligence is a magic bullet. If you have prior knowledge of threats, such as signatures and other Indicators of Compromise, you can automatically scan for them and block attack attempts. That’s great, but what if traditional threat intelligence is not sufficient for a threat like the Lazarus Group? The group is known to have targeted traditional network defensive practices like firewall and anti-virus and is capable of moving within a compromised network undetected.
Why was the publicly available threat intel insufficient? Despite years of activity, including reported attacks with disclosed malware file hashes and malicious IP addresses, none of the intelligence was thoroughly organized and explained to provide actionable intelligence for network defenders. This meant that security departments were working with old and/or incomplete information.
By organizing with other industry partners and sharing information uncovered during Novetta’s and other partners’ research, the coalition was able to understand the threat group in a way that goes beyond a simple list of indicators. From this, the coalition was able to push thorough anti-virus signatures, IDS signatures, and YARA rules to commercial security products, as well as identify a robust collection of malware file hashes. When paired with a well-funded and dedicated security team proactively monitoring network activity, these indicators and signatures can help improve an organization’s defensive posture against this threat. While the attackers will of course create new malware that evades these signature-based prevention mechanisms, this operation makes it harder for them to rely on tools and strategies that have been sufficient for the better part of a decade.
3. The report shows the power of uncovering a threat actor network by looking at shared code across a large volume of malware samples
Stick with me here – this touches on a technical detail but it’s really important.
The coalition behind Operation Blockbuster identified more than 45 malware families by linking shared code, encryption keys, and other features across a diverse set of Lazarus Group tools. A key component in this analysis was Totem, an open-source Novetta-developed framework for large-scale file analysis and triage.
What did this involve? Scanning billions of files and looking for code fragments that were specific to the Lazarus Group and not the result of commodity code. This yielded 2000 samples (that’s roughly 0.0001%), 1000 of which were manually vetted and catalogued as belonging to the Lazarus Group.
This matters because attackers can now no longer rely on defenders being overwhelmed with a large volume of malware samples. Platforms like Totem can shred through malware, identify commonalities, and group samples together, which gives analysts a rich data source for performing analysis on an attacker’s tools, techniques, and procedures. As Totem and other open-source tools like it evolve, the capabilities of the defender will be improving as quickly as the tactics of the attacker.
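To make the shared-code idea concrete, here is a small added example (not Totem’s code and not from the report) of the triage step described above: break each sample into fixed-size byte fragments, discard fragments that also occur in a constructed “commodity” set (runtime stubs, library code), and link samples whose remaining fragments overlap. The byte strings, the family marker, the sample names and every function name below are constructed for illustration.

```python
"""Toy shared-code triage: cluster samples by overlap of distinctive byte fragments.

All sample data here is constructed; no real malware is represented. This is an
illustration of the approach, not Totem's implementation.
"""
from itertools import combinations

SHINGLE = 8  # fragment (shingle) length in bytes


def shingles(blob: bytes, size: int = SHINGLE) -> set:
    """Return every `size`-byte window of `blob` as a set of fragments."""
    if len(blob) < size:
        return {blob}
    return {blob[i:i + size] for i in range(len(blob) - size + 1)}


def commodity_fragments(commodity: dict) -> set:
    """Fragments seen in any commodity sample are treated as non-distinctive."""
    noise = set()
    for blob in commodity.values():
        noise |= shingles(blob)
    return noise


def distinctive(samples: dict, commodity: dict) -> dict:
    """Per-sample fragment sets with commodity fragments stripped out."""
    noise = commodity_fragments(commodity)
    return {name: shingles(blob) - noise for name, blob in samples.items()}


def jaccard(a: set, b: set) -> float:
    """Set similarity; two samples with no distinctive code at all do not match."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def cluster(samples: dict, commodity: dict, threshold: float = 0.2) -> list:
    """Union-find clustering: link samples whose distinctive-fragment Jaccard >= threshold."""
    frags = distinctive(samples, commodity)
    names = sorted(frags)
    parent = {n: n for n in names}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(names, 2):
        if jaccard(frags[a], frags[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for n in names:
        groups.setdefault(find(n), []).append(n)
    return sorted(groups.values())


def shared_fragments(samples: dict, commodity: dict, names: list) -> list:
    """Distinctive fragments common to every sample in `names`: signature candidates."""
    frags = distinctive(samples, commodity)
    return sorted(set.intersection(*(frags[n] for n in names)))


# Constructed inputs: a commodity runtime stub shared by everything, one
# "family" code fragment shared by two samples, and two unrelated samples.
CRT = b"__commodity_runtime_stub_v1__"
FAMILY_A = b"LAZ_TOY_MARKER_ALPHA_decoder_loop"
FAMILY_B = b"UNRELATED_RAT_CONFIG_PARSER_XYZ"
SAMPLES = {
    "a1": CRT + FAMILY_A + b"\x01\x02",
    "a2": b"\x09" + FAMILY_A + CRT,
    "b1": CRT + FAMILY_B,
    "c1": CRT + b"totally different thing",
}
COMMODITY = {"runtime_stub": CRT}

if __name__ == "__main__":
    print("with commodity stripping:", cluster(SAMPLES, COMMODITY))
    print("without stripping:      ", cluster(SAMPLES, {}))
    print("shared a1/a2 fragments: ", shared_fragments(SAMPLES, COMMODITY, ["a1", "a2"]))
```

Running it with the commodity set shows a1 and a2 grouped by their shared decoder fragment while b1 and c1 stay separate; running it with an empty commodity set lumps all four together on the strength of the runtime stub alone, which is exactly the false linkage that filtering out commodity code avoids. A sample made entirely of commodity code ends up with no distinctive fragments and is linked to nothing, rather than to everything.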
4. This is part of the continual TTP arms race
Even if your day job doesn’t involve malware analysis, advanced threats, or incident response, if you’re in any way connected to the InfoSec industry you should be aware of the continual cyber arms race. Attackers, especially committed advanced attackers and nation-state actors, are continually improving their tools and techniques, so defenders need to keep pace with their defense mechanisms, skills, and knowledge. By analyzing an advanced attack by a well-resourced group, the coalition led by Novetta is helping to ensure that large, well-funded, and coordinated actors cannot operate without opposition.
The report states:
“While no effort can completely halt malicious operations, Novetta believes that these efforts can help cause significant disruption and raise operating costs for adversaries, in addition to profiling groups that have relied on secrecy for much of their success.”
This is really important. The coalition is doing the hard work to shine a light on this advanced adversary, slowing down their progress and forcing them to retool, making it harder for them to carry out their next attack.
5. Private industry groups can take action on adversaries
We see in the report that malicious actors can be highly organized and can perform coordinated attacks. So why can’t that be true of the defenders as well?
The coalition brought its resources to bear on this attack in a coordinated way and was successful in revealing many of the details behind the Lazarus Group. Novetta itself believes that sharing highly technical analysis with both the public and private industry is the best way to interdict these types of actors.
What did I miss? Send me a note at pvb (at) novetta (dot) com if you have more ideas about why Operation Blockbuster matters.
Also, if you’re at the RSA conference this week, stop by and talk to some friendly folks at the Novetta booth #N4504.