Operation Blockbuster is a Novetta-led coalition of industry partners created to identify and disrupt the malicious tools associated with the threat actor behind the November 2014 Sony Pictures attack. We began researching last year by identifying several malware hashes publicized by the security community following the SPE attack. From these hashes, we were able to establish a baseline of the malware capabilities, as there were common code and libraries being used in the malware samples.
From these common snippets of code and uses of library functions, signatures were generated to detect additional malware samples using both proprietary tools and Totem, an open-source Novetta-developed framework for large-scale file analysis and triage. These new samples were then verified and analyzed for any divergence, such as structural changes or changes in capabilities, allowing us to refine the signatures and check them again against more malware samples. Through this process, we were able to detect and analyze more than 45 distinct malware families related to the SPE malware.
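The loop described above (seed samples, a signature derived from the code they share, a scan that surfaces new samples, analyst verification, and a refined signature) can be shown on toy data. The example below is added here and is not code from Novetta, Totem or Operation Blockbuster; the byte strings standing in for binaries, the 6-byte n-gram unit of "shared code", the fragment names and the detect/review thresholds are all constructed assumptions for illustration.

```python
"""Toy version of the seed -> shared-code signature -> scan -> verify -> refine loop.
All samples are constructed byte strings, not real malware. The n-gram length,
thresholds, fragment names and sample names are assumptions for this example."""
import math
from typing import Dict, Set

N = 6  # length in bytes of one "shared code" unit (assumption)


def byte_ngrams(data: bytes, n: int = N) -> Set[bytes]:
    """All n-byte windows of a blob; overlapping windows are how reused code shows up."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def derive_signature(verified: Dict[str, bytes], benign: Dict[str, bytes],
                     min_coverage: float = 1.0, n: int = N) -> Set[bytes]:
    """Keep n-grams present in at least min_coverage of the verified samples
    (1.0 = strict intersection), then drop anything also seen in benign files so
    that common import strings or runtime code never become the signature."""
    counts: Dict[bytes, int] = {}
    for data in verified.values():
        for gram in byte_ngrams(data, n):
            counts[gram] = counts.get(gram, 0) + 1
    needed = math.ceil(min_coverage * len(verified))
    benign_grams: Set[bytes] = set()
    for data in benign.values():
        benign_grams |= byte_ngrams(data, n)
    return {g for g, c in counts.items() if c >= needed} - benign_grams


def scan(corpus: Dict[str, bytes], signature: Set[bytes],
         detect_at: float = 0.8, review_at: float = 0.3, n: int = N) -> Dict[str, str]:
    """Triage each file by the fraction of signature n-grams it contains:
    'detect' (near-identical code reuse), 'review' (partial overlap, i.e. a likely
    modified variant that an analyst must verify), or 'miss'."""
    verdicts: Dict[str, str] = {}
    for name, data in corpus.items():
        score = len(signature & byte_ngrams(data, n)) / len(signature) if signature else 0.0
        verdicts[name] = "detect" if score >= detect_at else ("review" if score >= review_at else "miss")
    return verdicts


# --- constructed sample data (assumptions, not real samples) -----------------
FRAG_ENCODER = bytes(range(0x40, 0x50))     # stands in for a reused encoding routine
FRAG_IMPORT = b"WSASocketA\x00"              # stands in for an import string many programs share
FRAG_NEWROUTINE = bytes(range(0xA0, 0xB0))  # a routine that only later variants share

SEEDS = {  # the publicly reported samples that start the process
    "seed_1": b"MZ" + b"A" * 12 + FRAG_ENCODER + b"C" * 8 + FRAG_IMPORT,
    "seed_2": b"MZ" + b"B" * 12 + FRAG_IMPORT + b"D" * 8 + FRAG_ENCODER,
}
BENIGN = {"benign_tool": b"MZ" + b"E" * 12 + FRAG_IMPORT + b"F" * 20}
CORPUS = {
    "unknown_1": b"MZ" + b"G" * 10 + FRAG_ENCODER + b"H" * 5 + FRAG_NEWROUTINE,
    "unknown_2": b"MZ" + b"I" * 10 + FRAG_IMPORT + b"J" * 20,  # shares only the import string
    # encoder with one patched byte plus the new routine: a diverged variant
    "unknown_3": b"MZ" + b"K" * 10 + FRAG_ENCODER[:9] + b"\xff" + FRAG_ENCODER[10:]
                 + FRAG_NEWROUTINE + b"L" * 4,
    # new routine only: invisible to a signature built from the seeds alone
    "unknown_4": b"MZ" + b"M" * 8 + FRAG_NEWROUTINE + b"N" * 6,
}


def run_blockbuster_loop() -> Dict[str, object]:
    """Two rounds: strict seed signature, then a refined one after verification."""
    sig1 = derive_signature(SEEDS, BENIGN, min_coverage=1.0)
    round1 = scan(CORPUS, sig1)
    # An analyst verifies the 'detect' and 'review' hits as related; they join the seed set.
    verified = dict(SEEDS)
    verified.update({k: CORPUS[k] for k, v in round1.items() if v != "miss"})
    # Refine: require coverage of half the verified set so code shared only by the
    # newer variants enters the signature without the strict intersection shrinking it.
    sig2 = derive_signature(verified, BENIGN, min_coverage=0.5)
    round2 = scan(CORPUS, sig2)
    return {"round1_signature_size": len(sig1), "round1": round1,
            "round2_signature_size": len(sig2), "round2": round2}


if __name__ == "__main__":
    for key, value in run_blockbuster_loop().items():
        print(key, value)
```

In round one the signature is the 11 encoder n-grams only (the shared import string is removed because the benign file also has it), so the fully reused encoder is detected, the patched variant lands in the review bucket, and a sample carrying only the newer routine is missed. Once the reviewed variant is verified and folded back in, the refined signature grows to 22 n-grams and that last sample surfaces for review, which is the iteration the text describes.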
The similarities found in the code snippets indicated that the malware families were the work of the same developer, or of developers sharing code, infrastructure, and resources with each other. We have dubbed the group that developed and used these malware families the Lazarus Group, and have linked several of the identified malware families to publicly reported attacks beyond the SPE attack. From the 2009 DDoS attacks to the Ten Days of Rain attacks and Operation Troy, a cyber espionage campaign that reportedly culminated in the March 2013 DarkSeoul attack, the Lazarus Group has been carrying out a series of attacks with the tools identified during Operation Blockbuster.
Along with our Operation Blockbuster participants, we have been sharing findings with other security researchers in order to develop and push antivirus, IDS, and YARA signatures out to various security products, helping to identify and remove known malware. Indicators of compromise (IOCs) and malware hashes have also been shared. Additionally, by working with our partners and pooling research efforts over the past year, we have been able to better understand an identified threat actor that has been operating unfettered for the better part of a decade. Operation Blockbuster participants intend to continue researching, sharing information, and mitigating these malicious tools.