The hackers who crippled Sony in 2014 weren't striking for the first time. New research indicates that these hackers are part of a prolific group that's been active since at least 2009, and which appears to be responsible for more than 45 families of malware used in attacks since then.

Using the Sony malware as a starting point, a number of researchers have traced connections between that hack and a constellation of other attacks that they say can be attributed to a team of hackers they're calling the Lazarus Group. The hacking group's activity apparently began with a volley of unsophisticated DDoS attacks in 2009 that struck three dozen US and South Korean web sites over the Fourth of July holiday weekend.

From then, the attackers diligently honed and developed their techniques and tools, changing methods as needed and occasionally growing more destructive. Their activity culminated in the scorched-earth attack that struck Sony in November 2014—a hack that wiped out many of the company's servers, resulted in the theft of terabytes of data, and ultimately brought the entertainment giant to its knees.

"This wasn't a spontaneous capability that was developed a year prior to and in the months leading up to [the Sony hack]," Peter LaMontagne, CEO of Novetta, one of the companies involved in the research, told WIRED. "It's an established capability that does provide insight into the nature of the attack and the fact that the perpetrators of this were well-organized and well-resourced."

Although it initially seemed the attackers went silent after the Sony hack in late 2014, they have actually continued to conduct other campaigns, as researchers from AlienVault Labs and Kaspersky Lab showed in a recent conference presentation.


The research was conducted by a coalition of security firms working both independently and together, including Symantec, Kaspersky Lab, AlienVault Labs, and Novetta, a data analytics firm that is releasing an extensive report today detailing the findings.

Based on more than a year's worth of analysis, the researchers have identified more than 45 unique families of malware used by the Lazarus Group. The researchers found these malware families primarily through the attackers' re-use of passwords, identical snippets of code, encryption keys, obfuscation methods for avoiding detection, command-and-control structures, and other telling code details and techniques.

Through these commonalities, researchers compiled a massive toolkit of malware used by Lazarus that includes families of remote-access trojans, keystroke loggers, installers and uninstallers, spreading mechanisms, DDoS botnet tools, and hard drive wipers—such as the destructive wiper used in the Sony hack. Using these malware families, they then connected disparate attacks conducted over the last decade that targeted victims in a wide swath of industries in South Korea and the US, as well as in Taiwan, China, Japan, and India. These included government, media, military, aerospace, financial, and critical infrastructure targets. Sony, of course, is the most famous victim of them all.

"That's a tremendous list," Andre Ludwig, senior technical director of Novetta's Threat Research and Interdiction Group told WIRED of the massive toolkit. "You know, Microsoft has like 45 products. Large organizations have that amount of tools and capabilities and projects.... It's impressive the scope of what these guys have done and what they continue to do .... And the scary part is, they have no qualms about being destructive."


The Sony hack got a lot of attention—primarily for its spectacularly destructive nature and for the attribution game that played out over many weeks as various groups alternately blamed the attack on hacktivists, Sony insiders, North Korea, and even Russia. Ultimately, the FBI attributed the attack to North Korea, which led the White House to levy sanctions against members of Kim Jong-un's regime.

The researchers carefully point out that they've uncovered no evidence that definitively ties the Lazarus Group to North Korea, but Novetta notes in its report that "the FBI's official attribution claims could be supported by our findings."

They also note that the attribution game is less important than the larger implications of the Sony hack: The attackers easily took command of Sony's networks with little resistance. They accomplished this not by using exceptional malware or highly technical techniques, but through determination, focus, and great organizational and coordination skills—skills that they have displayed to varying degrees in other linked attacks.

That's not to say that the Group's work is as polished or advanced as other nation-state groups like those connected to China, Russia, or the US. It's not, nor does it need to be. Their efforts only need to be sufficiently advanced to defeat their intended targets, and in the case of Sony and other victims, Novetta notes, they certainly met the requirements for mounting effective attacks.

It's possible the varied attacks being attributed to the Lazarus Group have actually been conducted by a number of groups instead of a single group. But Novetta says that if this is the case, the groups have very similar goals and "share tools, methods, taskings, and even operational duties."


How the Researchers Tracked the Lazarus Group's Attacks

Research to uncover the Lazarus Group's oeuvre began in December 2014, after information about malware used in the Sony hack became available.

First, the researchers identified common libraries and unique snippets of code the attackers used. Then they wrote signatures and YARA rules to find other malware that used the same code and libraries. YARA is a pattern-matching tool for finding connections between malware samples and seemingly disparate attacks; a YARA rule lists the strings or byte patterns to look for in a file and a condition, such as how many of them must be present, for the file to count as a match. The lengthy report issued by Novetta discusses in detail the commonalities that helped connect related malware and attacks.

The researchers automatically scanned billions of malware samples collected through VirusTotal—a free online service that aggregates more than three dozen antivirus scanners and to which anyone can upload suspicious files to see whether the scanners recognize them as malicious—and through antivirus vendors like Kaspersky Lab, which collect samples directly from infected customers. Over time, the researchers fine-tuned their signatures and YARA rules until they had narrowed the set to about 2,000 files, roughly 1,000 of which have so far been manually examined and attributed to the Lazarus Group.
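The hunting procedure described above, reduced to its mechanics, as an added illustration that is not Novetta's or Kaspersky's tooling: distinctive byte n-grams from one reference sample become a signature (what the strings section of a YARA rule encodes), grams also present in known-good files are discarded, the signature is scanned across a corpus, and each hit is explained by which artifact (a shared routine, an embedded key) it has in common. Every sample, the routine bytes, the key string, and the offsets are constructed for the example; nothing here is real malware.

```python
"""Hunt for code reuse across samples with byte-pattern signatures.

Added illustration, not Novetta's or Kaspersky's tooling. Every sample below
is a constructed byte string; the "routine" and "key" stand in for the kinds
of artifacts (shared helper code, hard-coded encryption keys) the report
describes as linking families.
"""
from collections import Counter

# --- constructed samples -----------------------------------------------
ROUTINE = bytes(range(0x60, 0x6C))      # stands in for a shared helper function
KEY = b"EXAMPLE-KEY-0x42"               # stands in for a hard-coded encryption key
REFERENCE = b"MZ" + b"\x90" * 8 + ROUTINE + b"\x00" * 6 + KEY + b"\xcc" * 4

# Offsets in REFERENCE of the artifacts an analyst judged distinctive.
FEATURES = {"routine": (10, 22), "key": (28, 44)}

# Known-good file used to strip common bytes (here it shares the NOP sled).
TRAIN_BENIGN = b"MZ" + b"\x90" * 8 + b"\x44" * 20

CORPUS = {
    "unknown_1": b"MZ" + b"\x00" * 3 + KEY + b"\x41" * 9 + ROUTINE,   # key + routine
    "unknown_2": b"MZ" + ROUTINE + b"\x42" * 12,                      # routine only
    "unknown_3": b"MZ" + b"\x43" * 30,                                # unrelated
    "benign_2":  b"MZ" + b"\x00" * 6 + b"\x45" * 20,                  # hold-out benign
}


def ngrams(data: bytes, n: int) -> set[bytes]:
    """All overlapping n-byte windows of `data`."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def build_signature(reference: bytes, benign: list[bytes],
                    features: dict[str, tuple[int, int]], n: int = 8) -> dict[bytes, str]:
    """Map each distinctive n-gram of `reference` to the artifact it came from.

    Grams seen in any benign file are dropped, as are windows made of only one
    or two byte values (padding, sleds), which would match almost anything.
    Grams that straddle an artifact boundary are labelled "context".
    """
    benign_grams = set().union(*(ngrams(b, n) for b in benign))
    signature = {}
    for i in range(len(reference) - n + 1):
        gram = reference[i:i + n]
        if gram in benign_grams or len(set(gram)) <= 2:
            continue
        label = "context"
        for name, (start, end) in features.items():
            if start <= i and i + n <= end:
                label = name
        signature.setdefault(gram, label)
    return signature


def scan(corpus: dict[str, bytes], signature: dict[bytes, str],
         min_hits: int) -> dict[str, Counter]:
    """Per matching sample, count the signature grams of each artifact it contains.

    `min_hits` plays the role of a YARA condition such as `3 of them`: a single
    coincidental overlap is not enough to cluster a file with the reference.
    """
    results = {}
    for name, data in corpus.items():
        hits = Counter(label for gram, label in signature.items() if gram in data)
        if sum(hits.values()) >= min_hits:
            results[name] = hits
    return results


if __name__ == "__main__":
    sig = build_signature(REFERENCE, [TRAIN_BENIGN], FEATURES)
    for name, hits in scan(CORPUS, sig, min_hits=3).items():
        print(name, dict(hits))
```

With these inputs `unknown_1` matches on both the key and the routine, `unknown_2` on the routine alone, and the unrelated and hold-out benign files not at all; raising `min_hits` is the same tightening step the researchers describe, trading recall for fewer spurious links. Real hunting adds the pieces this sketch omits: a benign corpus large enough that library code shared with legitimate software is stripped, and manual review of every hit before attribution.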

These include four different families of destructive malware that the attackers used to wipe data and systems, as they did in the Sony attack. Novetta has called the families Whiskey Alfa, Whiskey Bravo, Whiskey Charlie, Whiskey Delta—but they have been identified in the past by researchers under different names. Whiskey Alfa, for example, is Novetta's name for the destructive wiper used in the Sony hack that other researchers know as Destover.

The researchers also found five distinct suicide scripts the Lazarus Group used. A suicide script ensures that once a malicious executable has finished running on a system, it, and any sign of its presence, is erased. Attackers generally do this with a Windows batch file that tries to delete the executable in a loop, retrying until the delete succeeds because Windows won't remove a program's file while the process is still running, and that finally deletes the batch file itself.
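A detection check for the idiom just described, as an added example that is not from the Novetta report: it parses a batch file for a label, a `del` of a target, and an `if exist ... goto` back to that label (the retry loop), plus a `del` of `%0` or a `%~...0` variant (the script removing itself), and only reports a suicide script when both are present, since the retry loop alone is also used by legitimate updaters replacing a locked file. The three batch snippets and their paths are constructed for the demonstration.

```python
"""Flag batch files that behave like self-deleting "suicide scripts".

Added example, not from the Novetta report. The batch snippets below are
constructed; the paths in them do not refer to any real malware.
"""
import re

LABEL_RE = re.compile(r"^:(\w+)\s*$")
# `del`/`erase`, optional switches like /f /q, then a quoted or bare target
DEL_RE = re.compile(r"^(?:del|erase)\b(?:\s+/\w)*\s+(\"[^\"]+\"|\S+)", re.IGNORECASE)
IF_EXIST_GOTO_RE = re.compile(
    r"^if\s+exist\s+(\"[^\"]+\"|\S+)\s+goto\s+:?(\w+)", re.IGNORECASE)
# %0, %~f0, %~dpnx0 ...: the running script's own path
SELF_REF_RE = re.compile(r"%~?[a-z]*0\b", re.IGNORECASE)

# --- constructed samples -----------------------------------------------
SUICIDE_BAT = r"""@echo off
:loop
del /f /q "C:\ProgramData\dropper.exe"
if exist "C:\ProgramData\dropper.exe" goto loop
del /f /q %0
"""

CLEANUP_BAT = r"""@echo off
del /q "C:\ProgramData\app\*.log"
echo cleanup done
"""

# retry loop without self-deletion: the updater idiom for a locked file
WAIT_BAT = r""":retry
del "C:\Temp\old.dll"
if exist "C:\Temp\old.dll" goto retry
echo replaced
"""


def _norm(path: str) -> str:
    return path.strip('"').lower()


def analyze_batch(text: str) -> dict:
    """Return the delete-retry loops and any self-deletion found in a batch script."""
    labels = {}          # label name -> line index where it is defined
    deleted = {}         # normalized target path -> line index of its del
    loops = []           # (target, label) pairs forming a retry loop
    self_delete = False
    for idx, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if m := LABEL_RE.match(line):
            labels[m.group(1).lower()] = idx
            continue
        if m := DEL_RE.match(line):
            target = m.group(1)
            if SELF_REF_RE.search(target):
                self_delete = True
            else:
                deleted[_norm(target)] = idx
            continue
        if m := IF_EXIST_GOTO_RE.match(line):
            target, label = _norm(m.group(1)), m.group(2).lower()
            # a retry loop jumps backwards to a label placed before a del of the same file
            if label in labels and target in deleted and labels[label] < deleted[target] < idx:
                loops.append((target, label))
    return {"delete_loops": loops, "self_delete": self_delete}


def is_suicide_script(text: str) -> bool:
    """Both halves of the idiom must be present: retry-delete a file, then delete %0."""
    report = analyze_batch(text)
    return bool(report["delete_loops"]) and report["self_delete"]


if __name__ == "__main__":
    for name, script in [("suicide", SUICIDE_BAT), ("cleanup", CLEANUP_BAT), ("wait", WAIT_BAT)]:
        print(name, analyze_batch(script), is_suicide_script(script))
```

In an investigation the batch file is usually gone, which is the point of it; what survives is the parent-child relationship (the executable spawning `cmd.exe /c` on a `.bat` in a temp directory), so the same conditions are worth expressing over process-creation telemetry as well as over recovered scripts.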

Timeline of the Lazarus Group's Attacks

The first evidence of the group's activity traces back to 2007, the researchers say, when the attackers apparently began developing code that was eventually used in an attack known as Operation Flame. That code would in turn later be tied to the 2013 attacks against South Korea known as DarkSeoul.

But they really made themselves known for the first time with the July Fourth DDoS attacks in 2009—attacks that ignited hysteria on Capitol Hill and prompted one lawmaker to urge President Obama to use a "show of force" against North Korea for launching cyberwar against the US. Researchers found connections between those 2009 attacks, the DarkSeoul attacks in 2013, and a December 2014 destructive wiper attack against a South Korean power plant.

During this same period, the group also conducted a series of cyber-espionage campaigns that researchers have previously called Operation Troy and Ten Days of Rain. The latter struck in March 2011 and targeted South Korean media, financial, and critical infrastructure organizations.

But probably the most interesting attacks from the Lazarus Group have been the destructive campaigns—of which there have been three, beginning in March 2013 with the DarkSeoul attacks. These attacks targeted three South Korean broadcasting companies, several banks, and an ISP, and used a logic bomb that wiped the hard drives of infected computers simultaneously at a preset date and time, preventing bank customers from using ATMs for a short period. The destruction in these attacks, however, was nowhere near that inflicted on Sony the following year.

One of the enduring mysteries of the Sony hack involves the public persona the attackers adopted for that hack. When Sony employees first learned of the breach, it was through a message displayed on their computer screens by a group calling itself Guardians of Peace. It was this moniker, along with the fact that the hackers appeared to be trying to extort money from Sony, that led many to believe hacktivists were behind the attack.

But the Novetta researchers point out that other attacks attributed to the Lazarus Group have also involved personas apparently adopted for specific campaigns. In June 2012, the group apparently attacked a conservative South Korean newspaper using the moniker "IsOne." Like the Guardians of Peace, IsOne "emerged from complete obscurity and has done nothing since," Novetta notes. And in the DarkSeoul attacks in 2013, two groups took credit—the New Romantic Cyber Army Team and the WhoIs Team.

The Novetta researchers suggest that the Lazarus Group poses as these apparent hacktivist groups to mislead and distract the public and researchers.

"I think that they are quite willing to dispose of identities and use a certain amount of disinformation in their campaigns, which is one of the reasons I think that the security research community has had a hard time, until now, with clustering all of this activity and understanding that it is all inter-related," Juan Andrés Guerrero-Saade, senior security researcher with Kaspersky Lab's Global Research and Analysis Team, told WIRED.

Once they finished with these campaigns, they discarded the names and the malware they used, and went off in different directions. "They create identities and they adapt their toolkit to match, and then dispose and keep going."

But this tactic wasn't enough to hide them. The telltale code and techniques they reused across many of their attacks left breadcrumbs for the researchers to follow. These bits were often tiny, but they were sufficient for what the researchers needed.

"I really don't think that they thought we would catch on to that bit," says Guerrero-Saade.