Security experts uncover masterminds behind Sony Pictures hack

An investigation into the 2014 Sony hack has bolstered claims that North Korea was behind the attack.

The cybersecurity experts who mounted the investigation, dubbed Operation Blockbuster, found that the culprits, dubbed the Lazarus Group, have been active since at least 2009.

Analysts Novetta and 12 industry players, including Symantec, Kaspersky Lab, Trent Micro, AlienVault and Carbon Black were behind the operation, which was "created with the intent to understand and potentially disrupt malicious tools and infrastructure" used by Lazarus Group.

"The [November 2014] attack against Sony Pictures Entertainment (SPE) was unprecedented in its media coverage and overt use of malicious destructive capabilities against a commercial entity," the report reads.

"[It] broke new ground not only as a destructive malware attack on a US commercial entity but also due to the fact that the US government attributed the attack to North Korea and enacted small reciprocal measures," it adds.

While Novetta said it could not definitively attribute Lazarus Group and its behaviour to any specific nation state or group, it did give the caveat that "the FBI's official attribution claims could be supported by our findings".

While the SPE attack caused headlines around the globe, the researchers discovered Lazarus Group had been active since at least 2009 and possibly since 2007.

In that time, the group, which the report says "appears to be comprised of developers and operators", developed and honed the malware used in the DarkSeoul 2013 attack, carried out a four-year-long cyber espionage campaign, attacked South Korean critical infrastructure and financial targets, took on the South Korean media and, ultimately, attacked Sony.

Protection against the attacks levied by Lazarus Group is difficult, according to the report, due to the level of sophistication involved. However, traffic monitoring, network segregation and educating employees not to fall victim to social engineering attacks are all helpful mitigation methods.

"While no effort can completely halt malicious operations, Novetta believes that these efforts can help cause significant disruption and raise operating costs for adversaries, in addition to profiling groups that have relied on secrecy for much of their success," the researchers added.

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.