A new report is shedding some light on the mysterious cyberattackers behind the notorious Sony Pictures hack. The hack burst into the headlines in November 2014, when the unprecedented breach of the movie studio's computer systems exposed countless confidential documents to the public. Now, an investigation by a group of cybersecurity firms finds that the hackers responsible for the attacks -- being called the Lazarus Group by the report's authors -- can be tied to other hacks going back to at least 2009, and is still very active.
The investigation, dubbed "Operation Blockbuster," began in December 2014, completely independent of any official investigation by law enforcement or the film studio. The security firms Symantec, Kaspersky Lab, AlienVault Labs, and Novetta collaborated on the study that aimed to "identify and impact the malicious tools and infrastructure used by the Lazarus Group" and also to "clarify details surrounding" the Sony attack, the report reads.
The study identified numerous, distinct malware "families" used by the hacking group. While the Sony hack might be the most prominent attack carried out by the group, the study reports that the Lazarus Group was also behind a large-scale 2013 attack on South Korean television stations, and continues to carry out operations against media, governmental and financial institutions throughout the United States, Asia and elsewhere around the world.
Following the Sony attack, North Korea quickly emerged as the leading suspect behind the massive hack. The FBI investigation pointed the finger at North Korea, and President Obama imposed new sanctions on the country. While the latest report does not directly pin the Lazarus Group to a specific country, the researchers said that their findings do seem to indicate that it is likely tied to a government.
"We believe the U.S. government assertion that (the Sony attack) was the work of a nation-state is far more likely than this being the work of a hacktivist group or a vindictive former employee," Novetta CEO Peter LaMontagne told the Washington Post.
In a blog post on its site, Kaspersky, one of the firms behind the study, noted that the Lazarus Group's reported hours of operations appeared to coincide with the timezone in North Korea. Of course, this isn't enough to tie the attacks officially to any one group, but it does contribute to a more our understanding of who might be behind the shadowy group.
"There is another interesting observation. Judging by the Lazarus group reference sample set, compiled by Novetta, almost two thirds of cybercriminals' executable files include elements that are typical for Korean-speaking users," Kaspersky reports.