The Sony Pictures Entertainment hack served as a very public wake-up call to the dangers posed by malicious hackers. In the course of the attacks, information was both stolen and destroyed by the attackers – and new information is still coming to light about who those attackers were. The Cipher Brief spoke with Brian Bartholomew, Senior Security Researcher at Kaspersky Labs North America, about a recent joint report about the Sony hackers – now known as the Lazarus Group. According to Bartholomew, the biggest impact of the Lazarus Group’s activities could be greater usage of destructive techniques by a larger number of hacker groups.
The Cipher Brief: What is the Lazarus Group? How did Kaspersky become aware of it, and how long has it been active?
Brian Bartholomew: Lazarus Group is a name for a grouping of actors that have been responsible for some very high-profile attacks, including the attack on Sony Pictures Entertainment. We have been tracking this activity since at least 2015, but based on our research, it seems they have been around since at least 2009.
TCB: What are the goals of the Lazarus Group (espionage, crime, sabotage, etc.)? Who do they target, and what does this imply about their motivations?
BB: Lazarus’ motivations vary based on the target. We have seen them involved in espionage activity, but they have also conducted some very high-profile destructive attacks in the past.
TCB: Kaspersky Lab’s research on the Lazarus Group was part of Operation Blockbuster, a joint effort between several cybersecurity companies to address the threat posed by Lazarus. What are the challenges of this type of joint action? What are the benefits?
BB: Operation Blockbuster was the name for the joint effort involving many leading industry vendors. The goal of this operation was to expose the actors publicly in order to help the public gain a better awareness of the threat. That said, there are always some hardships that need to be tackled during a collaborative effort of this size. Logistical planning, sharing of what is considered proprietary data in some circles, coordinating deployment of protection mechanisms, and agreement on the content of the report were all things that challenged the group.
The main benefit of the effort is the combined power of one voice educating the public on the threat. In the past, multiple companies have reported on pieces of Lazarus’ activity, but never has such a comprehensive and collaborative report been made public. Another benefit is the coordinated push of protection measures by multiple companies. This essentially degrades the actor’s ability to operate at will and forces them to retool or reevaluate their operations.
TCB: What does the research on the Lazarus Group tell us about how APTs are changing? How do you expect the threat posed by groups like Lazarus to change moving forward?
BB: I believe Lazarus Group is important because they have now moved the line in the sand a bit forward with respect to destructive attacks. Before, many actors considered this taboo. Now that they have executed destructive attacks on multiple occasions, other groups may consider it a viable option in their toolbox.
TCB: What can organizations do to better protect themselves from threats like this?
BB: Many of the common recommended practices apply to this threat as well. One thing that many companies don’t have—which they should—is a recovery plan in the event of a destructive attack. Knowing exactly what to do when something like that happens and training on it in real life is essential to quickly recovering from a destructive attack. Also, things like having a layered defensive posture, segregating portions of your network, keeping your products updated, and monitoring your networks for nefarious credential usage all play an important role in protecting yourself against an actor like Lazarus. The biggest thing here is to prepare for the worst but diligently try to prevent it.