Wired has a frighteningly good write-up on the perpetrators of one of the biggest hack attacks the United States has ever seen. As many may recall, in 2014, just as the movie The Interview was about to come out, Sony Pictures Corp (my former boss) was the victim of a massive hack. The source of that attack would be linked to North Korea.
But Wired has a follow-up to the tale of the hackers, and it turns out they are still very much active and still causing trouble. The article does not so much debate whether North Korea was or was not behind the attack. Instead it analyzes the crime scene, if you will, and reports back the so-called TTP (tools, techniques and practices) of the hackers.
Like good CSI agents, Juan Andrés Guerrero-Saade, senior security researcher at Kaspersky Lab’s Global Research and Analysis Team, and Jaime Blasco, who heads the Lab Intelligence and Research team at AlienVault Labs, have gone over all the evidence and come to some startling conclusions about the hackers:
“[T]hey didn’t disappear…not at all,” Guerrero-Saade said during a presentation with Blasco this week at the Kaspersky Security Analyst Summit in Spain.
I’ve written previously about some nasty malware out there in the wild and it turns out what the hackers used is a version of the same. As is the case with this type of malware, the program overwrites the master boot record on the target computer. Using the infected Sony computers as exhibit A, the team:
…wrote a series of so-called YARA rules based on tiny similarities and quirks that stood out in the Sony samples and the attackers’ techniques, which made them think that if they ever saw those quirks again, it would likely be in a breach conducted by the same guys. YARA is a tool for uncovering malicious files or patterns of suspicious activity on systems or networks that share similarities. YARA rules—essentially search strings—help analysts find, group, and categorize related malware samples and draw connections between them…
Over the course of more than a year, they collected 400 to 500 malware samples used in attacks now believed to be related, as well as other digital footprints left behind by the group or groups of hackers behind the attacks. The method even allowed them to find related malware that had never been publicly reported by other security researchers before. “I think we’ve gotten quite accurate and good at finding the work of these guys,” Guerrero-Saade said about the attackers.
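To make the "search strings" idea concrete, here is an added example (my own, not from the Wired piece or the researchers' actual rules) of a tiny YARA-style matcher: each rule is a set of text and hex patterns for quirks seen in one sample, with an "N of them" condition, and samples that satisfy the rule are grouped together. Every quirk and every sample here is constructed for illustration, not taken from real malware.

```python
import re
from dataclasses import dataclass

def hex_to_regex(hexstr: str) -> re.Pattern:
    """Translate a YARA-style hex string ('B8 ?? ?? 00') into a bytes regex; '??' is a wildcard byte."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in hexstr.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def text(s: str) -> re.Pattern:
    """A plain ASCII search string, the equivalent of YARA's  $a = "..."  ."""
    return re.compile(re.escape(s.encode()), re.DOTALL)

@dataclass
class Rule:
    name: str
    strings: dict          # identifier -> compiled bytes regex
    min_matches: int = 1   # YARA's "N of them" condition

    def matching_strings(self, data: bytes) -> set:
        return {ident for ident, pat in self.strings.items() if pat.search(data)}

    def matches(self, data: bytes) -> bool:
        return len(self.matching_strings(data)) >= self.min_matches

def cluster_samples(rules, samples):
    """Map each rule name to the sorted names of the samples that satisfy it."""
    return {r.name: sorted(n for n, d in samples.items() if r.matches(d)) for r in rules}

# Hypothetical quirks, constructed for this example; not indicators from any real sample.
WIPER_RULE = Rule("hypothetical_wiper_family", {
    "$pdb_typo": text(r"D:\Work\Relaese\wiper.pdb"),     # misspelled build path left in the binary
    "$mbr_msg":  text("MBR overwrite complete"),          # status string from the MBR-wiping routine
    "$stub":     hex_to_regex("B8 ?? ?? 00 00 CD 13"),    # disk-write stub with a wildcarded operand
}, min_matches=2)   # two shared quirks before we call it the same family

SAMPLES = {  # constructed stand-ins for binaries collected over time
    "sample_2014": b"MZ\x90\x00 ... D:\\Work\\Relaese\\wiper.pdb ... \xb8\x10\x00\x00\x00\xcd\x13",
    "sample_2015": b"MZ\x90\x00 ... MBR overwrite complete ... D:\\Work\\Relaese\\wiper.pdb",
    "other_wiper": b"MZ\x90\x00 ... MBR overwrite complete ...",   # one quirk only: not enough
    "benign":      b"MZ\x90\x00 ... hello world ...",
}

if __name__ == "__main__":
    print(cluster_samples([WIPER_RULE], SAMPLES))
```

The `min_matches` threshold is what keeps one coincidental string (here, a generic MBR message) from dragging an unrelated sample into the cluster.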
What the team discovered is that the Sony hackers have been involved in a number of attacks that happened after Sony, and even before Sony:
They were able, for example, to tie malware samples and attacks discovered in 2013 and known variously by different security firms as Operation Troy/DarkSeoul/Silent Chollima with malware and attacks discovered in 2014 and known as Hangman/Volgmer/TEMP.Hermit and with newer malware discovered in 2015 known as WildPositron and Duuzer.
They also were able to uncover and link recent attacks conducted in 2015 and 2016. These include malware and campaigns known as New Troy.dll/AIMRAT and Sconlog/SSPPMID, both of which were discovered in 2015, and SpaSPE and Hangman_Samsung/mySingleMessenger, discovered in 2016.
The article goes on to detail the methods and a clue as to who these attackers might be. Read the Wired article for more info.
Special thanks to Afterdawn for reporting it.