# Operation Blockbuster

#### The Lazarus Group

MALWARE FAMILIES

- **DELTA**
- **HOTEL** HTTP Server: HotelAlfa
- **INDIA** Installer: IndiaEcho, IndiaFoxtrot, IndiaGolf, IndiaHotel, IndiaIndia, IndiaJuliett, IndiaKilo, IndiaWhiskey
- **KILO** Keylogger: KiloAlfa
- **LIMA** Loader: LimaAlfa, LimaBravo, LimaCharlie, LimaDelta
- **PAPA** Proxy: PapaAlfa
- **ROMEO** RAT: RomeoBravo, RomeoCharlie, RomeoDelta, RomeoEcho, RomeoFoxtrot, RomeoGolf, RomeoHotel, RomeoMike, RomeoNovember, RomeoWhiskey
- **SIERRA** Spreader: SierraAlfa, SierraBravo, SierraCharlie, SierraJuliett-MikeOne
- **TANGO** Tool (Non-classed): TangoAlfa, TangoBravo, TangoCharlie, TangoDelta
- **UNIFORM** Uninstaller: UniformAlfa, UniformJuliett
- WhiskeyAlfa

-----

- **2009:** DDoS attack on U.S. and South Korean websites (MYDOOM)
- **2011:** Attack on South Korean media, financial, and critical infrastructure targets (Ten Days of Rain)
- **2012:** Attack on a conservative South Korean media organization (IsOne)
- **2013:** Attack on South Korean broadcasters and banks (DarkSeoul)
- **2014:** Attack on Sony Pictures
- **2015:** Novetta released signatures to disrupt the Lazarus Group's attacks

## OPERATION DETAILS

In the weeks following the Sony Pictures hack, US-CERT released an alert detailing a set of malware families used by unidentified attackers to compromise large network infrastructures and deploy hard-drive wiping malware, RATs, and proxy trojans.

Novetta’s analysis of the base set of malware revealed that common code libraries were used across multiple malware families. The Operation Blockbuster team used these libraries to generate signatures to detect additional malware samples, including more than 45 distinct malware families that fall under the Lazarus Group’s domain.

**Novetta, with the help of operation partners, made available signatures that identified Lazarus Group tools on a broad scale, effectively disrupting the group’s ability to use these tools for malicious intent.**

**ACRONYM KEY:**

- **US-CERT:** United States Computer Emergency Readiness Team
- **RAT:** “Remote access trojan,” a malware that includes backdoor access for control over a targeted computer

## INDUSTRY’S NEW ROLE

In Operation Blockbuster, Novetta identified the specific attack tools of a well-connected, globally significant attack group. Novetta and industry partners worked together to understand and devise ways to degrade the malware toolset, eroding the group’s ability to use these tools for further harm. The industry team shared information and took decisive action to protect collective customers.

This sets a precedent for industry’s new role in the changing dynamic of cyber defense. Industry is no longer only a watchdog. As the work behind Operation Blockbuster continues, Novetta demonstrates that elite security professionals with the right skills and talents, working collaboratively, can and should take decisive action not only to protect against attacks, but to fight back against attackers. These industry teams can provide customers with additional protection while educating the general public about modern cyber threats.

## BUSINESS IMPLICATIONS

The Sony Pictures attack, and the long thread of related attacks documented in Operation Blockbuster, demonstrates that commercial enterprises are already living in a new era of cyber threats. As corporations’ cyber footprints continue to grow, security operations are often unable to scale. Malicious threat actors like the Lazarus Group remain a step ahead. The urgency for building and maintaining a robust and evolving cybersecurity practice has never been greater. As an executive, you know it’s your responsibility to maintain the integrity and security of your brand, and your customers’ data. Learn how to better protect your enterprise. Download Operation Blockbuster to read the full story and remediation suggestions.

**CONTACT NOVETTA:**

- Technical and security questions, contact Novetta’s Threat Research & Interdiction Group: **trig@novetta.com**
- For information on Novetta security services, solutions and products, email: **contact@novetta.com**

###### DOWNLOAD THE FULL

-----