Novetta Exposes Depth of Sony Pictures Attack

Leads Industry Effort to Disrupt 45+ Malware Families Going Back to 2009


MCLEAN, Va., Feb. 24, 2016 (GLOBE NEWSWIRE) -- Novetta, a leader in advanced analytics technology, today announced Operation Blockbuster, a Novetta-led effort to identify, understand and disrupt the adversary behind the 2014 Sony Pictures attack. Operation Blockbuster has tied the adversary, dubbed the Lazarus Group, both to the Sony breach and to numerous malicious attacks on commercial, military and government targets beginning as early as 2009. The Operation Blockbuster report provides details on the project's scope and the more than 45 malware families identified, and includes signatures and guidance to help organizations detect and stop the group's actions.

"The Lazarus Group is just one of many attack groups with the sophisticated operational techniques required to breach networks around the globe, and steal or destroy data and other assets," said Peter LaMontagne, CEO of Novetta. "By working with industry partners, we were able to better understand and devise ways to disrupt the tools and techniques used by malicious actors and share that information to protect our collective customers."

Novetta led Operation Blockbuster research and development efforts, and formed the coalition of technology industry partners that are working together to distribute the malware signatures and other information to commercial and government organizations. Operation Blockbuster partners include Kaspersky Lab, Symantec, AlienVault, Invincea, Trend Micro, Carbon Black, PunchCyber, RiskIQ, ThreatConnect, Volexity and others.

"As we predicted in 2013, the number of wiper attacks is growing at a steady rate and is proving to be a highly effective type of cyber-weapon," said Juan Guerrero, senior security researcher at Kaspersky Lab. "When a Computer Network Exploitation team has the power to wipe thousands of computers with the push of a button, it makes for a significant bounty and potentially causes paralyzing impacts for its victims. Working with Novetta and other industry partners, we are proud to put a dent in the operations of an unscrupulous threat actor leveraging these devastating techniques."

Operation Blockbuster was initiated in late 2014 when Novetta began to investigate the Sony attack using malware information released by US-CERT and other organizations. Initially Novetta uncovered tools and techniques used in the breach, established a baseline for the attack group's malware capabilities, and determined the attack was the work of a long standing, well-resourced, and superbly organized entity working under the moniker of a hacktivist group.

Based on its initial research, Novetta identified the specific attack tools, techniques and potential motivations of the Lazarus Group, and generated signatures to detect common code and libraries used by more than 45 malware families under the group's control. Operation Blockbuster partners worked together to distribute Novetta- and partner-developed signatures and other information on a broad scale to help organizations identify the Lazarus Group's tools and techniques and disrupt further malicious operations.

"Through Operation Blockbuster, Novetta and its partners have continued efforts to establish a methodology for disrupting the operations of globally significant attack groups and attempting to mitigate their efforts to inflict further harm," said Andre Ludwig, senior technical director, Novetta Threat Research and Interdiction Group. "The level of in-depth technical analysis conducted in Operation Blockbuster is rare, and sharing our findings with industry partners, so we all benefit from increased understanding, is even rarer."

"Tackling today's digital security challenges often requires a collective approach to keep our customers protected," said Orla Cox, director, Symantec Security Response team. "Our investigations have shown that the Lazarus Group is a well-resourced and aggressive adversary with the capabilities to carry out both espionage and subversive attacks. By pooling our respective insights, the Operation Blockbuster team hopes to deliver a considerable blow to this attack group while helping to ensure that all of our customers have robust protections to safeguard valuable information."

"This actor has the necessary skills and determination to perform cyber espionage operations with the purpose of stealing data or causing damage. Combining that with the use of disinformation and deception techniques, the attackers have been able to successfully launch several operations over the last few years," said Jaime Blasco, chief scientist, AlienVault. "Operation Blockbuster is an example of how industry-wide information sharing and collaboration can set the bar higher and prevent this actor from continuing its operations."

"Resourced threat actors such as the Lazarus Group have posed a significant risk to global public and private sector organizations for some time," said Rich Barger, chief intelligence officer, ThreatConnect. "We are happy to support Novetta's research by making indicators available to the community in our ThreatConnect threat intelligence platform."

"Invincea is pleased to assist the Novetta team in its analysis of the attacks perpetrated by the group that attacked Sony last year," said Norm Laudermilch, COO, Invincea. "Using our machine learning technology, Invincea's threat research team analyzed the binaries provided by Novetta in hours and confirmed that the same adversary in the Sony attack was active as recently as six months ago."

"Visibility into the attacker's infrastructure is important in threat investigations and was a key component in understanding the Lazarus Group," said Elias Manousos, CEO, RiskIQ. "RiskIQ's PassiveTotal product was made available to our industry partner analysts providing additional linkages and context to the Internet infrastructure used to carry out the attack."

To learn more about Operation Blockbuster and access the full report, visit The full report includes information about the operation's objectives and research methodologies used for investigation and analysis; details about the threat actor group's profiles, tools, scope of activities, and extensive footprint of exploits; and a complete set of hashes, signatures and other resources to help prevent further attacks.

About Novetta

Headquartered in McLean, VA with over 750 employees across the US, Novetta has over two decades of experience solving problems of national significance through advanced analytics for government and commercial enterprises worldwide. Grounded in its work for national security clients, Novetta has pioneered disruptive technologies in four key areas of advanced analytics: data, cyber, open source/media and multi-int fusion. Novetta enables customers to find clarity from the complexity of 'big data' at the scale and speed needed to drive enterprise and mission success. For more information, visit

A photo accompanying this release is available at: