AlienVault Helps Expose the Actors Behind the Sony Attacks

Leading Security Vendors Share Threat Intelligence to Identify Lazarus Group and Mitigate Further Malicious Operations

SAN MATEO, CA – February 24, 2016 – AlienVault™, the leading provider of Unified Security Management™ and crowd-sourced threat intelligence, together with Novetta and other industry partners, is proud to announce its contribution to Operation Blockbuster, a collaborative initiative created to share information about the Lazarus Group. This group was responsible for the attack against Sony Pictures Entertainment in 2014 and several other major operations since at least 2009, including DarkSeoul, a devastating attack conducted against companies in the financial and media sectors in 2013. To learn more about AlienVault’s findings on the Lazarus Group’s malicious activity, please visit:

“The Lazarus Group has the necessary skills and determination to perform cyber espionage operations for the purpose of stealing data or causing damage. By combining this with the use of sophisticated disinformation and deception techniques, the attackers have been able to launch several successful operations over the last few years,” said Jaime Blasco, chief scientist at AlienVault. “However, Operation Blockbuster serves as an example of how industry-wide information sharing and collaboration can set the bar higher to prevent this group from continuing its operations.”

As part of a joint investigation between AlienVault and Kaspersky Labs, researchers from both companies linked multiple technical indicators as well as TTP’s (Tactics, Techniques, and Procedures) to attribute several families to the same actor, as other participants in Operation Blockbuster confirmed in their own analysis. These indicators consisted of reuse of code as well as passwords and techniques used in different malware families. Armed with this information, AlienVault, Kaspersky and other Operation Blockbuster partners were able to determine that the Lazarus Group was also behind well-known destructive cyber espionage attacks including DarkSeoul, Operation Troy and Wild Positron / Duzzer among other operations.

“Not only are the number of wiper attacks growing at a steady rate, but this kind of malware is also proving to be a highly effective type of cyber-weapon,” said Juan Guerrero, senior security researcher at Kaspersky Lab. “With the power to wipe thousands of computers with the push of a button, a Computer Network Exploitation team can cause significant disruption to a targeted enterprise. Working with our industry partners, we are proud to put a dent in the operations of an unscrupulous threat actor leveraging these devastating techniques.”

“At AlienVault, we believe in the power of open and collaborative threat sharing. We developed AlienVault Open Threat Exchange back in 2012, to enable everyone in the OTX community to contribute their own threat data, and in return, get access to everyone else’s threat data. This exchange allows for a crowd-sourced, open and collaborative forum that collects global threat intelligence from attack victims and empowers organizations to better detect threats and mitigate damage from attacks,” continued Blasco.

“Through Operation Blockbuster, Novetta, AlienVault, and our partners have continued efforts to establish a methodology for disrupting the operations of globally significant attack groups and attempting to mitigate their efforts to inflict further harm,” said Andre Ludwig, senior technical director, Novetta Threat Research and Interdiction Group. “The level of in-depth technical analysis conducted in Operation Blockbuster is rare, and sharing our findings with industry partners, so we all benefit from increased understanding, is even rarer.”

Additional Resources


Leslie Johnson
AT&T Cybersecurity
Phone: 925.381.1237