The shadowy group of hackers behind the infamous Sony Pictures hack in late 2014 have carried out other digital attacks on U.S. and South Korean targets dating back at least to 2009, according to a report released Wednesday.
The report, released by a coalition of security firms led by Novetta, found that hacking software, techniques, passwords, and encryption keys used in the Sony attack can also be tied to a 2009 series of “denial of service” attacks and a number of attacks on South Korean media, financial, and political targets from 2011 to 2013, suggesting the same group of hackers is behind the attacks. Since the Sony attacks, a malware tool apparently developed by the group, which Novetta has dubbed the “Lazarus Group,” has been found in apparent phishing emails targeting a South Korean audience, according to the report.
As recently as October 2015, the malware was found linked to a forged Korean-language document “asking speakers at the Society for Aerospace System Engineering’s (SASE) 2015 autumn conference to register their papers.” The document exploited a bug in a Korean-language word processor to deliver malware, according to the report.
“This same vulnerability, patched in September 2015, was reportedly exploited in zero-day attacks tied by researchers to North Korean threat actors,” according to the report.
The Federal Bureau of Investigation has said it believes the North Korean government sponsored the Sony attack.
Novetta and other security firms involved in the report, including Kaspersky Lab, Symantec, AlienVault, and Trend Micro, have begun distributing digital signature data identifying the malware used by the group.