ThreatConnect Aids Novetta Research for Operation Blockbuster

ThreatConnect Supports the Novetta-led Research for Operation Blockbuster

Today, the Operation Blockbuster report was published by Novetta, a leader in advanced analytics. Novetta has once again led a coalition of private industry partners, including ThreatConnect, to understand and disrupt malicious capabilities and infrastructure that has been attributed to an adversary that Novetta has identified and dubbed, the Lazarus Group. Most notably tied to the 2014 Sony breach, the Lazarus Group has also been linked to numerous malicious attacks on commercial, military and government targets beginning as early as 2009.

ThreatConnect is supporting the Novetta-led research by availing indicators and signatures to the community via the ThreatConnect platform. To access Operation Blockbuster signatures and Lazarus Group indicators log in to the ThreatConnect Common Community. 

Novetta continues to work with us and other public and private partners in this Operation to ensure that the signatures and intelligence will have a meaningful impact on the Lazarus Group’s abilities to function, to help potential victims understand the technical and operational methods of this group, as well as the important underlying geopolitical and socioeconomic impacts. Novetta – and its partners including ThreatConnect – believe that this combination of sharing highly technical analysis with both the public and private industry is the best way to interdict these types of actors.

Novetta CEO Peter LaMontagne said, “By working with industry partners, we were able to better understand and devise ways to disrupt the tools and techniques used by malicious actors and share that information to protect our collective customers.”

Though the attack on Sony occurred over a year ago, retrospective analysis has been compiled into a comprehensive report which details Novetta’s technical findings, clarifies details surrounding the Sony breach, and profiles the Lazarus Group, who has continued to develop capabilities to target victims since then. Operation Blockbuster provides details on the group’s scope and the more than 45 malware families identified, including signatures and guidance to help organizations detect and stop the group’s activities.

Novetta Publishes Operation Blockbuster – ThreatConnect Aids Research

Lessons learned from Operation Blockbuster:

  • The Lazarus Group is a well-established group that appears to be comprised of various sets of developers and operators for their custom malware. Malware used in the November 2014 Sony Pictures attack is definitively linked to the malware developed as early as 2009.
  • The malware analyzed in this Operation and attributed to the Lazarus Group has been used to target government, media, military, aerospace, financial, and critical infrastructure entities in a limited geographic area, primarily South Korea and the United States.
  • The depth and scope of malware tools, structure of the analyzed code bases, the Sony attack was carried by a more structured, resourced, and motivated organization.
  • Novetta’s coordinated effort that included industry partners illustrates that in a new era of cyber defense, private industry’s role has changed from “observe and report” to observe and act.Learn learn more about Operation Blockbuster and access the full report, visit To access Operation Blockbuster signatures and Lazarus Group indicators log in to the ThreatConnect Common Community. 
Rich Barger
About the Author
Rich Barger

Rich is a pioneer in threat intelligence analysis and is the Chief Intelligence Officer and Director of Threat Intelligence at ThreatConnect. In 2011, Rich sought likeminded security experts and together they founded ThreatConnect. Rich has more than 15 years supporting DC’s most elite cyber defense and intelligence organizations from within both public and private sector as former U.S. Army Intelligence Analyst and security consultant. Rich is an analyst at heart, and his technical and operational vision is truly what makes ThreatConnect a disruptive new technology for organizations worldwide. Rich leads the ThreatConnect Intelligence Research Team , a globally recognized threat research team. Rich maintains a variety of professional industry certifications, and a BS in Information System Security. Rich is married and is a proud father.