CONCLUSION<br />
The attack on Sony Pictures Entertainment used malware that shares a number of<br />
commonalities with malware used in previously known attacks.<br />
These previous attacks were mainly directed against South Korean entities such as financial institutions,<br />
government sites, think tanks and other important functions. Targets outside South Korea have also been affected,<br />
albeit to a lesser extent: apart from the Sony intrusion, the Dozer DDoS attacks of 2009 were also directed towards<br />
US websites.<br />
The number of common factors between the different incidents makes it, in our opinion, very likely that these<br />
incidents were perpetrated by the same group, or at least by cooperating groups.<br />
In this paper, we are not commenting on geographical attribution for the Sony attack. We note that a number of<br />
the mentioned previous attacks (Dozer (15), Koredos, Korhigh (16), DarkSeoul (17)) have been associated with<br />
North Korean involvement, but these associations have not been examined or validated by us.<br />
It is worth noting that this threat actor is still active: we have seen Destover samples compiled as recently as<br />
January 2016. DarkSeoul should be considered a constant risk factor, particularly for South Korean institutions.<br />
The Destover malware family seems to be the information gathering workhorse of this group, adapted and<br />
changed to fit the purpose du jour but retaining much of the same overall design and methodology. For specific<br />
targets, more customized malware is often deployed.<br />
Command and control connections almost always go to raw IP addresses, and different malware generations<br />
tend to use different sets of addresses. We assume that most of these IPs are compromised computers<br />
which probably run proxies, and as such are easily disposable.<br />
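One practical check that follows from this observation, added here as an example and not taken from the paper or from any Blue Coat product: correlate each client's outbound connections with the DNS answers that client received shortly before, and flag external destinations that were never resolved by name. The log layouts, addresses and the one-hour `DNS_WINDOW` below are constructed for the example; the two parsers would be swapped for your own DNS and connection logs (Zeek's dns.log and conn.log, or proxy access logs).

```python
"""
Hunt for outbound connections to raw IP addresses, i.e. destinations that
the client never looked up in DNS. Added example; log formats are made up.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed DNS answers: "timestamp client qname answer_ip"
DNS_LOG = """\
2016-01-10T09:00:01 10.1.1.5 www.example.com 192.0.2.10
2016-01-10T09:00:07 10.1.1.5 update.example.net 198.51.100.20
"""

# Constructed outbound connections: "timestamp client dst_ip dst_port"
CONN_LOG = """\
2016-01-10T09:00:02 10.1.1.5 192.0.2.10 443
2016-01-10T09:00:08 10.1.1.5 198.51.100.20 80
2016-01-10T09:00:15 10.1.1.5 203.0.113.77 8080
2016-01-10T09:00:16 10.1.1.5 10.1.1.1 53
2016-01-10T09:02:30 10.1.1.5 203.0.113.78 443
2016-01-10T13:00:00 10.1.1.5 192.0.2.10 443
"""

# Assumed: a DNS answer "explains" connections to that IP for one hour.
DNS_WINDOW = timedelta(hours=1)

# Only RFC 1918, loopback and link-local are treated as internal, so the
# documentation ranges used in the sample (192.0.2/24 etc.) count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_dns(text):
    """Map (client, answer_ip) -> list of times that answer was seen."""
    answers = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _qname, ip = line.split()
        answers.setdefault((client, ip), []).append(_ts(ts))
    return answers


def parse_conns(text):
    """Return [(time, client, dst_ip, dst_port)] from the connection log."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst, port = line.split()
        conns.append((_ts(ts), client, dst, int(port)))
    return conns


def is_external(ip):
    """True unless the address falls in one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def raw_ip_connections(dns_text, conn_text, window=DNS_WINDOW):
    """
    Flag external connections whose destination was not returned by a DNS
    answer to the same client within `window` before the connection.
    """
    answers = parse_dns(dns_text)
    flagged = []
    for t, client, dst, port in parse_conns(conn_text):
        if not is_external(dst):
            continue  # internal traffic is expected to use raw IPs
        seen = answers.get((client, dst), [])
        explained = any(t - window <= a <= t for a in seen)
        if not explained:
            flagged.append((t, client, dst, port))
    return flagged


def destination_summary(flagged):
    """Per client, the sorted set of raw-IP destinations (ip:port) seen."""
    out = {}
    for _t, client, dst, port in flagged:
        out.setdefault(client, set()).add(f"{dst}:{port}")
    return {c: sorted(s) for c, s in out.items()}


if __name__ == "__main__":
    hits = raw_ip_connections(DNS_LOG, CONN_LOG)
    for t, client, dst, port in hits:
        print(f"{t.isoformat()} {client} -> {dst}:{port} (no prior DNS answer)")
    print(destination_summary(hits))
```

Two caveats a practitioner would keep in mind: the window must be at least as long as the longest DNS TTL the client honours, otherwise a cached resolution shows up as a raw-IP connection (the last sample line is exactly that false positive), and since the paper describes the C2 addresses as disposable proxies that change between malware generations, the durable signal is the pattern of new unresolved external destinations per host rather than any particular address.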
© 2016 Blue Coat Systems, Inc. All rights reserved.<br />