After Sony Pictures Entertainment was hacked shortly before Thanksgiving of 2014, the attackers – who dubbed themselves the "Guardians of Peace" – went quiet.
Or so it seemed.
But now researchers say they've linked the attackers – whom the U.S. government has said were directed by North Korea – to a chameleon-like group active since at least 2009 and still on the digital warpath, attacking systems in South Korea and elsewhere in Asia.
A new report from cybersecurity firm Novetta dubs the attackers the "Lazarus Group" – a reference to a biblical figure that comes back from the dead – because it seems to rise up with new identities for different campaigns.
Novetta, along with researchers from other companies including AlienVault and Kaspersky Lab, says it has pieced together evidence that suggests the Lazarus Group was behind the Sony attack along with a string of other attacks, including a 2013 campaign against South Korean television stations and financial institutions – which the South Korean government blamed on North Korea – and attempts to lure victims via spearphishing with documents purporting to be media coverage of the South Korean parliamentary election last year.
The Lazarus Group appears to have created monikers for previously unknown hacking groups including "NewRomanic Cyber Army Team," the "WhoIs Team," and "IsOne" to claim credit for hacks in the past, according to the report. But they were just as ephemeral as "Guardians of Peace."
"Once the attack subsides, that group disappears and is never heard from again – but we know it's the same group using these same tools," said Andre Ludwig, a senior technical director at Novetta.
The researchers connected the different incidents by analyzing malware from attacks, finding clues that linked more than forty families of malware to the group, according to the report.
One chief detail linking them was the reuse of code across the different types of malware, the researchers said. "There's very hard evidence to suggest that a lot of the development is all originating from the same authors and codebases," said Ludwig. "These aren't pieces of malware that are being shared on underground forums – these are very well guarded codebases that haven't leaked out or been thrown around publicly."
In some instances, particular misspellings appeared again and again, according to Juan Guerrero, a senior security researcher at Kaspersky Lab. And there was even a complex password the group appeared to use across attacks, said AlienVault chief scientist Jaime Blasco.
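The linking method the researchers describe – reused code, recurring misspellings and a hard-coded credential that turns up across unrelated-looking samples – is at heart an overlap measurement between artifact sets. The following is an added example, not code from the article, Novetta or the other firms: it clusters a handful of constructed samples by Jaccard similarity over their distinctive artifacts, after discarding strings too common to carry any attribution signal. Every sample name, string and "password" here is invented for illustration.

```python
"""Cluster malware samples by reused artifacts (strings, typos, credentials).

Added example, not from the article or Operation Blockbuster tooling.
All sample names and artifact strings are constructed; none are real indicators.
"""
from itertools import combinations

# Constructed "samples": name -> artifacts an analyst extracted from each
# (printable strings, distinctive misspellings, an embedded credential).
SAMPLES = {
    "dropper_a": {"conection failed", "recieve data", "Pa55w0rd-c0nstructed", "cmd.exe /c"},
    "rat_b": {"conection failed", "recieve data", "Pa55w0rd-c0nstructed", "GetProcAddress"},
    "wiper_c": {"conection failed", "Pa55w0rd-c0nstructed", "\\\\.\\PhysicalDrive0"},
    "unrelated_d": {"Connection failed", "GetProcAddress", "cmd.exe /c"},
    "unrelated_e": {"http://example.invalid/update", "GetProcAddress"},
}

# Artifacts seen in too much benign and malicious code to mean anything
# (constructed denylist; a real one would be built from a large corpus).
COMMON = {"GetProcAddress", "cmd.exe /c"}


def distinctive(artifacts):
    """Keep only artifacts rare enough to suggest a shared author or codebase."""
    return {a for a in artifacts if a not in COMMON}


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets share nothing, not everything."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def similarity_matrix(samples):
    """Pairwise Jaccard similarity over distinctive artifacts, keyed by sorted name pair."""
    return {
        (x, y): jaccard(distinctive(samples[x]), distinctive(samples[y]))
        for x, y in combinations(sorted(samples), 2)
    }


def cluster(samples, threshold=0.3):
    """Union-find: link two samples when their overlap reaches the threshold.

    Returns clusters as sorted name lists, largest cluster first.
    """
    parent = {s: s for s in samples}

    def find(s):
        while parent[s] != s:
            parent[s] = parent[parent[s]]  # path halving
            s = parent[s]
        return s

    for (x, y), score in similarity_matrix(samples).items():
        if score >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for s in samples:
        groups.setdefault(find(s), set()).add(s)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def shared_artifacts(samples, group):
    """Artifacts present in every member of a cluster: the fingerprint that links them."""
    sets = [distinctive(samples[s]) for s in group]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    for group in cluster(SAMPLES):
        print(group, "share:", sorted(shared_artifacts(SAMPLES, group)))
```

The denylist is the part that matters in practice: without it, every Windows binary importing the same API names would look related. A single recurring misspelling or credential is a weak link on its own; the confidence the researchers describe comes from many such artifacts co-occurring across dozens of families.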
Although the Sony attack was destructive, many of the attacks researchers are connecting to the Lazarus Group have been more classic surveillance campaigns – sneaking into networks to steal information and monitor activities.
"They’re just not wiping data left and right," said Guerrero. "Sabotage campaigns are very loud, but they aren't necessarily very effective from a counterespionage perspective."
The researchers say they've found evidence of campaigns by the group attacking targets across the government, military, financial, media and entertainment, and critical infrastructure sectors in the United States and several different countries in Asia, but they seem to pay special attention to South Korea.
"They're definitely investing resources into their South Korean hacking," said Guerrero. The group even developed an attack leveraging a previously unknown bug in a popular Korean word processing software suite, according to the researchers.
The researchers stopped short of tying the group to the North Korean government – which the U.S. government blamed for the Sony hack. However, Novetta chief executive officer Peter LaMontagne hinted at that attribution.
"We believe the U.S. government assertion that [the Sony attack] was the work of a nation-state is far more likely than this being the work of a hacktivist group or a vindictive former employee," he said.
And some of the evidence the companies presented seems compatible with that theory. For instance, the group's apparent working hours seem to roughly line up with North Korea's timezone, according to a blog post released by Kaspersky Wednesday. And they only appear to rest for six to seven hours per night.
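The working-hours observation rests on a simple calculation: find the daily window with no activity, assume it is the operators' night, and ask which UTC offset places that window at local night-time. The block below is an added example and not Kaspersky's analysis; its timestamps are constructed so that the quiet window lands on UTC+9, and the assumed midpoint of a night's rest (03:00 local) is an assumption of this example, not a fact from the article.

```python
"""Infer a likely operator time zone from activity timestamps.

Added example, not from the article or Kaspersky's blog post. The events
are constructed for illustration and are not real telemetry.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed activity: events every hour of the day except a six-hour gap
# (15:00-20:59 UTC), repeated over three days. Think of sample compile times
# or command-and-control check-ins.
_ACTIVE_HOURS_UTC = [21, 22, 23] + list(range(0, 15))
CONSTRUCTED_EVENTS_UTC = [
    datetime(2016, 2, 1, tzinfo=timezone.utc) + timedelta(days=d, hours=h, minutes=17)
    for d in range(3)
    for h in _ACTIVE_HOURS_UTC
]


def hour_histogram(events):
    """Count events per UTC hour of day."""
    return Counter(e.astimezone(timezone.utc).hour for e in events)


def longest_quiet_run(hist):
    """Longest circular run of hours with zero events: (start_hour_utc, length)."""
    best_start, best_len = 0, 0
    for start in range(24):
        length = 0
        while length < 24 and hist.get((start + length) % 24, 0) == 0:
            length += 1
        if length > best_len:
            best_start, best_len = start, length
    return best_start, best_len


def _circular_distance(a, b):
    d = abs(a - b) % 24
    return min(d, 24 - d)


def best_offset(quiet_start, quiet_len, candidates=range(-12, 15), sleep_mid_local=3.0):
    """UTC offset (hours) that places the quiet window's midpoint closest to
    the assumed middle of a night's rest (03:00 local; an assumption)."""
    mid_utc = (quiet_start + quiet_len / 2) % 24
    return min(candidates, key=lambda off: (_circular_distance((mid_utc + off) % 24, sleep_mid_local), abs(off)))


def summarize(events):
    """Full pipeline: histogram -> quiet window -> best-fitting offset."""
    start, length = longest_quiet_run(hour_histogram(events))
    return {"quiet_start_utc": start, "quiet_hours": length, "best_offset": best_offset(start, length)}


if __name__ == "__main__":
    print(summarize(CONSTRUCTED_EVENTS_UTC))
```

Treat the result as one weak signal among many. Compile timestamps are under the author's control and can be set to anything, check-in times reflect the victim's uptime as much as the operator's, and a six-hour window is consistent with several adjacent offsets; this is why the article presents the pattern as "compatible with" the attribution rather than proving it.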
However, chasing the attacks back to their sources has been difficult because the group has taken steps to hide their path. "They like to hack innocent servers and then use them as command and control structures," using the compromised systems to help shield the hackers' true location, said Guerrero.
Security researchers are often cautious about making definitive attribution claims because of those kinds of hurdles. "It's very hard to prove things beyond a reasonable doubt," explained Tom Cross, the chief technology officer of cybersecurity firm Drawbridge Networks. And when governments point fingers, those claims may be based on classified information that outside observers aren't in a position to judge, he said.
But regardless of the Lazarus Group's origins, the researchers say it is a formidable digital opponent. "We have a very clear group or organization that is extremely well-organized, well-motivated, and has a continued trajectory and interest in a specific type and area or region of attack," said Ludwig.
To combat the group, Novetta is leading a coalition of cybersecurity firms in an effort called "Operation Blockbuster" to help spread information about how to fend off its known attacks and to continue tracking its activities.
And there seems to be a reason to stay vigilant: Kaspersky observed activity they believe to be from the group just last week, according to Guerrero.
"They're still going," he said.