More Evidence Points to Russian Hackers for the SolarWinds Attack

The evidence is mounting that the Russian government initiated the attack on the SolarWinds supply chain and other agencies.

What is the Link?

On Monday, Kaspersky Labs released a report that the “Sunburst” malware deployed in the SolarWinds attack bears a striking resemblance to another Russian-developed malware, “Kazuar.” Threat researchers employed at Kaspersky examined Sunburst and Kazuar and found duplicates of the same code references in both samples.

After various government agencies were attacked in the second wave of the SolarWinds incident, threat analysts pointed the finger at the Russian government who denied any involvement. However, the attack was sophisticated, well planned, and will probably go down as the most damaging in history. The data breach affected 18,000 SolarWinds Orion customers.

Various informed individuals have publicly said they suspect that the attack was carried out by a Russian APT (advanced persistent threat) known as APT29 or Cozy Bear.

What is the Evidence?

Data Breach Today reported that “Kaspersky researchers say they found three overlaps between Sunburst and Kazuar. That includes the “sleeping” algorithm that calculates the time between when the backdoors are planted within a network and when they connect to the attackers’ command-and-control server.”

The initial find was from FireEye security firm who discovered that the Sunburst malware was included as part of the Orion firmware update. After installation, the malware went dormant for two weeks to evade detection, and then it would contact the hackers’ command-and-control server.

Kaspersky warns that although similar code was used in both instances, it could be a “false flag” ruse. In their report, they commented that “On the other hand, it’s also possible the operators of Sunburst and Kazuar drew from the same source code, or that one or more developers who worked on Kazuar moved to the group that developed Sunburst, taking some malicious tools and knowledge with them.”

Kaspersky researchers urge others to compare code samples and look for further evidence and a direct link to the exact culprit.

What is Kazuar

The Kazuar backdoor was initially discovered by Palo Alto Networks, Unit 42, in 2017. It is written in .NET, and since its origins, it has been found numerous times linked to the Russian hacker group Turla who has a reputation for targeting government or military organizations.

Other cybersecurity researchers at Accenture discovered in October that Turla had modified Kazuar, adding additional features and functionality, allowing hackers to receive commands through uniform resource identifiers (URI). This latest discovery was made after an attack on a European government agency where the group exfiltrated data along with an espionage attack.

After another upgrade in November, Kazuar was enhanced further, making it even harder for tech researchers to analyze. Kaspersky’s notice mentioned that many of the same malware versions had been used by both APT29 and Turla. There is a lot of overlap, making it difficult to pin down exactly who is at the heart of the SolarWinds attack.

Technical Details

For those interested in how the two backdoors overlap, one is the algorithm used to wait between installation and connection to the command-and-control server. Both pieces of malware use the same two timestamps using a mathematical formula to calculate the time between the minimal sleeping time and maximum sleeping time.

However, one difference to note is that Kazuar waits between two to four weeks before waking back up, and Sunburst only waits for 12 to 14 days before activating.

Two additional noted similarities are that both pieces of code use the same hashing (FNV-1a) and an algorithm that assigns a unique identifier for each target.

The final word on the matter is that there are too many similarities between the code to ignore it. Investigators are probing further to uncover the absolute truth.