Security researchers at Kaspersky have found that the Sunburst backdoor, the malware deployed in the supply-chain attack on SolarWinds, shares features with Kazuar, a .NET backdoor linked to the Russian hacking group Turla.
Turla, also known as VENOMOUS BEAR and Waterbug, has carried out espionage campaigns and data theft since 1996 and, for many experts, is the main suspect in attacks on the Pentagon, NASA, US Central Command and the Finnish Ministry of Foreign Affairs.
Kazuar is one of the tools used in previous attacks by the Russian group Turla. According to Kaspersky researchers, it has a lot in common with the software used by the team behind the SolarWinds attack (tracked under the names UNC2452 and DarkHalo).
Kazuar backdoor samples show significant similarities to Sunburst.
The shared features include the algorithm used to generate unique victim IDs (UIDs), the extensive use of the FNV-1a hash in both pieces of malware, and the sleep algorithm used by the Kazuar and Sunburst backdoors.
Kaspersky also points out that, despite the similarities, the algorithms implementing these overlapping capabilities are still not 100% identical. They therefore believe there is some connection between the two malware families, but "the nature of this relationship is not yet entirely clear".
The code snippets that reveal the overlap show that "a kind of similar thought process was used to develop the Kazuar and Sunburst backdoor".
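The article names FNV-1a as a feature shared by both backdoors but gives no further detail. As an added example (not code from Kaspersky's report or from either malware), here is the standard FNV-1a hash and the lookup an analyst performs to resolve hashed values recovered from a sample back to the plaintext strings they were computed from. The constants are the public FNV-1a parameters; the exact variants used by Kazuar and Sunburst are not given on the page and are not reproduced.

```python
# Added example: standard FNV-1a (32- and 64-bit) plus a hash-resolution
# helper. Malware that compares hashes instead of strings hides what it looks
# for; hashing a wordlist of likely strings and intersecting it with the
# recovered values reveals them. Sample values below are constructed.

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """64-bit FNV-1a: same structure with the 64-bit offset basis and prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def resolve_hashes(unknown: set[int], candidates: list[bytes],
                   bits: int = 64) -> dict[int, bytes]:
    """Map hash values found in a sample to the candidate plaintexts that
    produce them; values with no match in the wordlist are left out."""
    hasher = fnv1a_64 if bits == 64 else fnv1a_32
    table = {hasher(c): c for c in candidates}
    return {h: table[h] for h in unknown if h in table}


if __name__ == "__main__":
    # Constructed sample: pretend these two values were pulled from a binary.
    recovered = {fnv1a_64(b"foobar"), 0xDEADBEEFDEADBEEF}
    print(resolve_hashes(recovered, [b"foo", b"bar", b"foobar"]))
```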
Kaspersky has given some possible explanations for the above similarities:
- Sunburst was developed by the same team that created the Kazuar backdoor
- Sunburst developers have adopted some ideas or code snippets from Kazuar without having a direct link (inspired by Kazuar)
- Both teams, DarkHalo / UNC2452 and the team using Kazuar (Turla), got their malware from the same source
- Some of the Kazuar developers became members of another hacking team, using ideas and tools from the past and creating similar malware
- The developers of Sunburst deliberately imitated other known malware so that the attack would be attributed to a different hacking group.
Kaspersky researchers have pointed out that the latter explanation is very likely. Sunburst's developers may have deliberately included these common features to mislead analysts and shift attribution for the SolarWinds attack elsewhere.
"While Kazuar and Sunburst are connected, the nature of this relationship is still unclear", said Kaspersky. "Through further analysis, evidence is likely to emerge to confirm one or more of the above explanations."
"To clarify: we are NOT saying that DarkHalo / UNC2452, the team that uses Sunburst, and Turla are necessarily the same team".
However, it seems that the developers of Sunburst and Kazuar were probably aware of the changes made to each other's software, which points to a connection between the two.
The Sunburst backdoor came to light in December, when the SolarWinds attack became known. Kazuar, on the other hand, has been heavily modified since it was first found in attacks in 2017. Kazuar samples, however, are rarely uploaded to malware analysis platforms such as VirusTotal, which makes it very difficult to keep up with the changes taking place.
"This link does not indicate who was behind the attack on SolarWinds; however, it does provide more information that may help researchers in this investigation," said Costin Raiu, director of Kaspersky's Global Research and Analysis Team (GReAT).
Source: Bleeping Computer