SolarWinds malware has “curious” ties to Russian-speaking hackers


The malware used to hack Microsoft, the security company FireEye and at least half a dozen federal agencies has “interesting similarities” to malicious software that has been in circulation since at least 2015, researchers said on Monday.

Sunburst is the name that security researchers gave to malware that infected some 18,000 organizations when they installed a malicious update for Orion, a network management tool sold by SolarWinds, based in Austin, Texas. The unknown attackers who planted Sunburst in Orion used it to install additional malware on a smaller set of selected networks of interest. With infections that hit the Departments of Justice, Commerce, Treasury, Energy and Homeland Security, the hacking campaign is among the worst in modern United States history. The National Security Agency, the FBI and two other federal agencies said last week that the Russian government was “probably” behind the attack, which started no later than October 2019. While several news sources, citing unidentified officials, reported that the intrusions were the work of the Kremlin’s SVR, or Foreign Intelligence Service, researchers continue to search for evidence that will definitively prove or disprove those claims.

Kind of suspicious

On Monday, researchers at Moscow-based security company Kaspersky Lab reported “curious similarities” in the code of Sunburst and Kazuar, a piece of malware that first appeared in 2017. Researchers at security company Palo Alto Networks have said that Kazuar was used alongside tools known to belong to Turla, one of the most advanced hacking groups in the world, whose members speak fluent Russian.

In a report published on Monday, Kaspersky Lab researchers said they found at least three similarities in the code and functions of Sunburst and Kazuar. They are:

  • The algorithm used to generate the victim’s unique identifiers
  • The algorithm used to make the malware “hibernate” or delay action after infecting a network and
  • Extensive use of the FNV-1a hashing algorithm to obfuscate code.
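To make the third point concrete, here is an added example (not code from Kaspersky, SolarWinds or either malware family) of the analyst-side counterpart to FNV-1a string obfuscation: compute FNV-1a over a wordlist of candidate strings and map hash constants found in a sample back to plaintext. The candidate words and the constants in the demo are constructed for illustration, not values taken from Sunburst or Kazuar.

```python
"""FNV-1a hash resolver: an analyst helper for code that hides strings behind
FNV-1a hash constants. Added example; all sample data below is constructed."""

# Standard FNV-1a parameters (Fowler/Noll/Vo), 32- and 64-bit variants.
FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a32(data: bytes) -> int:
    """FNV-1a, 32-bit: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h = ((h ^ b) * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a64(data: bytes) -> int:
    """FNV-1a, 64-bit: same structure, 64-bit offset basis and prime."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def build_table(candidates, post=lambda h: h):
    """Precompute hash -> plaintext for a candidate wordlist. `post` is a hook
    (hypothetical, for this example) to apply any per-sample tweak a variant
    might layer on top of textbook FNV-1a, e.g. XOR with a fixed constant."""
    return {post(fnv1a64(c.encode())): c for c in candidates}


def resolve(constants, table):
    """Map hash constants pulled from a sample back to plaintext where known;
    unknown hashes resolve to None so the analyst can see what is still open."""
    return {h: table.get(h) for h in constants}


# Constructed demo wordlist and "constants": three hashes we can resolve
# plus one deliberately unknown value.
CANDIDATES = ["alpha", "bravo", "charlie", "delta"]
UNKNOWN = 0xDEADBEEFDEADBEEF
SAMPLE_CONSTANTS = [fnv1a64(b"bravo"), fnv1a64(b"delta"), UNKNOWN]

if __name__ == "__main__":
    for h, name in resolve(SAMPLE_CONSTANTS, build_table(CANDIDATES)).items():
        print(f"0x{h:016x} -> {name or '<unresolved>'}")
```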

“It should be pointed out that none of these code fragments are 100% identical,” wrote Kaspersky Lab researchers Gregory Kucherin, Igor Kuznetsov and Costin Raiu. “However, these are curious coincidences, to say the least. One coincidence would not be so unusual, two coincidences would definitely raise an eyebrow, while three of those coincidences are a little suspect for us.”

Monday’s post warns against drawing too many inferences from the similarities. They may mean that Sunburst was written by the same developers behind Kazuar, but they could also be the result of an attempt to mislead investigators about the true origins of the SolarWinds supply chain attack, something researchers call a false flag operation.

Other possibilities include a developer who worked on Kazuar and later went to work for the group that created Sunburst, Sunburst developers reverse engineering Kazuar and using it as inspiration, or Kazuar and Sunburst developers obtaining their malware from the same source.

Kaspersky Lab researchers wrote:

At the moment, we don’t know which of these options is true. Although Kazuar and Sunburst may be related, the nature of that relationship is not yet clear. Through further analysis, it is possible that evidence will emerge that confirms one or more of these points. At the same time, it is also possible that Sunburst developers were really good at opsec and made no mistake, this link being an elaborate false flag. In any case, this overlap does not change much for defenders. Supply chain attacks are some of the most sophisticated types of attacks today and have been used successfully in the past by APT groups such as Winnti / Barium / APT41 and several cybercriminal groups.

Federal officials and researchers said it could take months to understand the full impact of the months-long hacking campaign. Monday’s post called on other researchers to analyze the similarities for additional clues as to who is behind the attacks.
