
SolarWinds malware has “curious” connection with Russian-speaking hackers



Stylized skull and crossbones composed of ones and zeros.

Researchers said on Monday that the malware used to invade Microsoft, security company FireEye, and at least six federal agencies has “interesting similarities” to malware that has been circulating since at least 2015.

Sunburst is the name security researchers gave to the malware. Delivered through a malicious update for Orion, a network management tool sold by Austin, Texas-based SolarWinds, it infected approximately 18,000 organizations. The unknown attacker who implanted Sunburst into Orion used it to install additional malware that penetrated further into selected target networks. With the Department of Justice, Department of Commerce, Department of Treasury, Department of Energy and Department of Homeland Security all infected, the hacking campaign is one of the worst attacks in modern American history. The National Security Agency, the FBI and two other federal agencies said last week that the Russian government “very likely” backed the attack, which began no later than October 2019. Although several news outlets quoted unnamed officials as saying that the intrusion was the work of the Kremlin’s SVR (foreign intelligence service), researchers continue to look for evidence that can clearly prove or refute those claims.

A bit suspicious

On Monday, researchers from Moscow-based security company Kaspersky Lab reported “strange similarities” between the code of Sunburst and Kazuar, a piece of malware that first surfaced in 2017. Kazuar, researchers at the security company Palo Alto Networks said at the time, was used alongside known tools from Turla, one of the most advanced hacking groups in the world, whose members speak fluent Russian.

Kaspersky Lab researchers said in a report published on Monday that they found at least three similarities in the code and functionality of Sunburst and Kazuar. They are:

  • The algorithm used to generate unique victim identifiers
  • The algorithm used to “sleep” the malware, delaying any action after it infects a network, and
  • The FNV-1a hash algorithm, used extensively to obfuscate the code.
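The third item on that list is the one a defender can work with directly. FNV-1a is a public, non-cryptographic hash; malware that stores the FNV-1a digest of a string instead of the string itself hides the string from casual inspection, but an analyst can recover the meaning of such a constant by hashing a list of candidate strings and looking for a match. The block below is an added example written for this page, not code from Kaspersky Lab or from either malware family: it implements standard 32- and 64-bit FNV-1a and a small resolver that maps hashed constants back to candidate strings. The candidate names and the hashed constants are constructed for the demonstration; the offset basis and prime are the standard FNV parameters, and the `offset`/`prime` arguments exist only so a variant with different constants can be tried if a sample turns out to use one.

```python
"""FNV-1a hashing and a dictionary-based resolver for hashed string constants.

Added example (not from the article or from any malware sample). Standard FNV-1a
constants are used; everything else below is constructed for illustration.
"""
from typing import Callable, Dict, Iterable, Optional

# Standard FNV-1a parameters for the 32-bit and 64-bit variants.
FNV32_OFFSET, FNV32_PRIME, FNV32_MASK = 0x811C9DC5, 0x01000193, 0xFFFFFFFF
FNV64_OFFSET, FNV64_PRIME, FNV64_MASK = (
    0xCBF29CE484222325, 0x100000001B3, 0xFFFFFFFFFFFFFFFF,
)


def fnv1a(data: bytes, offset: int, prime: int, mask: int) -> int:
    """Generic FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = offset
    for b in data:
        h ^= b
        h = (h * prime) & mask  # keep the state within the chosen word size
    return h


def fnv1a32(data: bytes) -> int:
    return fnv1a(data, FNV32_OFFSET, FNV32_PRIME, FNV32_MASK)


def fnv1a64(data: bytes) -> int:
    return fnv1a(data, FNV64_OFFSET, FNV64_PRIME, FNV64_MASK)


def build_hash_table(
    candidates: Iterable[str],
    hasher: Callable[[bytes], int] = fnv1a64,
    lowercase: bool = True,
    encoding: str = "utf-8",
) -> Dict[int, str]:
    """Precompute hash -> candidate string for a list of strings an analyst suspects.

    lowercase/encoding are knobs, not facts about any particular sample: code that
    hashes strings often normalises case first, and .NET strings are UTF-16, so an
    analyst may need to try "utf-16-le" as well as "utf-8".
    """
    table: Dict[int, str] = {}
    for name in candidates:
        normalised = name.lower() if lowercase else name
        table[hasher(normalised.encode(encoding))] = normalised
    return table


def resolve_hashes(
    constants: Iterable[int], table: Dict[int, str]
) -> Dict[int, Optional[str]]:
    """Map each hashed constant to a candidate string, or None if no candidate matches."""
    return {value: table.get(value) for value in constants}


if __name__ == "__main__":
    # Constructed candidate list and constructed "constants found in a sample".
    candidates = ["Alpha.exe", "beta.exe", "gamma-service"]
    table = build_hash_table(candidates, fnv1a64)
    found_constants = [fnv1a64(b"alpha.exe"), fnv1a64(b"gamma-service"), 0x1234ABCD]
    for value, name in resolve_hashes(found_constants, table).items():
        print(f"0x{value:016x} -> {name if name else '<unresolved>'}")
```

Two practical points follow from the code. First, resolution is only as good as the candidate list: an unresolved constant means the string is not in the list, not that it is meaningless. Second, a sample may use FNV-1a with non-standard constants or post-process the digest; when no candidate resolves, checking the sample's own hashing routine against the standard test vectors (`fnv1a32(b"a")` is `0xe40c292c`) is the first thing to verify before trusting the table.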

“It should be pointed out [that] these code snippets are not 100% identical,” Kaspersky Lab researchers Gregory Kucherin, Igor Kuznetsov and Costin Raiu wrote. “Nevertheless, they are strange coincidences, to say [the] least. One coincidence is not so unusual, two coincidences will definitely attract attention, and three such coincidences are a bit suspicious to us.”

Monday’s post warned against drawing too many inferences from the similarities. They may mean that Sunburst was written by the same developers behind Kazuar, but they may also be the result of an attempt to mislead researchers about the true origin of the SolarWinds supply chain attack, which the researchers described as a false flag operation.

Other possibilities include a developer who worked on Kazuar later joining the team that created Sunburst; the Sunburst developers reverse-engineering Kazuar and using it as inspiration; or the Kazuar and Sunburst developers obtaining their malware from the same source.

Kaspersky Lab researchers wrote:

Currently, we do not know which of these options is correct. Although Kazuar and Sunburst may be related, the nature of this connection remains unclear. Through further analysis, evidence that confirms one or more of these options may emerge. At the same time, it is possible that the Sunburst developers were really good at their operational security and did not make any mistakes, and that this link is an elaborate false flag. In any case, for defenders, this overlap will not change much. Supply chain attacks are one of the most complex types of attacks today, and have been successfully used by APT groups such as Winnti / Barium / APT41 and various cyber criminal groups in the past.

Federal officials and researchers said it may take several months to understand the full impact of the months-long hacking campaign. Monday’s post called on other researchers to analyze the similarities further in order to understand who is behind the attack.
