Researchers said on Monday that the malware used to breach Microsoft, security company FireEye, and at least six federal agencies has “interesting similarities” to malware that has been circulating since at least 2015.
Sunburst is the name security researchers have given to the malware. Delivered through a malicious update to SolarWinds’ Orion software, it infected approximately 1
A bit suspicious
On Monday, researchers from Moscow-based security company Kaspersky Lab reported “strange similarities” in the code of Sunburst and Kazuar, a piece of malware that first came to light in 2017. Kazuar, researchers at the security company Palo Alto Networks said at the time, was used alongside known tools from Turla, one of the most advanced hacking groups in the world, whose members speak fluent Russian.
Kaspersky Lab researchers said in a report published on Monday that they found at least three similarities in the code and functionality of Sunburst and Kazuar. They are:
- The algorithm used to generate unique victim identifiers,
- The sleeping algorithm, which delays the malware’s actions after it has infected a network, and
- Extensive use of the FNV-1a hash algorithm to obfuscate code.
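The third item is worth seeing concretely. FNV-1a is a tiny, fast, non-cryptographic hash, and malware uses it to compare hashes of strings (process names, API names, domains) instead of carrying the strings themselves, so nothing useful shows up in a strings dump. Because it is unkeyed, an analyst recovers the originals with a dictionary lookup. The following is an added illustration written for this article, not code from Sunburst, Kazuar or the Kaspersky report; the candidate process names and the “blocklist” constants are constructed for the demo.

```python
"""
FNV-1a hashing as a string-obfuscation primitive, and the dictionary
lookup an analyst uses to undo it. Added illustration only: this is not
code from Sunburst, Kazuar or the Kaspersky report, and the candidate
names and the sample blocklist below are constructed.
"""

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a_32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h = ((h ^ b) * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """Standard 64-bit FNV-1a, same structure with 64-bit constants."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


# Why malware authors like it: the binary carries only integer constants,
# so the names it checks for never appear in the file, and a plain
# `strings` run or a string-based YARA rule finds nothing. Matching a
# running process against a blocklist becomes a comparison of hashes.
def is_blocked(process_name: str, blocked_hashes: set) -> bool:
    """Hypothetical check in the style of hash-based blocklists (lower-cased input)."""
    return fnv1a_64(process_name.lower().encode()) in blocked_hashes


# How an analyst undoes it: FNV-1a is neither keyed nor salted, so a
# dictionary of plausible inputs resolves the constants directly. This
# candidate list is a constructed sample of security-tool process names.
CANDIDATES = ["msmpeng.exe", "procmon.exe", "wireshark.exe", "x64dbg.exe", "csrss.exe"]


def resolve_hashes(hashes, candidates=CANDIDATES, width=64):
    """Map each hash constant back to the candidate string that produced it,
    or None when no candidate matches (extend the dictionary and retry)."""
    fn = fnv1a_64 if width == 64 else fnv1a_32
    table = {fn(c.encode()): c for c in candidates}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed blocklist as it would sit in a sample: hash constants only.
    blocklist = {fnv1a_64(b"procmon.exe"), fnv1a_64(b"wireshark.exe")}
    print(is_blocked("Wireshark.exe", blocklist))
    print(resolve_hashes(blocklist))
```

The practical point for attribution work is the one Kaspersky makes: FNV-1a is public and common, so its presence alone proves nothing; what caught the researchers’ eye is the same hash turning up in the same roles across both families.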
“It should be pointed out that none of these code fragments are 100% identical,” Kaspersky Lab researchers Georgy Kucherin, Igor Kuznetsov and Costin Raiu wrote. “Nevertheless, they are coincidences to say the least. One coincidence wouldn’t be that unusual, two coincidences would definitely raise an eyebrow, while three such coincidences are kind of suspicious to us.”
Monday’s post warned against drawing too many inferences from the similarities. They may mean that Sunburst was written by the same developers who wrote Kazuar, but they may also be the result of an attempt to mislead researchers about the true origin of the SolarWinds supply chain attack, what the researchers called a false flag operation.
Other possibilities include a developer who worked on Kazuar and later moved to the team that created Sunburst; Sunburst developers having reverse-engineered Kazuar and used it as inspiration; or the Kazuar and Sunburst developers having obtained their malware from the same source.
Kaspersky Lab researchers wrote:
At the moment, we do not know which of these options is true. While Kazuar and Sunburst may be related, the nature of this relation is still not clear. Through further analysis, it is possible that evidence confirming one or several of these points might arise. At the same time, it is also possible that the Sunburst developers were really good at their opsec and didn’t make any mistakes, with this link being an elaborate false flag. In any case, this overlap doesn’t change much for defenders. Supply chain attacks are some of the most sophisticated types of attacks nowadays and have been successfully used in the past by APT groups such as Winnti / Barium / APT41 and by various cybercriminal groups.
Federal officials and researchers have said it may take months to understand the full impact of the months-long hacking campaign. Monday’s post called on other researchers to analyze the similarities further to pin down who is behind the attack.