The malware used to hack Microsoft, security firm FireEye and at least half a dozen federal agencies has “interesting similarities” to malicious software that has been circulating since at least 2015, researchers said Monday.
Sunburst is the name security researchers gave to malware that infected approximately 18,000 organizations when they installed a malicious update to Orion, a network management tool sold by SolarWinds of Austin, Texas. The unknown attackers who put Sunburst in Orion used it to install additional malware that burrowed further into certain networks of interest. With infections hitting the Departments of Justice, Commerce, Finance, Energy and Homeland Security, the hacking campaign is among the worst in modern US history. The National Security Agency, the FBI and two other federal agencies said last week that the Russian government was “probably” behind the attack, which began no later than October 2019. While the work is believed to be that of the Kremlin’s SVR, or Foreign Intelligence Service, investigators continue to search for evidence that definitively proves or disproves those statements.
A bit suspicious
On Monday, researchers at Moscow-based security firm Kaspersky Lab reported “strange similarities” in the code of Sunburst and Kazuar, a piece of malware first revealed in 2017. Kazuar, researchers at security firm Palo Alto Networks said at the time, had been used alongside well-known tools from Turla, one of the world’s most advanced hacking groups, whose members are fluent in Russian.
In a report published Monday, the Kaspersky Lab researchers say they have found at least three similarities in the code and functions of Sunburst and Kazuar. They are:
- The algorithm used to generate the unique victim IDs
- The algorithm used to make the malware ‘sleep’ or delay taking action after infecting a network, and
- Extensive use of the FNV-1a hashing algorithm to obfuscate code.
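The third item, FNV-1a hashing used to hide strings, is a technique analysts routinely reverse: hash a wordlist of likely strings and look the sample’s constants up in the result. The block below is an added illustration of that analyst-side workflow, not code from Kaspersky or from either malware family; the wordlist, the sample constants and the optional XOR key are constructed assumptions.

```python
"""FNV-1a hashing plus a hash-to-string lookup table (added example)."""
from typing import Dict, Iterable, Optional

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a(data: bytes, bits: int = 32) -> int:
    """Plain FNV-1a: XOR each byte into the state, then multiply by the prime."""
    if bits == 32:
        h, prime, mask = FNV32_OFFSET, FNV32_PRIME, 0xFFFFFFFF
    elif bits == 64:
        h, prime, mask = FNV64_OFFSET, FNV64_PRIME, 0xFFFFFFFFFFFFFFFF
    else:
        raise ValueError("bits must be 32 or 64")
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def build_hash_table(names: Iterable[str], bits: int = 32,
                     xor_key: int = 0) -> Dict[int, str]:
    """Map hash -> plaintext for a wordlist.

    xor_key models a variant seen in the wild where the final hash is XORed
    with a constant; 0 means plain FNV-1a. (Assumption: which variant a given
    sample uses must be confirmed in the disassembly.)
    """
    return {fnv1a(n.encode(), bits) ^ xor_key: n for n in names}


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Return hash -> recovered string, or None when the wordlist has no match."""
    return {h: table.get(h) for h in hashes}


def demo() -> Dict[int, Optional[str]]:
    # Constructed wordlist: process names an analyst might expect a sample to check.
    wordlist = ["procmon.exe", "wireshark.exe", "x64dbg.exe", "explorer.exe"]
    table = build_hash_table(wordlist, bits=64)
    # Constructed "constants pulled from a sample": two real hashes plus one that
    # is not in the wordlist, so the miss case is visible.
    constants = [fnv1a(b"wireshark.exe", 64), fnv1a(b"x64dbg.exe", 64), 0xDEADBEEF]
    return resolve(constants, table)


if __name__ == "__main__":
    for h, name in demo().items():
        print(f"{h:016x} -> {name}")
```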
“It must be pointed out that none of these code fragments are 100% identical,” Kaspersky Lab researchers Gregory Kucherin, Igor Kuznetsov and Costin Raiu wrote. “Nevertheless, they are curious coincidences, to say the least. One coincidence would not be so unusual, two coincidences would definitely raise eyebrows, while three such coincidences are rather suspicious to us.”
Monday’s post warns against drawing too many conclusions from the overlaps. They could mean Sunburst was written by the same developers behind Kazuar, but they could also be the result of an attempt to mislead researchers about the true origin of the attack on the SolarWinds supply chain, something researchers call a false flag operation.
Other possibilities include a developer who worked on Kazuar and later went on to work for the group that created Sunburst; the Sunburst developers reverse-engineering Kazuar and using it as a source of inspiration; or the Kazuar and Sunburst developers obtaining their malware from the same source.
The Kaspersky Lab researchers wrote:
At this point, we don’t know which of these options is true. While Kazuar and Sunburst may be related, the nature of this relationship is still unclear. Further analysis may lead to evidence that confirms one or more of these points. At the same time, it’s also possible that the Sunburst developers were very good at their opsec and made no mistakes, with this link being an extended false flag. At least this overlap doesn’t change much for the defenders. Supply chain attacks are some of the most sophisticated types of attacks today and have been successfully used by APT groups such as Winnti/Barium/APT41 and various cybercriminal groups in the past.
Federal officials and researchers have said it could take months to understand the full impact of the months-long hacking campaign. Monday’s post called on other investigators to further analyze the similarities for additional clues as to who is behind the attacks.