
Researchers see links between SolarWinds Sunburst malware and Russian Turla APT group


Researchers at Kaspersky said they found code similarities between the Sunburst malware deployed on SolarWinds Orion servers and known versions of Kazuar backdoors linked to the Russian APT group Turla.

In a blog post Monday, the researchers said the new findings offer insights that can ultimately help security teams in response efforts to the SolarWinds hack that was first reported in mid-December.

“The identified connection does not give away who was behind the SolarWinds attack, but it does provide more insights that can help researchers move forward in this investigation,” said Costin Raiu, director of Kaspersky’s global research and analysis team. “We believe it’s important that other researchers around the world investigate these similarities and discover more facts about Kazuar and the origin of Sunburst.”

The Kaspersky team said Kazuar functions as a .NET backdoor and was first reported in 2017 by Palo Alto’s Unit 42. In the initial report, Palo Alto tentatively linked Kazuar to Turla, although no solid attribution link has been made public. Kaspersky said its recent observations confirm that Kazuar was used together with other Turla tools during multiple breaches in past years.

Mark Carrigan, chief operating officer at PAS Global, said that while it has been almost a month since the SolarWinds hack was disclosed, details are still being released as cybersecurity incident responders and forensics teams learn more about the hack. Carrigan said that while the Cybersecurity and Infrastructure Security Agency's efforts to date indicate that fewer than 10 U.S. government agencies were compromised, many of those, such as the U.S. Energy Department, maintain sensitive data. The number of private companies and other nongovernment entities that may have been impacted has not been disclosed to date.

“Given that as many as 18,000 SolarWinds installations may be affected, along with Microsoft Office 365 tokens, and potentially a DevOps service that could be used to create supply chain attacks with other software providers, the stakes remain very high,” Carrigan said. “What’s more, CISA has said the attack is very likely attributable to a sophisticated APT actor from Russia, which this independent research from Kaspersky also supports. Thus, it’s expected that it will take both a sustained and dedicated effort to remediate compromised systems and networks, and will not be a ‘quick fix’ for those affected.”

Ivan Righi, cyber threat intelligence analyst at Digital Shadows, said that while the similarities between Sunburst and Kazuar further strengthen the links between the SolarWinds cyberattack and Russia, nobody can yet confirm attribution.

“It is realistically possible that the developers of Sunburst simply borrowed code from Kazuar or obtained the malware from a similar source,” Righi said. “In addition, it is not uncommon for threat actors to adopt malware from other threat groups, making attribution a difficult task.”

Oliver Tavakoli, chief technology officer at Vectra, added that these types of findings reinforce the fact that attackers don’t reinvent their attack methodologies and tools from scratch. So while researchers may want to invest time and energy towards attributing the latest high-profile attack to a particular adversary, Tavakoli said it’s often more productive to see how similar the underlying techniques employed in the attack were to prior attacks.

“Modern detection and response solutions available today for networks and endpoints target these underlying techniques rather than looking for an exact signature match,” Tavakoli said. “True to form, legacy detection technology supplied signatures in the weeks after the attack had been detected.”
