SolarWinds malware has “curious” links with Russian-speaking hackers

A stylized skull and crossbones made of ones and zeros.

The malware used to hack Microsoft, security company FireEye, and at least half a dozen federal agencies has “interesting similarities” with malicious software that has been circulating since at least 2015, researchers said Monday.

Sunburst is the name given by researchers to malware that infected approximately 18,000 organizations when they installed a malicious update for Orion, a network management tool sold by SolarWinds of Austin, Texas. The unknown attackers who planted Sunburst in Orion used it to install additional malware that dug further into selected networks of interest. With infections hitting the Departments of Justice, Commerce, Treasury, Energy, and Homeland Security, the hacking campaign is one of the worst in modern American history. The National Security Agency, the FBI, and two other federal agencies said last week that the Russian government was “likely” behind the attack, which began no later than October 2019. While several news outlets, citing unnamed officials, reported that the intrusions were the work of the Kremlin’s SVR, or Foreign Intelligence Service, investigators continue to search for evidence that definitively proves or refutes those reports.

Kind of suspicious

On Monday, researchers from Moscow-based security company Kaspersky Lab reported “curious overlaps” between the code of Sunburst and Kazuar, a piece of malware that first came to light in 2017. Kazuar, researchers from security firm Palo Alto Networks said at the time, was used alongside known tools from Turla, one of the world’s most advanced hacking groups, whose members speak fluent Russian.

In a report published Monday, researchers from Kaspersky Lab said they found at least three similarities in the code and features of Sunburst and Kazuar. They are:

  • The algorithm used to generate the unique victim identifiers
  • The algorithm used to make the malware “sleep,” or delay its activity after a network has been infected, and
  • Extensive use of the FNV-1a hashing algorithm to obfuscate code.
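The third overlap deserves a closer look, because it is the one a defender can actually work with. Malware that “obfuscates with FNV-1a” does not ship the strings it cares about (API names, process names, domains); it ships their hashes and compares the hash of whatever it sees at runtime against that table, so the strings never appear in the binary. The example below is added here and is not Kaspersky’s, SolarWinds’, or the malware’s code: it implements standard FNV-1a (32- and 64-bit), models the attacker’s build step that turns names into a hash table, and then does what an analyst does to undo it, which is to hash a candidate wordlist and look the values up. The optional `xor_key` stands in for the kind of per-family tweak to the hash that families use to defeat generic rainbow tables; the key value, the API-name list, and the wordlist are all constructed for this example.

```python
"""FNV-1a string hashing as used for code obfuscation, and its reversal.

Added example; not code from the article, Kaspersky Lab, SolarWinds, or any
malware sample. Standard FNV-1a constants; everything else is constructed.
"""

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a(data: bytes, bits: int = 32) -> int:
    """Plain FNV-1a: XOR each input byte into the state, then multiply by the prime.

    (FNV-1, the older variant, multiplies first and XORs second; the order matters
    when matching hashes against a sample.)
    """
    if bits == 32:
        h, prime, mask = FNV32_OFFSET, FNV32_PRIME, 0xFFFFFFFF
    elif bits == 64:
        h, prime, mask = FNV64_OFFSET, FNV64_PRIME, 0xFFFFFFFFFFFFFFFF
    else:
        raise ValueError("bits must be 32 or 64")
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def fnv1a_32(s: str) -> int:
    return fnv1a(s.encode(), 32)


def fnv1a_64(s: str) -> int:
    return fnv1a(s.encode(), 64)


def build_hashed_table(names, bits: int = 64, xor_key: int = 0):
    """Attacker's build step: replace plaintext names with their (tweaked) hashes.

    xor_key is a hypothetical per-family tweak; real samples vary the constants,
    add a post-XOR, or both, which is why a resolver must be parameterised.
    """
    return [fnv1a(n.encode(), bits) ^ xor_key for n in names]


def resolve_hashes(hashes, candidates, bits: int = 64, xor_key: int = 0):
    """Analyst's step: hash every candidate the same way and look the values up.

    Returns {hash: resolved_name_or_None}; None means the wordlist lacks the name
    (or the sample uses a variant of the hash that this call did not model).
    """
    table = {fnv1a(c.encode(), bits) ^ xor_key: c for c in candidates}
    return {h: table.get(h) for h in hashes}


# Constructed wordlist an analyst might feed the resolver (export names from
# common DLLs, process names, etc.). Deliberately small for the example.
CANDIDATE_WORDLIST = [
    "VirtualAlloc", "VirtualProtect", "CreateRemoteThread", "WriteProcessMemory",
    "LoadLibraryW", "GetProcAddress", "explorer.exe", "svchost.exe",
]

if __name__ == "__main__":
    # Constructed "import table" of a hypothetical sample, hashed with a tweak.
    key = 0x1234
    hidden = build_hashed_table(["VirtualAlloc", "CreateRemoteThread"], 64, key)
    print("hashed table:", [hex(h) for h in hidden])
    # Without the tweak the lookup fails; with it the names come back.
    print("no tweak:    ", resolve_hashes(hidden, CANDIDATE_WORDLIST, 64, 0))
    print("with tweak:  ", resolve_hashes(hidden, CANDIDATE_WORDLIST, 64, key))
```

The same resolver is what ties the "sleep" and victim-ID comparisons together in practice: once the hash routine and its tweak are identified in one sample, the recovered names tell you which APIs the code reaches for, and a matching tweak across two families is exactly the kind of overlap the report describes. Standard test vectors for checking an implementation before trusting it against a sample are `fnv1a_32("a") == 0xE40C292C` and `fnv1a_64("a") == 0xAF63DC4C8601EC8C`.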

“It needs to be pointed out that none of these code fragments are 100% identical,” wrote Kaspersky Lab researchers Gregory Kucherin, Igor Kuznetsov and Costin Raiu. “Nevertheless, these are curious coincidences, to say the least. One coincidence would not be so unusual, two coincidences would certainly raise an eyebrow, while three such coincidences are for us kind of suspicious.”

Monday’s post warns against drawing too many inferences from the overlaps. They could mean that Sunburst was written by the same developers behind Kazuar, but they could also be the result of an attempt to mislead investigators about the true origins of the SolarWinds supply chain attack, something researchers call a false flag operation.

Other possibilities include a developer who worked on Kazuar and later joined the group that created Sunburst, the Sunburst developers reverse-engineering Kazuar and using it as inspiration, or the Kazuar and Sunburst developers obtaining their malware from the same source.

The researchers from Kaspersky Lab wrote:

At the moment we do not know which one of these options is true. Although Kazuar and Sunburst are related, the nature of this relationship is still unclear. Through further analysis, it is possible that evidence may arise that confirms one or more of these points. At the same time, it is also possible that the Sunburst developers were really good with their opsec and made no mistakes, with this link being an elaborate false flag. In any case, this overlap does not change much for defenders. Supply chain attacks are among the most sophisticated attacks these days and have been used successfully in the past by APT groups such as Winnti / Barium / APT41 and various cybercriminals.

Federal officials and researchers said it could take months to understand the full impact of the months-long hacking campaign. Monday’s post called on other researchers to analyze the overlaps further for additional clues as to who was behind the attacks.
