
Kaspersky Connects SolarWinds Attack Code to Known Russian APT Group
2021-01-11 13:47

Researchers have identified some similarities between the Sunburst malware used in the SolarWinds supply chain attack and Kazuar, a backdoor that appears to have been used by the Russia-linked cyber-espionage group known as Turla.

On Monday, Kaspersky reported finding an interesting link between the Sunburst malware delivered by the SolarWinds attackers and Kazuar, a .NET backdoor that has been around since at least 2015 and was first detailed in 2017 by Palo Alto Networks.

While attribution is rarely an easy task, and no one has definitively linked Kazuar to a known threat actor, some evidence found by Palo Alto Networks at the time of its initial report on Kazuar suggested that it may have been used by Turla, a notorious cyberspy group linked to Russia that has been known to attack many government organizations over the past 14 years.

"Several code fragments from Sunburst and various generations of Kazuar are quite similar," Kaspersky explained.

"We should point out that, although similar, these code blocks, such as the UID calculation subroutine and the FNV-1a hashing algorithm usage, as well as the sleep loop, are still not 100% identical. Together with certain development choices, these suggest that a kind of a similar thought process went into the development of Kazuar and Sunburst. The Kazuar malware continued to evolve and later 2020 variants are even more similar, in some respect, to the Sunburst branch."
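The FNV-1a hash named in the quote above is a standard, public algorithm, and its two magic constants (the offset basis and the prime) are what an analyst typically looks for when checking whether a sample uses it. The following is an added example, not code from Kaspersky, Palo Alto Networks or either malware family: it implements 32- and 64-bit FNV-1a and a small scanner that reports where those constants occur, little-endian, in a byte blob. The sample blob is constructed here for illustration; it is not a real binary fragment.

```python
import struct
from typing import Dict, List

# Standard FNV-1a parameters (public; see the FNV specification).
FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x00000100000001B3


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a64(data: bytes) -> int:
    """64-bit FNV-1a, same structure with 64-bit constants and wrap-around."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def find_fnv_constants(blob: bytes) -> Dict[str, List[int]]:
    """Return byte offsets where any FNV-1a constant appears as a little-endian
    immediate. A hit is a triage hint only: FNV-1a is common in benign software
    (including .NET runtime code), so this is not evidence of a specific family."""
    patterns = {
        "fnv32_offset": struct.pack("<I", FNV32_OFFSET),
        "fnv32_prime": struct.pack("<I", FNV32_PRIME),
        "fnv64_offset": struct.pack("<Q", FNV64_OFFSET),
        "fnv64_prime": struct.pack("<Q", FNV64_PRIME),
    }
    hits: Dict[str, List[int]] = {}
    for name, pat in patterns.items():
        offsets = []
        start = 0
        while (i := blob.find(pat, start)) != -1:
            offsets.append(i)
            start = i + 1
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample blob (hypothetical): filler bytes around two embedded
# 32-bit constants, roughly where a compiler would place immediates.
SAMPLE_BLOB = (
    b"\x90" * 16
    + struct.pack("<I", FNV32_OFFSET)
    + b"\x00" * 8
    + struct.pack("<I", FNV32_PRIME)
    + b"\xcc" * 4
)

if __name__ == "__main__":
    print(f"fnv1a32(b'a') = {fnv1a32(b'a'):#010x}")
    print(f"fnv1a64(b'a') = {fnv1a64(b'a'):#018x}")
    print("constants found:", find_fnv_constants(SAMPLE_BLOB))
```

The scanner is deliberately loose: Kaspersky's point is that the Sunburst and Kazuar implementations are similar but not identical, so a constant match only tells you which hash family to look at, and the real comparison happens on the surrounding code structure (the UID routine and sleep loop they describe), not on the constants alone.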

Sunburst and Kazuar may have been developed by the same group, but it is also possible that the developers of Sunburst borrowed some code or ideas from Kazuar without being directly connected, or that both the SolarWinds attackers and the group using Kazuar obtained the malware from the same source.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/9rA7NBHbIlI/malware-used-solarwinds-attack-linked-backdoor-attributed-turla-cyberspies
