SolarWinds Hack Potentially Linked to Turla APT
New details on the Sunburst backdoor used in the sprawling SolarWinds supply-chain attack potentially link it to previously known activity by the Turla advanced persistent threat group.
"After the Sunburst malware was first deployed in February 2020, Kazuar continued to evolve and later 2020 variants are even more similar, in some respects, to Sunburst," the firm noted in an analysis published on Monday.
"While these similarities between Kazuar and Sunburst are notable, there could be a lot of reasons for their existence, including Sunburst being developed by the same group as Kazuar [Turla], Sunburst's developers using Kazuar as inspiration, a Kazuar developer moving to the Sunburst team, or both groups behind Sunburst and Kazuar having obtained their malware from the same source," according to the report.
"By default, Kazuar chooses a random sleeping time between two and four weeks, while Sunburst waits from 12 to 14 days," according to the analysis, which also noted that such long sleep periods in C2 connections are not very common for typical APT malware.
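The sleep intervals quoted above matter to defenders because most beaconing analytics look for callbacks that repeat every few seconds or minutes, not every two weeks. The following is an added example (not code from Kaspersky, Threatpost, or either malware family) that scans a constructed connection log for host-to-destination pairs whose every inter-connection gap falls inside one of the long-sleep windows the article cites; the log lines, hostnames and domains are made up for the demonstration, and the 12-hour slack parameter is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <source host> <destination>".
# ws-017 calls out roughly every 13 days, ws-042 is ordinary daily mail traffic,
# ws-088 calls out roughly every three weeks.
SAMPLE_LOG = """\
2020-03-01T02:14:07 ws-017 updates.example-cdn.test
2020-03-14T03:02:55 ws-017 updates.example-cdn.test
2020-03-27T01:48:12 ws-017 updates.example-cdn.test
2020-03-01T09:00:00 ws-042 mail.example.test
2020-03-01T09:05:00 ws-042 mail.example.test
2020-03-02T09:00:00 ws-042 mail.example.test
2020-03-01T12:00:00 ws-088 telemetry.example-vendor.test
2020-03-20T12:30:00 ws-088 telemetry.example-vendor.test
2020-04-10T11:45:00 ws-088 telemetry.example-vendor.test
"""

# Default sleep windows as quoted in the article: Sunburst 12 to 14 days,
# Kazuar two to four weeks. The labels are ours, not malware signatures.
SLEEP_WINDOWS = {
    "sunburst-like": (timedelta(days=12), timedelta(days=14)),
    "kazuar-like": (timedelta(days=14), timedelta(days=28)),
}


def parse_log(text):
    """Group sorted connection timestamps by (host, destination) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst = line.split()
        series[(host, dst)].append(datetime.fromisoformat(ts))
    for key in series:
        series[key].sort()
    return series


def gaps(timestamps):
    """Time between each consecutive pair of connections."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def classify_gaps(gap_list, slack=timedelta(hours=12)):
    """Names of the sleep windows that contain every gap in the series.

    The slack (assumed value) absorbs jitter and clock drift around the window edges.
    """
    matches = []
    for name, (low, high) in SLEEP_WINDOWS.items():
        if gap_list and all(low - slack <= g <= high + slack for g in gap_list):
            matches.append(name)
    return matches


def find_long_sleep_beacons(text, min_connections=3):
    """Flag (host, destination) pairs whose callbacks are spaced like a long-sleep implant.

    Requires at least min_connections observations so a single coincidental gap
    is not reported on its own.
    """
    findings = {}
    for (host, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        labels = classify_gaps(gaps(stamps))
        if labels:
            findings[(host, dst)] = labels
    return findings


if __name__ == "__main__":
    for (host, dst), labels in find_long_sleep_beacons(SAMPLE_LOG).items():
        print(f"{host} -> {dst}: gaps consistent with {', '.join(labels)}")
```

Two practical consequences follow from the window sizes: three observations of a 12-to-14-day beacon need more than a month of retained proxy or DNS logs, so retention shorter than that makes this pattern invisible, and a destination that has only ever been contacted a handful of times should be judged on its rarity rather than on volume-based thresholds.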
Kaspersky researchers cautioned that while the evidence of collaboration is compelling, the seeming links between Turla and Sunburst should be taken with a grain of salt.
"A sample of Kazuar was released before Sunburst was written, containing the modified 64-bit hash function, and went unnoticed by everyone except the Sunburst developers," researchers noted.
News URL: https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/