SolarWinds Hack Potentially Linked to Turla APT

2021-01-11 17:53

New details on the Sunburst backdoor used in the sprawling SolarWinds supply-chain attack potentially link it to previously known activity by the Turla advanced persistent threat group.

"After the Sunburst malware was first deployed in February 2020, Kazuar continued to evolve and later 2020 variants are even more similar, in some respects, to Sunburst," the firm noted in an analysis published on Monday.

"While these similarities between Kazuar and Sunburst are notable, there could be a lot of reasons for their existence, including Sunburst being developed by the same group as Kazuar [Turla], Sunburst's developers using Kazuar as inspiration, a Kazuar developer moving to the Sunburst team, or both groups behind Sunburst and Kazuar having obtained their malware from the same source," according to the report.

"By default, Kazuar chooses a random sleeping time between two and four weeks, while Sunburst waits from 12 to 14 days," according to the analysis, which also noted that such long sleep periods in C2 connections are not very common for typical APT malware.

Kaspersky researchers cautioned that while the evidence of collaboration is compelling, the seeming links between Turla and Sunburst should be taken with a grain of salt.

"A sample of Kazuar was released before Sunburst was written, containing the modified 64-bit hash function, and went unnoticed by everyone except the Sunburst developers," researchers noted.

News URL

https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/

#APT #hack #solarwinds #turla

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Solarwinds		56	33	104	75	36	248