Security News > 2021 > September > New Tomiris backdoor likely developed by SolarWinds hackers
Kaspersky security researchers have discovered a new backdoor likely developed by the Nobelium hacking group behind last year's SolarWinds supply chain attack.
The new malware found by Kaspersky, dubbed Tomiris, was first spotted in June even though the first samples were deployed in the wild in February 2021, one month before the "Sophisticated second-stage backdoor" Sunshuttle was found by FireEye and linked to Nobelium.
Their victims were redirected to webmail login pages that helped the attackers to steal their email credentials and, in some cases, prompted them to install a malicious software update that instead downloaded the previously unknown Tomiris backdoor.
They also spotted the Kazuar backdoor who shares features with the Sunburst malware used in the SolarWinds attack on the same network as Tomiris.
Despite this, the researchers did not conclusively link the new backdoor to the Russian-backed Nobelium state hackers because of the possibility of a false flag attack designed to mislead malware researchers.
"A much likelier hypothesis is that Sunshuttle's authors started developing Tomiris around December 2020 when the SolarWinds operation was discovered, as a replacement for their burned toolset."