Researchers at Kaspersky have identified similarities between the backdoor used in the SolarWinds supply chain attack and another backdoor – Kazuar – which is believed to have been used by the Russian Advanced Persistent Threat (APT) group Turla. Turla has been linked to several attacks on foreign governments over the past 14 years.
The APT group behind the SolarWinds attack compromised the company’s Orion monitoring solution and used the software update mechanism to deliver the Sunburst backdoor to approximately 18,000 SolarWinds customers. Around 300 of the victims were subjected to more in-depth compromises and suffered breaches of their cloud and email environments. The victims include several government agencies such as the Department of Justice, Defense Department, Commerce Department, and the Centers for Disease Control and Prevention. Enterprise victims include the cybersecurity firm FireEye, Belkin International, Deloitte, Cisco, and Cox Communications.
Last week, the U.S. government issued a statement saying the attack was most likely led by the Russian government and was conducted for espionage purposes, but it is unclear which APT group is behind the attack. Some cybersecurity firms suggest the attack was the work of APT29/Cozy Bear, although evidence appears to be thin.
Kaspersky researchers identified code similarities between Sunburst and the .NET backdoor called Kazuar, which was first identified by Palo Alto Networks in 2017 and is believed to have been used in attacks since 2015. The Kazuar backdoor has been used in many attacks over the past 5 years and has been updated and improved several times. The last known attack involving the backdoor was in December 2020.
While the researchers identified similarities in the UID calculation subroutine, FNV-1a hashing algorithm usage, and the sleep loop, the code blocks were not identical, so it is not possible to say with a high degree of certainty whether Kazuar gave rise to Sunburst or was used by the same group. “Together with certain development choices, these [similarities] suggest that a kind of a similar thought process went into the development of Kazuar and Sunburst. The Kazuar malware continued to evolve and later 2020 variants are even more similar, in some respect, to the Sunburst branch,” explained the researchers.
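The FNV-1a hashing the researchers compared is a public, non-cryptographic hash with fixed parameters, which is why its presence in a binary is a recognisable trait rather than a coincidence of one or two bytes. The Python below is an added illustration, not code from Kaspersky's report or from either backdoor: it implements the standard 32- and 64-bit FNV-1a variants and scans a byte buffer for the algorithm's little-endian constants, the kind of check an analyst can run over a sample during triage to confirm that FNV-1a is in use. The sample buffer, the `triage` helper and all other names are constructed for the example.

```python
import struct
from typing import Dict, List, Tuple

# Standard FNV-1a parameters, taken from the public FNV specification.
FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """64-bit FNV-1a, same XOR-then-multiply structure with 64-bit parameters."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


# Little-endian encodings of the FNV constants, as they would appear as
# immediates or data in an x86/x64 or .NET binary.
FNV_SIGNATURES: Dict[str, bytes] = {
    "fnv32_offset_basis": struct.pack("<I", FNV32_OFFSET),
    "fnv32_prime": struct.pack("<I", FNV32_PRIME),
    "fnv64_offset_basis": struct.pack("<Q", FNV64_OFFSET),
    "fnv64_prime": struct.pack("<Q", FNV64_PRIME),
}


def find_fnv_constants(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, constant name) for every FNV constant found in blob."""
    hits = []
    for name, sig in FNV_SIGNATURES.items():
        start = 0
        while True:
            idx = blob.find(sig, start)
            if idx == -1:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


# Constructed sample "binary": filler bytes with the 64-bit offset basis and
# prime embedded, standing in for a code section an analyst is looking at.
SAMPLE_BLOB = (
    b"\x90" * 16
    + FNV_SIGNATURES["fnv64_offset_basis"]
    + b"\xcc" * 8
    + FNV_SIGNATURES["fnv64_prime"]
    + b"\x00" * 4
)


def triage(blob: bytes) -> dict:
    """Hypothetical triage helper: report which FNV-1a variant's constants are present.

    Both the offset basis and the prime of a variant must appear for it to count;
    a lone 4-byte match is too weak on its own.
    """
    hits = find_fnv_constants(blob)
    found = {name for _, name in hits}
    return {
        "hits": hits,
        "fnv64_present": {"fnv64_offset_basis", "fnv64_prime"} <= found,
        "fnv32_present": {"fnv32_offset_basis", "fnv32_prime"} <= found,
    }


if __name__ == "__main__":
    print("fnv1a_32('a') =", hex(fnv1a_32(b"a")))
    print("fnv1a_64('a') =", hex(fnv1a_64(b"a")))
    print(triage(SAMPLE_BLOB))
```

The two-constant rule in `triage` matters in practice: the 32-bit prime is a small value that can occur by chance in unrelated data, so requiring both the offset basis and the prime of the same width keeps the check from flagging every binary that happens to contain one of them.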
Kaspersky suggested the two backdoors may have been developed by the same group, that the developers of each backdoor may have obtained malware from the same source and performed their own tweaks, or that both backdoors were developed using similar code ideas but are in no way connected. Another possibility is the code similarities were intentional to lead security researchers down the wrong track.
Kaspersky has suggested Russian threat groups have shared malware in the past, potentially even APT29 and Turla. Research conducted in 2014 indicates a webshell was used by Turla and a threat group known as The Dukes, with the Dukes potentially being another name for APT29. Kaspersky’s research indicates The Dukes may be an umbrella term covering multiple Russian threat groups.