Researchers reveal link between SolarWinds hack and Russian Turla group as details of a third malware strain emerge
Turla is associated with the Russian intelligence service FSB and has successfully carried out many espionage-focused hacking campaigns
Security researchers at cyber security firm Kaspersky say they have found clues suggesting a link between the SolarWinds attack and hacking tools used by the Russian Turla group in the past.
According to researchers, the source code for SunBurst, the malware used by SolarWinds hackers, overlaps with the Kazuar backdoor which has been used by well-known Russian hacker group Turla in the past to target various embassies and foreign ministers in Europe and across the world for sensitive data.
After the SolarWinds hack was uncovered last month, some media outlets reported that Russian group Cozy Bear (APT29) was responsible for attack. Cozy Bear is often linked to the Russian foreign intelligence service SVR.
Turla, on the other hand, is usually associated with the FSB, another Russian intelligence service. It is also known by the names Snake and Venomous Bear and has a long history of espionage-focused hacking.
Earlier this month, the US intelligence agencies said that the SolarWinds hack was "likely Russian in origin" and appeared to be an intelligence gathering effort, rather than an act of cyber warfare.
Kaspersky's researchers say they have found three distinct similarities between the SunBurst backdoor programme and Turla's Kazuar malware.
Costin Raiu, the head of Kaspersky's Global Research and Analysis team, described similarities in the way both types of malware attempt to conceal their capabilities and functions from security researchers, how their operators identify potential targets, and decisions by their operators decide as to when the malware becomes dormant to avoid detection.
"One such finding could be dismissed," Raiu said. "Two things definitely make me raise an eyebrow. Three is more than a coincidence."
Kaspersky's researchers are not claiming that Turla is behind the SolarWinds attack, but said their findings suggest that one group likely "inspired" the other, or that the malware was bought from the same developer, or even that SolarWind hackers tried to mislead security experts by planting "false flags". It is also possible that "some of the Kazuar developers moved to another team, taking knowledge and tools with them," according to the researchers.
The cyber intrusion, which sent shockwaves across the US and around the world last month, was disclosed after several media outlets claimed that the multiple government agencies in the US were compromised in a massive cyber campaign.
Cyber security firm FireEye later revealed that the attackers compromised SolarWinds' network monitoring software Orion by "Inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim's environment".
On Monday, cyber security firm CrowdStrike, which is assisting SolarWinds in investigating the hack, revealed details of a third malware strain that was deployed into SolarWinds' build environment to inject the backdoor into the firm's Orion network monitoring platform.
Called 'Sunspot', this implant adds to a growing list of previously revealed malicious programmes such as SunBurst (backdoor) and Teardrop (post-exploitation tool) which were used by hackers to breach SolarWinds' network and to target more than 18,000 customers of the firm.
"Sunspot monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the Sunburst backdoor code," Crowdstrike researchers said in their technical analysis.
According to the CrowdStrike researchers, Sunspot developers added many safeguards into the malware to prevent the Orion builds from failing, potentially warning developers to the adversary's presence.
Moreover, they "maintained the persistence of Sunspot by creating a scheduled task set to execute when the host boots".