Similarities Found Between Malware Used in SolarWinds Attack and Backdoor Linked to Turla Cyberspies
Researchers have identified some similarities between the Sunburst malware used in the SolarWinds supply chain attack and Kazuar, a backdoor that appears to have been used by the Russia-linked cyber-espionage group known as Turla.
Hackers believed to be operating out of Russia have targeted Texas-based IT management solutions provider SolarWinds as part of a sophisticated operation that allowed the attackers to breach the system of hundreds of high-profile organizations.
The threat group used trojanized updates for SolarWinds’ Orion monitoring product to deliver a piece of malware named Sunburst. This backdoor was sent to as many as 18,000 SolarWinds customers, but a few hundred government and private sector organizations also received secondary payloads that allowed the attackers to gain deeper access into their networks.
There have been many questions regarding who is behind the attack. The U.S. government officially said it was most likely Russia and some unconfirmed reports named the threat group known as APT29 and Cozy Bear.
However, FireEye, one of the targets of the attack and the company that discovered and disclosed the SolarWinds breach, tracks the group as UNC2452 (naming system for uncategorized groups). Threat intelligence and incident response firm Volexity, which observed attacks launched by the group months before the SolarWinds incident came to light, tracks it as Dark Halo. This indicates that they have not found clear links to APT29 or other known groups.
On Monday, Kaspersky reported finding an interesting link between the Sunburst malware delivered by the SolarWinds attackers and Kazuar, a .NET backdoor that has been around since at least 2015 and which was first detailed in 2017 by Palo Alto Networks.
While attribution is often not an easy task and while no one has definitively linked Kazuar to a known threat actor, some evidence found by Palo Alto Networks at the time of its initial report on Kazuar suggested that it may have been used by Turla, a notorious cyberspy group linked to Russia and which has been known to attack many government organizations over the past 14 years.
According to Kaspersky, Kazuar has indeed been spotted in multiple breaches over the past years alongside other Turla tools. The Turla hackers may have used Kazuar as a second-stage backdoor.
Kaspersky on Monday published a technical blog post describing the similarities between Kazuar and Sunburst, noting that malware developers have continued improving the former, with new samples being seen as recently as late December 2020.
“Several code fragments from Sunburst and various generations of Kazuar are quite similar,” Kaspersky explained. “We should point out that, although similar, these code blocks, such as the UID calculation subroutine and the FNV-1a hashing algorithm usage, as well the sleep loop, are still not 100% identical. Together with certain development choices, these suggest that a kind of a similar thought process went into the development of Kazuar and Sunburst. The Kazuar malware continued to evolve and later 2020 variants are even more similar, in some respect, to the Sunburst branch.”
Kaspersky says there are several possible scenarios. Sunburst and Kazuar may have been developed by the same group, but it’s also possible that the developers of Sunburst only used some code or ideas from Kazuar without necessarily being directly connected, or both the SolarWinds attackers and the group using Kazuar may have obtained malware from the same source. It’s also possible that a Kazuar developer moved to the Sunburst team, or that the similarities between Sunburst and Kazuar are simply a false flag whose goal is to throw investigators off track.
As for reports that APT29 may be behind the SolarWinds hack, Kaspersky said there could be a connection between APT29 and Turla.
“Our research has placed APT29 as another potential name for ‘The Dukes’, which appears to be an umbrella group comprising multiple actors and malware families. We initially reported MiniDuke, the earliest malware in this umbrella, in 2013. In 2014, we reported other malware used by ‘The Dukes’, named CosmicDuke. In CosmicDuke, the debug path strings from the malware seemed to indicate several build environments or groups of ‘users’ of the ‘Bot Gen Studio’: ‘NITRO’ and ‘Nemesis Gemina’. In short, we suspect CosmicDuke was being leveraged by up to three different entities, raising the possibility it was shared across groups. One of the interesting observations from our 2014 research was the usage of a webshell by one of the ‘Bot Gen Studio’ / ‘CosmicDuke’ entities that we have seen before in use by Turla. This could suggest that Turla is possibly just one of the several users of the tools under the ‘Dukes’ umbrella.”