Kaspersky Connects SolarWinds Attack Code to Known Russian APT Group

Similarities Found Between Malware Used in SolarWinds Attack and Backdoor Linked to Turla Cyberspies

Researchers have identified some similarities between the Sunburst malware used in the SolarWinds supply chain attack and Kazuar, a backdoor that appears to have been used by the Russia-linked cyber-espionage group known as Turla.

Hackers believed to be operating out of Russia targeted Texas-based IT management solutions provider SolarWinds as part of a sophisticated operation that allowed the attackers to breach the systems of hundreds of high-profile organizations.

The threat group used trojanized updates for SolarWinds’ Orion monitoring product to deliver a piece of malware named Sunburst. This backdoor was sent to as many as 18,000 SolarWinds customers, but a few hundred government and private sector organizations also received secondary payloads that allowed the attackers to gain deeper access into their networks.

There have been many questions regarding who is behind the attack. The U.S. government officially said it was most likely Russia, and some unconfirmed reports named the threat group known as APT29, also tracked as Cozy Bear.

However, FireEye, one of the targets of the attack and the company that discovered and disclosed the SolarWinds breach, tracks the group as UNC2452 (its naming scheme for uncategorized groups). Threat intelligence and incident response firm Volexity, which observed attacks launched by the group months before the SolarWinds incident came to light, tracks it as Dark Halo. These separate, uncategorized names indicate that neither firm has found clear links to APT29 or other known groups.

On Monday, Kaspersky reported finding an interesting link between the Sunburst malware delivered by the SolarWinds attackers and Kazuar, a .NET backdoor that has been around since at least 2015 and which was first detailed in 2017 by Palo Alto Networks.

Attribution is often not an easy task, and no one has definitively linked Kazuar to a known threat actor. However, some evidence found by Palo Alto Networks at the time of its initial report on Kazuar suggested that it may have been used by Turla, a notorious cyberspy group linked to Russia that has been known to attack many government organizations over the past 14 years.

According to Kaspersky, Kazuar has indeed been spotted in multiple breaches in recent years alongside other Turla tools. The Turla hackers may have used Kazuar as a second-stage backdoor.

Kaspersky on Monday published a technical blog post describing the similarities between Kazuar and Sunburst, noting that malware developers have continued improving the former, with new samples being seen as recently as late December 2020.

“Several code fragments from Sunburst and various generations of Kazuar are quite similar,” Kaspersky explained. “We should point out that, although similar, these code blocks, such as the UID calculation subroutine and the FNV-1a hashing algorithm usage, as well as the sleep loop, are still not 100% identical. Together with certain development choices, these suggest that a kind of a similar thought process went into the development of Kazuar and Sunburst. The Kazuar malware continued to evolve and later 2020 variants are even more similar, in some respect, to the Sunburst branch.”

Kaspersky says there are several possible scenarios. Sunburst and Kazuar may have been developed by the same group, but it’s also possible that the developers of Sunburst only used some code or ideas from Kazuar without necessarily being directly connected, or both the SolarWinds attackers and the group using Kazuar may have obtained malware from the same source. It’s also possible that a Kazuar developer moved to the Sunburst team, or that the similarities between Sunburst and Kazuar are simply a false flag whose goal is to throw investigators off track.

As for reports that APT29 may be behind the SolarWinds hack, Kaspersky said there could be a connection between APT29 and Turla.

“Our research has placed APT29 as another potential name for ‘The Dukes’, which appears to be an umbrella group comprising multiple actors and malware families. We initially reported MiniDuke, the earliest malware in this umbrella, in 2013. In 2014, we reported other malware used by ‘The Dukes’, named CosmicDuke. In CosmicDuke, the debug path strings from the malware seemed to indicate several build environments or groups of ‘users’ of the ‘Bot Gen Studio’: ‘NITRO’ and ‘Nemesis Gemina’. In short, we suspect CosmicDuke was being leveraged by up to three different entities, raising the possibility it was shared across groups. One of the interesting observations from our 2014 research was the usage of a webshell by one of the ‘Bot Gen Studio’ / ‘CosmicDuke’ entities that we have seen before in use by Turla. This could suggest that Turla is possibly just one of the several users of the tools under the ‘Dukes’ umbrella.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
