Kaspersky Lab reckons the SolarWinds hackers may have hailed from the Turla malware group, itself linked to Russia’s FSB security service.
Referring to the hidden backdoor secretly implanted in SolarWinds’ Orion product, Kaspersky’s Georgy Kucherin wrote in a blog post on Monday: “While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar.”
Kaspersky, itself a Russian company, linked that Kazuar remote-access hole (a .NET nasty) with previous research by Palo Alto Networks which attributed it to the Russian state-sponsored Turla crew, who were last spotted targeting the Armenian government and Austria’s Foreign Office.
“While Kazuar and Sunburst may be related, the nature of this relation is still not clear,” summarised Kaspersky. “Through further analysis, it is possible that evidence confirming one or several of these points might arise. At the same time, it is also possible that the Sunburst developers were really good at their opsec and didn’t make any mistakes, with this link being an elaborate false flag.”
Ah, right on time: Hacker-slammed SolarWinds sued by angry shareholders
Palo Alto’s Unit 42 research division published its findings on Turla last summer, stating: “We suspect the Kazuar tool may be linked to the Turla threat actor group (also known as Uroburos and Snake), who have been reported to have compromised embassies, defense contractors, educational institutions, and research organizations across the globe.”
Taking these two snippets together, they suggest an even stronger link between the Russian state and the hackers who successfully compromised SolarWinds. The firm has taken the problem seriously, hiring a consultancy run by US infosec veterans Chris Krebs (former chief of the Cybersecurity and Infrastructure Agency) and Alex Stamos, whose CV includes stints at Yahoo! and Facebook.
“This has been a multiyear effort by one of the very best, the most sophisticated intelligence operations in the world,” Krebs told the Financial Times.
The SolarWinds compromise came to public attention in December 2020 after infosec behemoth FireEye, a SolarWinds customer, admitted its systems were unlawfully accessed in “a state-sponsored attack.” ®
Meanwhile… CrowdStrike has detailed how it reckons Orion was infected with a hidden backdoor: a source file was automatically swapped at the right moment when the software was being built on a build server compromised by highly customized malware.