SolarWinds Malware Has ‘Curious’ Ties To Russian-Speaking Hackers

An anonymous reader quotes a report from Ars Technica: The malware used to hack Microsoft, security company FireEye, and at least a half-dozen federal agencies has “interesting similarities” to malicious software that has been circulating since at least 2015, researchers said on Monday. Sunburst is the name security researchers have given to malware that infected about 18,000 organizations when they installed a malicious update for Orion, a network management tool sold by Austin, Texas-based SolarWinds. The unknown attackers who planted Sunburst in Orion used it to install additional malware that burrowed further into select networks of interest. With infections that hit the Departments of Justice, Commerce, Treasury, Energy, and Homeland Security, the hack campaign is among the worst in modern US history. The National Security Agency, the FBI, and two other federal agencies last week said that the Russian government was “likely” behind the attack, which began no later than October 2019. While several news sources, citing unnamed officials, have reported the intrusions were the work of the Kremlin’s SVR, or Foreign Intelligence Service, researchers continue to look for evidence that definitively proves or disproves the statements.

On Monday, researchers from Moscow-based security company Kaspersky Lab reported “curious similarities” in the code of Sunburst and Kazuar, a piece of malware that first came to light in 2017. Kazuar, researchers from security firm Palo Alto Networks said then, was used alongside known tools from Turla, one of the world’s most advanced hacking groups, whose members speak fluent Russian. In a report published on Monday, Kaspersky Labs researchers said they found at least three similarities in the code and functions of Sunburst and Kazuar. They are: The algorithm used to generate the unique victim identifiers; The algorithm used to make the malware “sleep,” or delay taking action, after infecting a network; and Extensive use of the FNV-1a hashing algorithm to obfuscate code.

Monday’s post cautions against drawing too many inferences from the similarities. They could mean that Sunburst was written by the same developers behind Kazuar, but they might also be the result of an attempt to mislead investigators about the true origins of the SolarWinds supply chain attack, something researchers call a false flag operation. Other possibilities include a developer who worked on Kazuar and later went to work for the group creating Sunburst, the Sunburst developers reverse engineering Kazuar and using it as inspiration, or developers of Kazuar and Sunburst obtaining their malware from the same source.

Read more of this story at Slashdot.