On Monday, researchers from Moscow-based security company Kaspersky Lab reported “curious similarities” in the code of Sunburst and Kazuar, a piece of malware that first came to light in 2017. Kazuar, researchers from security firm Palo Alto Networks said then, was used alongside known tools from Turla, one of the world’s most advanced hacking groups, whose members speak fluent Russian. In a report published on Monday, Kaspersky Lab researchers said they found at least three similarities in the code and functions of Sunburst and Kazuar. They are: the algorithm used to generate the unique victim identifiers; the algorithm used to make the malware “sleep,” or delay taking action, after infecting a network; and extensive use of the FNV-1a hashing algorithm to obfuscate code.
Monday’s post cautions against drawing too many inferences from the similarities. They could mean that Sunburst was written by the same developers behind Kazuar, but they might also be the result of an attempt to mislead investigators about the true origins of the SolarWinds supply chain attack, something researchers call a false flag operation. Other possibilities include a developer who worked on Kazuar and later went to work for the group creating Sunburst, the Sunburst developers reverse engineering Kazuar and using it as inspiration, or developers of Kazuar and Sunburst obtaining their malware from the same source.
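FNV-1a, the hash the report names as a technique both families use to obscure strings, as an added illustration that is not code from Kaspersky's report or from either malware family: a standard implementation plus the precomputed lookup table an analyst builds to recover hashed names from a sample. The hash width, the absence of a custom offset basis, and the candidate names are assumptions of this example; the page does not say which variant the malware uses.

```python
# Added example: standard FNV-1a (32- and 64-bit) and the lookup-table
# technique used to resolve hashed strings during malware analysis.
# Constants are the published FNV parameters; the width and offset the
# real samples use are NOT stated on the page and are assumed here.
from typing import Dict, Iterable, Optional

FNV_PARAMS = {
    32: (0x811C9DC5, 0x01000193, 0xFFFFFFFF),
    64: (0xCBF29CE484222325, 0x100000001B3, 0xFFFFFFFFFFFFFFFF),
}


def fnv1a(data: bytes, bits: int = 32, offset: Optional[int] = None) -> int:
    """FNV-1a: XOR each byte into the state, then multiply by the FNV prime."""
    default_offset, prime, mask = FNV_PARAMS[bits]
    h = default_offset if offset is None else offset
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def build_hash_table(candidates: Iterable[str], bits: int = 32,
                     encodings=("ascii", "utf-16le")) -> Dict[int, str]:
    """Map fnv1a(name) -> name for each candidate string and encoding.

    Code that compares hashes instead of cleartext strings forces the
    analyst to hash likely names (API, process or host names) up front
    and match the constants found in the sample against that table.
    """
    table: Dict[int, str] = {}
    for name in candidates:
        for enc in encodings:
            table.setdefault(fnv1a(name.encode(enc), bits), name)
    return table


def resolve(constants: Iterable[int], table: Dict[int, str]) -> Dict[int, str]:
    """Return {constant: name} for every constant present in the table."""
    return {c: table[c] for c in constants if c in table}


if __name__ == "__main__":
    # Constructed candidate list and constants; the values below are
    # computed from these names, not taken from any real sample.
    table = build_hash_table(["procmon.exe", "wireshark.exe", "notepad.exe"])
    found = [fnv1a(b"procmon.exe"),
             fnv1a("wireshark.exe".encode("utf-16le")), 0xDEADBEEF]
    for c, name in resolve(found, table).items():
        print(f"0x{c:08x} -> {name}")
```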
Read more of this story at Slashdot.