The malware used to hack Microsoft, security firm FireEye, and at least a half-dozen federal agencies has “interesting similarities” to malicious software that has been circulating since at least 2015, researchers said on Monday.
Sunburst is the name security researchers have given to malware that infected about 18,000 organizations when they installed a malicious update for Orion, a network management tool sold by Austin, Texas-based SolarWinds. The unknown attackers who planted Sunburst in Orion used it to install additional malware that burrowed further into select networks of interest. With infections that hit the Departments of Justice, Commerce, Treasury, Energy, and Homeland Security, the hack campaign is among the worst in modern US history.
The National Security Agency, the FBI, and two other federal agencies last week said that the Russian government was “likely” behind the attack, which began no later than October 2019. While multiple news sources, citing unnamed officials, have reported the intrusions were the work of the Kremlin’s SVR, or Foreign Intelligence Service, researchers continue to look for evidence that definitively proves or disproves the statements.
Kind of suspicious
On Monday, researchers from Moscow-based security company Kaspersky Lab reported “curious similarities” in the code of Sunburst and Kazuar, a piece of malware that first came to light in 2017. Kazuar, researchers from security firm Palo Alto Networks said then, was used alongside known tools from Turla, one of the world’s most advanced hacking groups, whose members speak fluent Russian.
In a report published on Monday, Kaspersky Lab researchers said they found at least three similarities in the code and functions of Sunburst and Kazuar. They are:
- The algorithm used to generate the unique victim identifiers
- The algorithm used to make the malware “sleep,” or delay taking action, after infecting a network, and
- Extensive use of the FNV-1a hashing algorithm to obfuscate code.
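The third item is the one a defender can work with directly. Hash-based string obfuscation means a sample stores only the FNV-1a hash of a name it cares about (a process, service or tool) and compares runtime hashes against that constant, so the plain string never appears in the binary. An analyst who recovers such constants can resolve them by hashing a wordlist with the same algorithm. The block below is an added example written for this article; it is not code from the article, from Kaspersky, or from either malware family. It implements the standard 32- and 64-bit FNV-1a (the article does not say which width or which variant Sunburst uses, so no Sunburst-specific tweak is assumed), and the candidate wordlist and the “recovered” constants are constructed for the demo.

```python
"""FNV-1a string hashing plus a defender-side resolver for hashed constants.

Added example, not from the article or from Kaspersky's report. The
candidate names and the "recovered" constants below are constructed.
"""

# Standard FNV-1a parameters (public constants from the FNV specification).
FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """64-bit FNV-1a, same structure with the 64-bit offset and prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def build_lookup(candidates, hash_fn=fnv1a_64, encodings=("utf-8", "utf-16-le")):
    """Map hash -> (name, encoding) for each candidate under each encoding.

    Windows code frequently hashes wide (UTF-16-LE) strings and often
    lower-cases them first, so both encodings and both casings are tried.
    """
    table = {}
    for name in candidates:
        for enc in encodings:
            for variant in (name, name.lower()):
                table[hash_fn(variant.encode(enc))] = (variant, enc)
    return table


def resolve(constants, table):
    """Return {constant: (name, encoding) or None} for each recovered constant."""
    return {c: table.get(c) for c in constants}


# Constructed wordlist: names a defender might expect a sample to check for.
CANDIDATES = ["procmon.exe", "wireshark.exe", "svchost.exe", "MsMpEng.exe"]

if __name__ == "__main__":
    table = build_lookup(CANDIDATES)
    # Constructed: pretend these two constants were pulled out of a sample.
    recovered = [fnv1a_64("wireshark.exe".encode("utf-16-le")), 0xDEADBEEF]
    for const, hit in resolve(recovered, table).items():
        print(f"{const:#018x} -> {hit}")
```

In practice the wordlist would be drawn from process, DLL and service names seen on the analyst's own estate; a miss (the `None` result) is as informative as a hit, since it says the constant is either not a string hash at all or uses a non-standard variant.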
“It should be pointed [out] that none of these code fragments are 100% identical,” Kaspersky Lab researchers Georgy Kucherin, Igor Kuznetsov, and Costin Raiu wrote. “Nevertheless, they are curious coincidences, to say [the] least. One coincidence wouldn’t be that unusual, two coincidences would definitively raise an eyebrow, while three such coincidences are kind of suspicious to us.”
Monday’s post cautions against drawing too many inferences from the similarities. They could mean that Sunburst was written by the same developers behind Kazuar, but they could also be the result of an attempt to mislead investigators about the true origins of the SolarWinds supply chain attack, something researchers call a false flag operation.
Other possibilities include a developer who worked on Kazuar and later went to work for the group creating Sunburst, the Sunburst developers reverse engineering Kazuar and using it as inspiration, or the developers of Kazuar and Sunburst obtaining their malware from the same source.
The Kaspersky Lab researchers wrote:
At the moment, we do not know which one of these options is true. While Kazuar and Sunburst may be related, the nature of this relation is still not clear. Through further analysis, it is possible that evidence confirming one or several of these points might arise. At the same time, it is also possible that the Sunburst developers were really good at their opsec and didn’t make any mistakes, with this link being an elaborate false flag. In any case, this overlap doesn’t change much for the defenders. Supply chain attacks are some of the most sophisticated types of attacks nowadays and have been successfully used in the past by APT groups such as Winnti/Barium/APT41 and various cybercriminal groups.
Federal officials and researchers have said that it could take months to know the full impact of the months-long hacking campaign. Monday’s post called on other researchers to further analyze the similarities for more clues about who’s behind the attacks.