The Solorigate/Sunburst malware deployed against SolarWinds Orion customers at the end of 2020 shares some code similarities with known versions of the Kazuar backdoors, suggesting some form of genetic relationship between the two, according to Kasperksy’s security research team.
Kazuar is a backdoor written using the .NET framework and was first spotted in 2017 by Palo Alto’s Unit 42 security team, and tentatively linked at the time to the Moscow-backed Turla advanced persistent threat (APT) group. It has been heavily used in cyber espionage attacks around the world over the past few years, and Kaspersky’s findings lend more weight to the theory that the December 2020 cyber attack was a Russian-ordered espionage operation.
The overlapping features between the two include the victim UID generation algorithm, the sleeping algorithm, and use of the FNV-1a hash, said Kasperksy’s Costin Raiu, director of the firm’s Global Research and Analysis Team.
Raiu said the code fragments were not 100% identical, meaning that the nature of the relationship, if any, is not entirely clear, but he added that since Solorigate/Sunburst was first deployed almost 12 months ago, Kazaur itself has also evolved further, with its most recent variants even more similar in some respects.
“The identified connection does not give away who was behind the SolarWinds attack; however, it provides more insights that can help the researchers move forward in this investigation,” said Raiu. “We believe it is important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach.
“Judging from past experience, for instance looking back to the WannaCry attack, in the early days there were very few facts linking them to the Lazarus group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research on this topic is crucial for connecting the dots.”
Raiu said there were several possible explanations for the similarities. For example, Solorigate/Sunburst and Kazuar could have been developed by the same group or the developers of Solorigate/Sunburst, known as Dark Halo or UNC2452, could have been inspired by the makers of Kazuar. Alternatively, both groups could have obtained their malware from a third party, or someone could have swapped teams, taking knowledge and tools with them.
The coding similarities could even be a false flag, said Kaspersky – Turla has itself been noted for its opportunistic “hijacking” of others’ infrastructure as an obfuscation technique in the past.
The Kaspersky team added that whatever the overlap signified, their research should not change anything for defenders – supply chain attacks are, in general, highly sophisticated and extremely dangerous, regardless of their lineage.
To limit potential exposure to such attacks, Kaspersky recommends that defenders take three key steps. First, network management software should be isolated on a separate VLAN and monitored separately from the user network. Second, outgoing internet connections from servers or other appliances that run third-party software should be limited. Third, defenders should put in place regular memory dumping and analysis, checking for malicious code that is running in a decrypted state using a code similarity tool that matches it against malware databases – Kaspersky’s own Threat Attribution Engine is one such tool, others are available.
The supplier also recommends giving security teams access to a threat intelligence service.
More information on the apparent links between the two malwares, including in-depth technical details, can be found on Kaspersky’s SecureList blog.