The malware used to hack Microsoft, security firm FireEye, and at least a half-dozen federal agencies has “intriguing similarities” to malicious software that has been circulating since at least 2015, researchers said on Monday.
Sunburst is the name security researchers have given to malware that infected about 18,000 organizations when they installed a malicious update for Orion, a network management tool sold by Austin, Texas-based SolarWinds. The unknown attackers who planted Sunburst in Orion used it to install additional malware that burrowed further into select networks of interest. With infections that hit the Departments of Justice, Commerce, Treasury, Energy, and Homeland Security, the hacking campaign is among the worst in modern US history.
The National Security Agency, the FBI, and two other federal agencies last week said that the Russian government was “likely” behind the attack, which began no later than October 2019. While several news sources, citing unnamed officials, have reported the intrusions were the work of the Kremlin’s SVR, or Foreign Intelligence Service, researchers continue to look for evidence that definitively proves or disproves those statements.
Kind of suspicious
On Monday, researchers from Moscow-based security firm Kaspersky Lab reported “curious similarities” in the code of Sunburst and Kazuar, a piece of malware that first came to light in 2017. Kazuar, researchers from security firm Palo Alto Networks said at the time, was used alongside known tools from Turla, one of the world’s most advanced hacking groups, whose members speak fluent Russian.
In a report published on Monday, Kaspersky Lab researchers said they found at least three similarities in the code and functions of Sunburst and Kazuar. They are:
- The algorithm used to generate the unique victim identifiers
- The algorithm used to make the malware “sleep,” or delay taking action, after infecting a network, and
- Extensive use of the FNV-1a hashing algorithm to obfuscate code.
“It should be pointed [out] that none of these code fragments are 100% identical,” Kaspersky Lab researchers Gregory Kucherin, Igor Kuznetsov, and Costin Raiu wrote. “Nevertheless, they are curious coincidences, to say [the] least. One coincidence wouldn’t be that unusual, two coincidences would definitively raise an eyebrow, while three such coincidences are kind of suspicious to us.”
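The third similarity, hashing strings with FNV-1a so that a binary carries only numeric constants instead of readable API or command names, is shown below from the analyst's side, as an added example that is not code from Kaspersky's report or from either malware family. It implements standard FNV-1a (32- and 64-bit) and resolves recovered hash constants against a wordlist; the candidate names are constructed, and neither malware's exact variant or constants are reproduced here.

```python
# Added example (not from the original article or the Kaspersky report):
# FNV-1a string hashing as used for code obfuscation, plus the lookup an
# analyst builds to map recovered hash constants back to cleartext.

# Standard FNV offset basis and prime for 32- and 64-bit variants.
FNV_PARAMS = {
    32: (0x811C9DC5, 0x01000193),
    64: (0xCBF29CE484222325, 0x00000100000001B3),
}


def fnv1a(data: bytes, bits: int = 32) -> int:
    """FNV-1a: XOR each byte into the state, then multiply by the FNV prime."""
    h, prime = FNV_PARAMS[bits]
    mask = (1 << bits) - 1
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def build_lookup(candidates, bits: int = 32) -> dict:
    """Precompute hash -> string for a wordlist (e.g. API or command names)."""
    return {fnv1a(name.encode("ascii"), bits): name for name in candidates}


def resolve(hashes, lookup: dict) -> dict:
    """Map hash constants pulled from a sample to cleartext; None if unknown."""
    return {h: lookup.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed wordlist standing in for a full export/API name list.
    wordlist = ["CreateFileW", "WriteProcessMemory", "GetTickCount"]
    table = build_lookup(wordlist)
    # Constructed "recovered" constants: two known names and one unknown.
    recovered = [fnv1a(b"GetTickCount"), fnv1a(b"CreateFileW"), 0x12345678]
    for h, name in resolve(recovered, table).items():
        print(f"0x{h:08x} -> {name}")
```

In practice the wordlist is the exported function names of the DLLs the sample imports, or any string set the analyst suspects was hashed; a hit confirms both the algorithm in use and the hidden string.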
Monday’s post cautions against drawing too many inferences from the similarities. They may mean that Sunburst was written by the same developers behind Kazuar, but they may also be the result of an attempt to mislead investigators about the true origins of the SolarWinds supply chain attack, something researchers call a false flag operation.
Other possibilities include a developer who worked on Kazuar and later went to work for the group creating Sunburst, the Sunburst developers reverse engineering Kazuar and using it as inspiration, or the developers of Kazuar and Sunburst obtaining their malware from the same source.
The Kaspersky Lab researchers wrote:
At the moment, we do not know which one of these options is true. While Kazuar and Sunburst may be related, the nature of this relation is still not clear. Through further analysis, it is possible that evidence confirming one or several of these points might arise. At the same time, it is also possible that the Sunburst developers were really good at their opsec and didn’t make any mistakes, with this link being an elaborate false flag. In any case, this overlap doesn’t change much for the defenders. Supply chain attacks are some of the most sophisticated types of attacks nowadays and have been successfully used in the past by APT groups such as Winnti/Barium/APT41 and various cybercriminal groups.
Federal officials and researchers have said that it may take months to understand the full impact of the months-long hacking campaign. Monday’s post called on other researchers to further analyze the similarities for additional clues about who is behind the attacks.