Researchers Find Links Between Sunburst and Kazuar

Kaspersky researchers found that the Sunburst backdoor, the malware deployed during the SolarWinds supply-chain attack, shows feature overlaps with Kazuar, a .NET backdoor tentatively linked to the Russian Turla hacking group.

Turla (aka VENOMOUS BEAR and Waterbug) has been coordinating information theft and espionage campaigns as far back as 1996 and is the main suspect behind attacks targeting the Pentagon and NASA, the U.S. Central Command, and the Finnish Foreign Ministry.

Kazuar is one of the tools used during past Turla operations and, according to Kaspersky, it shares several of its features with the malware created by the group behind the hack (tracked as UNC2452 and DarkHalo).

A week ago, the FBI, CISA, and the NSA also said that a Russian-backed Advanced Persistent Threat (APT) group is likely behind the SolarWinds hack.

Code similarities

Kazuar samples discovered in the wild since February 2020, when Sunburst was first deployed, have been tweaked continuously, with the similarities deepening towards November 2020; at the moment, however, the nature of the connection between the two remains unknown.

The features found to be overlapping in both Kazuar and Sunburst include the algorithm used to generate victim UIDs (unique identifiers), the extensive usage of the FNV-1a hash throughout the malware, and the sleeping algorithm used by both backdoors.
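The FNV-1a hash named above, as an added analyst-side reference rather than code from Kaspersky's report or from either malware family: the 32- and 64-bit variants, a triage check for the algorithm's constants in a byte blob, and a reverse lookup that maps hash values recovered from a sample back to candidate strings. The blob and the candidate names are constructed for the demonstration.

```python
import struct

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x00000100000001B3


def fnv1a_32(data: bytes) -> int:
    """FNV-1a, 32-bit: XOR each byte in, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h = ((h ^ b) * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """FNV-1a, 64-bit: same loop with the 64-bit offset basis and prime."""
    h = FNV64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def fnv_constants_present(blob: bytes) -> dict:
    """Triage check: which FNV-1a constants occur little-endian in a blob.
    A hit is a hint, not proof, that the code uses FNV-1a; a miss proves
    nothing, since the constants may be assembled at runtime."""
    needles = {
        "fnv32_offset": struct.pack("<I", FNV32_OFFSET),
        "fnv32_prime": struct.pack("<I", FNV32_PRIME),
        "fnv64_offset": struct.pack("<Q", FNV64_OFFSET),
        "fnv64_prime": struct.pack("<Q", FNV64_PRIME),
    }
    return {name: needle in blob for name, needle in needles.items()}


def resolve_hashes(hashes, candidates, bits=64) -> dict:
    """Map hash values pulled from a sample back to candidate plaintexts.
    Unmatched values map to None so the analyst sees what is still unknown."""
    fn = fnv1a_64 if bits == 64 else fnv1a_32
    table = {fn(c.encode("utf-8")): c for c in candidates}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed inputs: a blob embedding the 64-bit constants and a few
    # hash values of the kind an analyst would lift from a disassembly.
    blob = b"\x00" * 8 + struct.pack("<Q", FNV64_OFFSET) + b"\x90" * 4
    blob += struct.pack("<Q", FNV64_PRIME)
    print(fnv_constants_present(blob))
    names = ["explorer.exe", "notepad.exe", "calc.exe"]  # constructed list
    print(resolve_hashes([fnv1a_64(b"notepad.exe"), 0x1234], names))
```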

Kaspersky also points out that, despite the similarities, the algorithms implementing these overlapping features are still not 100% identical, which hints at a potential relationship between the two malware strains and their developers, although “the nature of this relation is still not entirely clear.”

The code parts that reveal the feature overlap further show that “a kind of a similar thought process went into the development of Kazuar and Sunburst.”

Some of the explanations for these similarities highlighted by Kaspersky’s report include:

  • Sunburst was developed by the same group as Kazuar
  • The Sunburst developers adopted some ideas or code from Kazuar, without having a direct connection (they used Kazuar as an inspiration point)
  • Both groups, DarkHalo/UNC2452 and the group using Kazuar, obtained their malware from the same source
  • Some of the Kazuar developers moved to another team, taking knowledge and tools with them
  • The Sunburst developers introduced these subtle links as a form of false flag, in order to shift blame to another group

However, as Kaspersky’s researchers pointed out, “[o]ne coincidence wouldn’t be that unusual, two coincidences would definitively raise an eyebrow, while three such coincidences are kind of suspicious to us.”

Potential of deliberately introduced false flags

Kaspersky also highlighted the risk that these similarities in code could very well be false flags planted by the authors of the Sunburst malware to divert investigators’ efforts to another threat actor.

“While Kazuar and Sunburst may be related, the nature of this relation is still not clear,” Kaspersky added. “Through further analysis, it is possible that evidence confirming one or several of these points might arise.”

“At the same time, it is also possible that the Sunburst developers were really good at their opsec and didn’t make any mistakes, with this link being an elaborate false flag.

“To clarify – we are NOT saying that DarkHalo / UNC2452, the group using Sunburst, and Kazuar or Turla are the same.”

However, Kaspersky found that the Sunburst and Kazuar developers were potentially aware of feature changes in each other’s malware, which points to a connection between the two, given that Sunburst was only discovered in December 2020, after FireEye was breached in the supply-chain attack.

Kazuar’s developers have also continuously tweaked the feature set and refactored the malware’s codebase since the first time it was deployed in attacks in 2017.

Additionally, Kazuar samples are very rarely uploaded to malware analysis platforms such as VirusTotal, which makes it extremely hard, if not impossible, to keep track of changes between variants.

“The identified connection does not give away who was behind the attack, however, it provides more insights that can help researchers move forward in this investigation,” Costin Raiu, the director of the Kaspersky Global Research and Analysis Team (GReAT), said.

“We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the breach.”

Further technical information regarding the Sunburst and Kazuar code similarities and indicators of compromise can be found in Kaspersky’s full report.

IOCs

E220EAE9F853193AFE77567EA05294C8 (First detected Kazuar sample, compiled in 2015)
150D0ADDF65B6524EB92B9762DB6F074 (Kazuar sample compiled in 2016)
54700C4CA2854858A572290BCD5501D4 (Kazuar sample compiled in 2017)
053DDB3B6E38F9BDBC5FB51FDD44D3AC (Kazuar sample compiled in 2018)
1F70BEF5D79EFBDAC63C9935AA353955 (Kazuar sample compiled in 2019)
9A2750B3E1A22A5B614F6189EC2D67FA (Kazuar sample used in November 2020)
804785B5ED71AADF9878E7FC4BA4295C (Kazuar sample used in December 2020)
024C46493F876FA9005047866BA3ECBD (Most recent Kazuar sample)
2C4A910A1299CDAE2A4E55988A2F102E (Sunburst sample)