Kaspersky researchers found that the Sunburst backdoor, the malware deployed during the SolarWinds supply-chain attack, shows feature overlaps with Kazuar, a .NET backdoor tentatively linked to the Russian Turla hacking group.
Turla (aka VENOMOUS BEAR and Waterbug) has been coordinating information theft and espionage campaigns as far back as 1996 and is the main suspect behind attacks targeting the Pentagon and NASA, the U.S. Central Command, and the Finnish Foreign Ministry.
Kazuar is one of the tools used during past Turla operations and, according to Kaspersky, it shares several of its features with the malware created by the group behind the SolarWinds hack (tracked as UNC2452 and DarkHalo).
A week ago, the FBI, CISA, and the NSA also said that a Russian-backed Advanced Persistent Threat (APT) group is likely behind the SolarWinds hack.
Samples of the Kazuar backdoor discovered in the wild since February 2020 when Sunburst was first deployed have been tweaked continuously with the similarities deepening towards November 2020 but, at the moment, the connection between the two still remains unknown.
The features found to be overlapping in both Kazuar and Sunburst include the algorithm used to generate victim UIDs (unique identifiers), the extensive usage of the FNV-1a hash throughout the malware, and the sleeping algorithm used by both backdoors.
Kaspersky also points out that, despite similarities, the algorithms used to implement these overlapping features are still not 100% identical which hints at a potential relationship between the two malware strains and their developers, although “the nature of this relation is still not entirely clear.”
The code parts that reveal the feature overlap further show that “a kind of a similar thought process went into the development of Kazuar and Sunburst.”
Some of the explanations for these similarities highlighted by Kaspersky’s report include:
- Sunburst was developed by the same group as Kazuar
- The Sunburst developers adopted some ideas or code from Kazuar, without having a direct connection (they used Kazuar as an inspiration point)
- Both groups, DarkHalo/UNC2452 and the group using Kazuar, obtained their malware from the same source
- Some of the Kazuar developers moved to another team, taking knowledge and tools with them
- The Sunburst developers introduced these subtle links as a form of false flag, in order to shift blame to another group
However, as Kaspersky’s researchers pointed out, “[o]ne coincidence wouldn’t be that unusual, two coincidences would definitively raise an eyebrow, while three such coincidences are kind of suspicious to us.”
Potential of deliberately introduced false flags
Kaspersky also highlighted the risk that these similarities in code could very well be false flags planted by the authors of the Sunburst malware to divert investigators’ efforts to another threat actor.
“While Kazuar and Sunburst may be related, the nature of this relation is still not clear,” Kaspersky added. “Through further analysis, it is possible that evidence confirming one or several of these points might arise.”
“At the same time, it is also possible that the Sunburst developers were really good at their opsec and didn’t make any mistakes, with this link being an elaborate false flag.
“To clarify – we are NOT saying that DarkHalo / UNC2452, the group using Sunburst, and Kazuar or Turla are the same.”
However, Kaspersky found that the Sunburst and Kazuar developers were potentially aware of feature changes in each others’ malware which points to a connection between the two given that Sunburst was only discovered in December 2020, after FireEye was breached in the SolarWinds supply-chain attack.
Kazuar’s developers have also continuously tweaked the feature set and refactored the malware’s codebase since the first time it was deployed in attacks in 2017.
Additionally, Kazuar samples are very rarely uploaded to malware analysis platforms such as VirusTotal which makes it extremely hard if not impossible to keep track of changes between variants.
“The identified connection does not give away who was behind the SolarWinds attack, however, it provides more insights that can help researchers move forward in this investigation,” Costin Raiu, the director of the Kaspersky Global Research and Analysis Team (GReAT), said.
“We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach.”
Further technical information regarding the Sunburst and Kazuar code similarities and indicators of compromise can be found in Kaspersky’s full report.
E220EAE9F853193AFE77567EA05294C8 (First detected Kazuar sample, compiled in 2015)
150D0ADDF65B6524EB92B9762DB6F074 (Kazuar sample compiled in 2016)
54700C4CA2854858A572290BCD5501D4 (Kazuar sample compiled in 2017)
053DDB3B6E38F9BDBC5FB51FDD44D3AC (Kazuar sample compiled in 2018)
1F70BEF5D79EFBDAC63C9935AA353955 (Kazuar sample compiled in 2019)
9A2750B3E1A22A5B614F6189EC2D67FA (Kazuar sample used in November 2020)
804785B5ED71AADF9878E7FC4BA4295C (Kazuar sample used in December 2020)
024C46493F876FA9005047866BA3ECBD (Most recent Kazuar sample)
2C4A910A1299CDAE2A4E55988A2F102E (Sunburst sample)