Kaspersky: SolarWinds Sunburst backdoor resembles Russian APT malware

A code analysis of the SolarWinds Sunburst backdoor by security researchers at Kaspersky strengthens the suspicion that its authors are to be found in Russia: parts of the code resemble malware attributed to Russian APT groups.


Via the Sunburst backdoor in the Orion software from the US software vendor SolarWinds, attackers managed to infect around 18,000 Orion installations worldwide. As far as is currently known, about 200 targets in the US were then actively attacked through this backdoor. I had reported extensively in the blog posts linked at the end of this article.

Suspicion falls on Russian state-sponsored hackers

In the case of the SolarWinds Sunburst backdoor, suspicion fell on state-backed Russian hackers fairly quickly: the attack was quite sophisticated, and the intruders were able to spy on US agencies and companies unnoticed for months. In the blog post News from the SolarWinds hack; JetBrains software as a gateway? I had mentioned a joint statement by the FBI, CISA, ODNI and NSA blaming Russia for the attack.

Now further information has surfaced that at least supports this line of thought. The Russian security vendor Kaspersky has just published its analysis of the SolarWinds Sunburst backdoor, with interesting findings, on securelist.com. I came across this analysis on Twitter a few hours ago.

SolarWinds Sunburst analysis

The security analysts at FireEye, who first uncovered the attack, disclosed its details in their analysis but only gave the attacker the placeholder name "UNC2452". Kaspersky has now uncovered further details. The researchers write that this attack is remarkable in many ways, including its stealth, its precise targeting and the custom Sunburst malware used by the attackers.


Code similarities with the Kazuar backdoor

While examining the Sunburst backdoor, the security researchers discovered several characteristics that overlap with a previously identified backdoor called Kazuar. Kazuar is a .NET backdoor first described by Palo Alto Networks in 2017. Palo Alto linked Kazuar to the APT group Turla, although no solid attribution has been made public. Kaspersky's own observations confirm that Kazuar, together with other Turla tools, has been used in several intrusions in recent years.

Turla (also known as VENOMOUS BEAR and Waterbug) has been coordinating cyber attacks, siphoning off information and conducting espionage, since as early as 1996. The Russian Turla group is the prime suspect behind attacks on the Pentagon and NASA, U.S. Central Command and the Finnish Foreign Ministry, Bleeping Computer writes.

The unusual features shared by Sunburst and Kazuar are the algorithm used to generate the victim UIDs, the algorithm used to calculate the sleep period (the time the malware remains inactive after infecting a system), and the extensive use of the FNV-1a hash; all three have strong similarities to the Kazuar implementations. Kaspersky writes that the code is not identical, but the similarities are very strong.
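As an added illustration of the kind of FNV-1a usage at issue (this is example code, not code from Kaspersky's analysis, from Sunburst or from Kazuar): malware commonly stores FNV-1a hashes of process, service or driver names instead of the strings themselves and compares hashes at runtime, so an analyst who finds such a hash table has to brute-force a word list to recover the cleartext. The block implements canonical FNV-1a (32- and 64-bit, using the public offset and prime constants) and a small resolver. The `xor_key` parameter, the word list and the "extracted" hash table are constructed for the demo; the page names no specific constants from either family.

```python
"""FNV-1a and a word-list resolver for hash-obfuscated strings.

Added example, not code from the page or from either malware family.
The offset/prime values are the public FNV-1a parameters; the XOR key,
word list and "extracted" hash table below are constructed for the demo.
"""

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a(data: bytes, bits: int = 64) -> int:
    """Canonical FNV-1a: XOR each byte into the state, then multiply by the prime."""
    if bits == 32:
        h, prime, mask = FNV32_OFFSET, FNV32_PRIME, 0xFFFFFFFF
    elif bits == 64:
        h, prime, mask = FNV64_OFFSET, FNV64_PRIME, 0xFFFFFFFFFFFFFFFF
    else:
        raise ValueError("bits must be 32 or 64")
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def fnv1a_xor(data: bytes, bits: int = 64, xor_key: int = 0) -> int:
    """Family-specific variant: canonical FNV-1a XORed with a constant.
    A non-zero xor_key makes public FNV-1a lookup tables useless, so a
    resolver must be re-keyed per family. The key is a hypothetical
    parameter here; the page names no constant for Sunburst or Kazuar."""
    return fnv1a(data, bits) ^ xor_key


def build_table(wordlist, bits=64, xor_key=0, encodings=("utf-8", "utf-16-le")):
    """Hash every candidate under each case variant and string encoding.
    .NET code may hash either the UTF-16 string or its UTF-8/ASCII bytes,
    and may lowercase before hashing, so all variants are tried."""
    table = {}
    for word in wordlist:
        for variant in {word, word.lower(), word.upper()}:
            for enc in encodings:
                table[fnv1a_xor(variant.encode(enc), bits, xor_key)] = (variant, enc)
    return table


def resolve_hashes(unknown, wordlist, bits=64, xor_key=0):
    """Map each hash to (cleartext, encoding), or None if the word list misses it."""
    table = build_table(wordlist, bits, xor_key)
    return {h: table.get(h) for h in unknown}


# Constructed demo: pretend these hashes were pulled from a sample that
# uses 64-bit FNV-1a XOR 0x1234 (hypothetical key) over lowercased UTF-16
# names. The last value is deliberately not in the word list.
DEMO_KEY = 0x1234
DEMO_WORDLIST = ["procmon.exe", "wireshark.exe", "lsass.exe", "explorer.exe"]
DEMO_HASHES = [fnv1a_xor(n.lower().encode("utf-16-le"), 64, DEMO_KEY)
               for n in ("ProcMon.exe", "Wireshark.exe")] + [0xDEADBEEFDEADBEEF]


if __name__ == "__main__":
    for h, hit in resolve_hashes(DEMO_HASHES, DEMO_WORDLIST, 64, DEMO_KEY).items():
        print(f"{h:016x} -> {hit}")
```

In practice the word list would be a dump of process, service and driver names from a clean Windows image plus the usual analysis tools, and the XOR key (if any) would be read off the sample's hash routine in the disassembly; a hash that resolves under no key and no encoding is a hint that the family uses a further tweak to the algorithm.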

Strong indications of common roots

This is at least a strong indication that the Sunburst backdoor may have been developed by the same group that implemented the Kazuar backdoor. Of course, it is also possible that Sunburst's developers were inspired by the Turla group, or that developers moved between the teams. Another explanation is that a false trail was deliberately laid. However, the Kaspersky researchers point out that no fewer than three very strong similarities in the techniques used is highly suspicious.

Kaspersky does not present any hard evidence regarding authorship. The Kazuar developers have continuously tweaked features and revised the malware's code base since it was first described in 2017, and Kazuar samples are very rarely uploaded to malware analysis platforms such as VirusTotal. This makes tracking changes between the different variants extremely difficult, if not impossible.

Nevertheless, Kaspersky found that the developers of Sunburst and Kazuar were most likely aware of feature changes in each other's malware, which points to a connection between the two developer teams. The Kaspersky researchers hope that other security researchers will investigate these similarities further, establish more facts about Kazuar and the origin of Sunburst, and tie up the loose ends. WannaCry is a precedent: in the early days there were very few facts linking it to the Lazarus group from North Korea, but over time more evidence emerged and confirmed that suspicion.

Similar articles:
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a 'Kill Switch' and EINSTEIN's fail
SUNBURST malware was injected into SolarWind's source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?
SUNBURST hack: Microsoft's analysis and news
2nd backdoor found on infected SolarWinds systems
SolarWinds hackers had access to Microsoft source code
SolarWinds hack: Hacker goals; outsourcing are under investigation?
News from the SolarWinds hack; JetBrains software as a gateway?
