The malware used to hack Microsoft, security company FireEye, and at least a half-dozen federal agencies has “interesting similarities” to malicious software that has been circulating since at least 2015, researchers said on Monday.
Sunburst is the name security researchers have given to malware that infected about 18,000 organizations when they installed a malicious update for Orion, a network management tool sold by Austin, Texas-based SolarWinds. The unknown attackers who planted Sunburst in Orion used it to install additional malware that burrowed further into select networks of interest. With infections that hit the Departments of Justice, Commerce, Treasury, Energy, and Homeland Security, the hack campaign is among the worst in modern US history.
The National Security Agency, the FBI, and two other federal agencies last week said that the Russian government was “likely” behind the attack, which began no later than October 2019. While several news sources, citing unnamed officials, have reported the intrusions were the work of the Kremlin’s SVR, or Foreign Intelligence Service, researchers continue to look for evidence that definitively proves or disproves the statements.
Kind of suspicious
On Monday, researchers from Moscow-based security company Kaspersky Lab reported “curious similarities” in the code of Sunburst and Kazuar, a piece of malware that first came to light in 2017. Kazuar, researchers from security firm Palo Alto Networks said then, was used alongside known tools from Turla, one of the world’s most advanced hacking groups, whose members speak fluent Russian.
In a report published on Monday, Kaspersky Labs researchers said they found at least three similarities in the code and functions of Sunburst and Kazuar. They are:
- The algorithm used to generate the unique victim identifiers
- The algorithm used to make the malware “sleep,” or delay taking action, after infecting a network, and
- Extensive use of the FNV-1a hashing algorithm to obfuscate code.
“It should be pointed [out] that none of these code fragments are 100% identical,” Kaspersky Lab researchers Gregory Kucherin, Igor Kuznetsov, and Costin Raiu wrote. “Nevertheless, they are curious coincidences, to say [the] least. One coincidence wouldn’t be that unusual, two coincidences would definitively raise an eyebrow, while three such coincidences are kind of suspicious to us.”
Monday’s post cautions against drawing too many inferences from the similarities. They could mean that Sunburst was written by the same developers behind Kazuar, but they might also be the result of an attempt to mislead investigators about the true origins of the SolarWinds supply chain attack, something researchers call a false flag operation.
Other possibilities include a developer who worked on Kazuar and later went to work for the group creating Sunburst, the Sunburst developers reverse engineering Kazuar and using it as inspiration, or developers of Kazuar and Sunburst obtaining their malware from the same source.
The Kaspersky Lab researchers wrote:
At the moment, we do not know which one of these options is true. While Kazuar and Sunburst may be related, the nature of this relation is still not clear. Through further analysis, it is possible that evidence confirming one or several of these points might arise. At the same time, it is also possible that the Sunburst developers were really good at their opsec and didn’t make any mistakes, with this link being an elaborate false flag. In any case, this overlap doesn’t change much for the defenders. Supply chain attacks are some of the most sophisticated types of attacks nowadays and have been successfully used in the past by APT groups such as Winnti/Barium/APT41 and various cybercriminal groups.
Federal officials and researchers have said that it could take months to understand the full impact of the months-long hacking campaign. Monday’s post called on other researchers to further analyze the similarities for additional clues about who is behind the attacks.