Federal investigators still can’t say with certainty who was behind the recent hacking campaign that compromised countless government agencies and private companies. But cybersecurity researchers say they’ve found evidence linking tools used in the months-long espionage campaign to malware used by Russian cyber operators.
Moscow-based cybersecurity firm Kaspersky said on Monday that its researchers have uncovered code similarities between Sunburst, the backdoor used in the SolarWinds campaign, and Kazuar, a hacking tool that researchers at Palo Alto Networks linked to a suspected Russian state-sponsored hacking group known as Turla in 2017. Although it’s possible that the similarities could be a false flag or the result of the two groups acquiring the tools from the same developer, they are important digital clues for investigators.
The researchers identified overlapping code blocks in three locations: the UID generation algorithm, used to identify compromised machines; a sleeping algorithm that told the malware how long to remain dormant before connecting back to a server controlled by the hackers; and the extensive use of the FNV-1a hashing algorithm.
Though not completely identical, the commonalities indicated that a “similar thought process went into the development of Kazuar and Sunburst,” according to the report.
Researchers at Kaspersky declined to speculate on attribution, observing that the two groups might have obtained their malware from the same third-party developer or borrowed the other’s code in an effort to confuse researchers, among other possibilities.
“At the moment, we do not know which one of these possibilities is the right one or even if one is more likely than the other. All of them are possibilities and none of them should be excluded from analysis,” Costin Raiu, director of global research and analysis at Kaspersky, wrote in an email.
Raiu asserted on Twitter that the false flag option is “less likely” than the others, pointing out that some of the code similarities appeared in Sunburst before they were found in Kazuar.
Though the research leaves several questions unanswered, it offers some tantalizing hints about who exactly was behind the SolarWinds campaign.
Turla, the hacking group suspected of developing the Kazuar backdoor, is one of Russia’s elite hacking groups. It is known for using custom tools and targeted operations to spy on governments, militaries, and research organizations, though its operations have traditionally focused on Europe.
Previous media reports attributed the SolarWinds campaign to Russia’s SVR, its foreign intelligence service, but Turla has been linked to the FSB, Russia’s federal security service. A recent statement from the Cyber Unified Coordination Group, the multi-agency task force charged with investigating and remediating the SolarWinds intrusions, did not delve into that level of detail. It stated simply that the attack was “likely” Russian in origin.