The massive global cyber espionage campaign that was uncovered last month was carried out using tools similar to those developed by a known Russian hacking group, according to a new study.
U.S. security agencies said last week that Russia was likely behind the spying operation, which hijacked software made by the Texas-based technology company SolarWinds, putting 18,000 of its government and corporate customers at risk.
Investigators at Moscow-based cybersecurity firm Kaspersky went further on Monday, releasing new evidence linking the malicious code used to breach SolarWinds to spy tools developed by a Russian hacking group known as Turla.
While previous reports in the US media had attributed the spying campaign to APT29, a hacking group backed by Russia's foreign intelligence service, the SVR, Turla is believed to be linked to a different Russian agency: the main domestic security service, the FSB.
Kaspersky's experts say the code overlaps they identified represent "the first identified potential link to a previously known family of malware." While the researchers stress that they are not attributing the SolarWinds hack to the Turla group, they say the similarities between the two sets of hacking tools are curious.
“A coincidence wouldn’t be so unusual, two coincidences would definitely raise an eyebrow, while three of those coincidences are a bit suspicious to us,” their blog post on the code similarities reads.
Kaspersky's investigators also point out that there could be innocent explanations for the code overlap, such as developers of the Turla malware being moved to another hacking team and taking the same tools with them. The SolarWinds hackers may even have deliberately imitated another cyber espionage group in order to deflect responsibility, the researchers wrote.
According to the UK's National Cyber Security Centre, a branch of the signals intelligence agency GCHQ, the Turla group targets governments as well as military, technology and energy companies, and habitually uses malware that steals sensitive data which is then used to carry out further cyber attacks.
The Estonian intelligence service revealed two years ago that it believed Turla was “linked” to the Russian FSB.
Ciaran Martin, former head of the NCSC and now a professor at the Blavatnik School at the University of Oxford, said the implications of Kaspersky's findings could be significant. "Some parts of the Russian state just hack for espionage; others have a grimmer record of disruptive attacks following an initial hack," he said.
“So it’s very important to understand exactly which part of Russia is behind SolarWinds.”
"I'm sure the US government and its partners are looking very closely at all of this evidence," he added, noting that so far there is no evidence that the SolarWinds hack was motivated by anything "other than espionage".
In a joint statement last week, the FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence said they had identified “less than 10” US federal agencies as potentially compromised.
Only the US Departments of Commerce, Energy and the Treasury have admitted to being hacked, along with companies such as Microsoft and the cybersecurity firm FireEye.