Since December's revelation that hackers had breached IT management software company SolarWinds, along with a vast number of its customers, Russia has been the prime suspect. But even though U.S. officials have pinned the attack on the Kremlin with varying degrees of certainty, no technical evidence has been released to support those conclusions. Now Russian cybersecurity firm Kaspersky has revealed the first verifiable clues – three of them, in fact – that appear to link the SolarWinds hackers to a known Russian cyberespionage group.
On Monday morning, Kaspersky published new evidence of technical similarities between the malware used by the still-unidentified SolarWinds hackers, known by security industry names including UNC2452 and Dark Halo, and the well-known hacker group Turla, believed to be Russian and also known as Venomous Bear and Snake. The group is widely believed to work on behalf of the FSB, Russia's successor to the KGB, and has carried out espionage-focused hacking for decades. Kaspersky's researchers are careful to say they are not claiming that UNC2452 is Turla; in fact, they have reason to believe the SolarWinds hackers and Turla are not the same group. But they say their findings suggest that at least one of the two groups "inspired" the other, and that they may share members or a common software developer who builds their malware.
Kaspersky researchers have found three similarities between a UNC2452 backdoor known as Sunburst and five-year-old Turla malware called Kazuar, which was first documented by security researchers at Palo Alto Networks in 2017. Costin Raiu, head of Kaspersky's global research and analysis team, notes that the three similarities between the hacking tools are not identical pieces of code, but rather distinctive techniques that both have incorporated. That actually makes the connection more meaningful, Raiu argues. "It's not a cut and paste effort. It's more like I'm a programmer and I write tools, and they ask me to write something similar, I'll write it with the same philosophy," says Raiu. "It's more handwriting. This handwriting or style spreads to different projects written by the same person."
Since the SolarWinds breach was first discovered, Kaspersky says it has searched its malware archives for connections. It was only after weeks of examining past malware samples that one of its researchers, Georgy Kucherin, 18, was able to find the connections to Kazuar, which had been hidden by the techniques Turla uses to obscure its code. Kucherin found that Kazuar and Sunburst use a very similar hashing technique throughout their code: specifically, the 64-bit FNV-1a hash algorithm (a non-cryptographic hash) with an additional XOR step that modifies the result. Both malware families also use the same process to generate the unique identifiers they assign to track different victims: an MD5 hash followed by an XOR.
Finally, the two malware specimens use the same mathematical function to determine a random "sleep time" before the malware contacts its command-and-control server, in an attempt to evade detection. These delays could be as long as two weeks for Sunburst and as long as four weeks for Kazuar, unusually long intervals that indicate a similar level of patience and stealth built into the tools.
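As an added illustration (not code from Sunburst, Kazuar, or Kaspersky's report), the following Python reimplements the three "handwriting" features described above in generic form, so a reader can see what such overlaps look like in code. The XOR constant, the host fields fed into the victim ID, the 8-byte fold and the delay ranges are assumptions chosen for illustration, not values taken from either malware family (the article gives only the upper bounds of the sleep windows). It also shows the check an analyst would want: because the extra XOR uses a fixed key, a single string whose hash is known is enough to recover the key and resolve every other hashed string in a sample.

```python
# Added example, not code from Sunburst, Kazuar or Kaspersky's analysis.
# Generic reimplementation of the three overlapping techniques the article
# describes. Every value marked ASSUMED is an illustrative placeholder.
import hashlib
import random

FNV1A_64_OFFSET = 0xCBF29CE484222325  # standard FNV-1a 64-bit parameters
FNV1A_64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1
XOR_KEY = 0x1234ABCD5678EF90  # ASSUMED placeholder, not a real malware constant


def fnv1a64(data: bytes) -> int:
    """Plain FNV-1a, 64-bit: XOR each byte in, then multiply by the prime."""
    h = FNV1A_64_OFFSET
    for b in data:
        h = ((h ^ b) * FNV1A_64_PRIME) & MASK64
    return h


def fnv1a64_xor(data: bytes, key: int = XOR_KEY) -> int:
    """FNV-1a 64 with the extra XOR step: a 'modified' hash that lets a sample
    compare names (processes, services, ...) without storing the plaintext."""
    return fnv1a64(data) ^ key


def recover_xor_key(known_plain: bytes, observed_hash: int) -> int:
    """XOR with a fixed key is invertible: one (plaintext, hash) pair yields the key.
    Confirming even one hashed string by other means unlocks all the others."""
    return fnv1a64(known_plain) ^ observed_hash


def resolve_hashes(observed: list[int], candidates: list[bytes], key: int) -> dict[int, bytes]:
    """Map modified hashes found in a sample back to candidate strings, given the key."""
    table = {fnv1a64_xor(c, key): c for c in candidates}
    return {h: table[h] for h in observed if h in table}


def victim_uid(mac: str, domain: str, machine_guid: str) -> str:
    """MD5 followed by XOR: hash a host fingerprint, then XOR-fold the 16-byte
    digest into 8 bytes. The input fields and the 8-byte fold are ASSUMED."""
    digest = hashlib.md5((mac + domain + machine_guid).encode()).digest()
    folded = bytearray(8)
    for i, b in enumerate(digest):
        folded[i % 8] ^= b
    return folded.hex()


def sleep_delay(min_s: int, max_s: int, rng: random.Random) -> float:
    """Random dormancy in [min_s, max_s) before the first C2 contact."""
    return min_s + rng.random() * (max_s - min_s)


def sleep_windows(seed: int) -> dict[str, float]:
    """Same delay function, two ASSUMED ranges; the article gives only the maxima."""
    rng = random.Random(seed)
    day = 86400
    return {
        "sunburst": sleep_delay(12 * day, 14 * day, rng),  # up to about two weeks
        "kazuar": sleep_delay(14 * day, 28 * day, rng),    # up to about four weeks
    }


if __name__ == "__main__":
    # Constructed scenario: a sample ships hashed tool names under a key the
    # analyst does not know yet.
    unknown_key = 0x0F1E2D3C4B5A6978  # ASSUMED, stands in for the key in the binary
    names = [b"procmon.exe", b"wireshark.exe", b"x64dbg.exe"]
    hashed = [fnv1a64_xor(n, unknown_key) for n in names]
    # One name is confirmed independently; that recovers the key and the rest.
    key = recover_xor_key(b"procmon.exe", hashed[0])
    print(f"recovered key: {key:#x}")
    for h, n in resolve_hashes(hashed, names, key).items():
        print(f"{h:#018x} -> {n.decode()}")
    print("victim uid:", victim_uid("00:11:22:33:44:55", "corp.example", "{guid}"))
    for family, secs in sleep_windows(7).items():
        print(f"{family}: sleeps {secs / 86400:.1f} days before first beacon")
```

The point of `recover_xor_key` is that the extra XOR step adds no secrecy against an analyst: it only defeats naive lookups against precomputed tables of plain FNV-1a hashes until one plaintext is matched, after which the whole hashed list falls.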
Together, these three matches in malware functionality are probably more than a coincidence, says Kaspersky’s Raiu. “Each of these three similarities, if you take it alone, is not that rare,” he says. “Two of these similarities, it doesn’t happen every day. Three is really an interesting finding.”
More than just "interesting," these connections represent a "great find," says Dmitri Alperovitch, co-founder and former chief technology officer of security firm CrowdStrike. "This confirms the attribution at least to Russian intelligence," Alperovitch said.