Similarities have been found by Kaspersky between the Sunburst backdoor and Kazuar, a .NET backdoor reportedly linked to the Russian Turla hacking group. During the investigation the FBI, CISA, and the NSA also assessed that the SolarWinds attacks had Russian links.
They have been named as the main suspects behind the attacks targeting the Pentagon, NASA and the U.S. Central Command.
The algorithm used to generate victim UIDs, the extensive use of the FNV-1a hash, and the sleeping algorithm of both backdoors are some of the notable similarities found between Kazuar and Sunburst.
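As an added illustration of the hashing technique mentioned here (example code written for this page, not code from Kaspersky's report or from either backdoor), the following Python implements standard FNV-1a in its 32- and 64-bit forms and shows the defender's side of it: resolving hashed strings recovered from a sample back to candidate plaintexts. The page does not give the parameters or string encoding the backdoors use, so the standard FNV constants and UTF-8 are assumed; the candidate process names and the "found in sample" values are constructed for the example.

```python
# Added example: reference implementation of standard FNV-1a (32- and 64-bit).
# Assumption: standard FNV offset basis and prime; the page does not state the
# parameters the backdoors actually use.
#
# Defender's use: a sample contains hashed strings instead of plaintext; hashing
# a candidate list and looking the values up recovers what they refer to.
# The candidate names below are constructed example input, not indicators.

FNV_PARAMS = {
    32: (0x811C9DC5, 0x01000193),
    64: (0xCBF29CE484222325, 0x00000100000001B3),
}


def fnv1a(data: bytes, bits: int = 64) -> int:
    """Standard FNV-1a: XOR each byte into the state, then multiply by the
    FNV prime, truncating to `bits` bits after every step."""
    offset_basis, prime = FNV_PARAMS[bits]
    mask = (1 << bits) - 1
    h = offset_basis
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def build_lookup(candidates, bits: int = 64, encoding: str = "utf-8") -> dict:
    """Map hash value -> plaintext for a list of candidate strings.
    The encoding is a parameter because a hash of 'lsass.exe' differs
    between UTF-8 and UTF-16LE input."""
    return {fnv1a(c.encode(encoding), bits): c for c in candidates}


def resolve(hashes, table: dict) -> dict:
    """Return {hash: plaintext or None} for each hash found in a sample."""
    return {h: table.get(h) for h in hashes}


# Constructed candidate list (common Windows process names, example input only)
CANDIDATES = ["explorer.exe", "svchost.exe", "lsass.exe", "notepad.exe"]

if __name__ == "__main__":
    table = build_lookup(CANDIDATES)
    # Constructed values standing in for hashes pulled out of a sample:
    # two that resolve, one that does not.
    found = [fnv1a(b"lsass.exe"), fnv1a(b"notepad.exe"), 0xDEADBEEF]
    for h, name in resolve(found, table).items():
        print(f"{h:016x} -> {name or '<unresolved>'}")
```

The empty input returns the offset basis, and the one-byte input "a" gives the published FNV-1a test vectors (0xaf63dc4c8601ec8c for 64-bit, 0xe40c292c for 32-bit), which is a quick way to confirm that an implementation pulled from a sample is the standard algorithm and not a modified variant.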
Turla also goes by the names Venomous Bear and Waterbug. Turla focuses on coordinated information theft and espionage campaigns and has a track record going back as far as 1996.
Over the past few weeks FireEye, Microsoft, SolarWinds and several US government departments have come under attack by the "Sunburst" malware injected through the compromised SolarWinds Orion software.
Despite these similarities, the extent of the overlap and the nature of the relationship are still unclear.
Some of the explanations for these similarities highlighted in Kaspersky's report include:
Sunburst was developed by the same group as Kazuar.
The Sunburst developers adopted some ideas or code from Kazuar, without having a direct connection (they used Kazuar as a source of inspiration).
Both groups, DarkHalo/UNC2452 and the group using Kazuar, obtained their malware from the same source.
Some of the Kazuar developers moved to another team, taking knowledge and tools with them.
The Sunburst developers introduced these subtle links as a form of false flag, in order to shift blame to another group.
Kaspersky researchers feel that one or two coincidences would not be too surprising; when there are three such coincidences, however, it is certainly rather suspicious.
Having said that, researchers at Kaspersky have not ruled out the possibility that these links could have been planted to misdirect the investigation. Further technical details can be found in the in-depth report published by Kaspersky.