
Connecting the dots between SolarWinds and Russia-linked Turla APT

Experts have found some similarities between the Sunburst backdoor used in the SolarWinds supply chain attack and Turla’s backdoor Kazuar.

Security experts from Kaspersky have identified multiple similarities between the Sunburst malware used in the SolarWinds supply chain attack and the Kazuar backdoor that has been employed in cyber espionage campaigns conducted by Russia-linked APT group Turla.

The discovery comes a few days after the US agencies FBI, CISA, ODNI, and the NSA released a joint statement that blames Russia for the SolarWinds supply chain attack.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

The list of previously known victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.

While dissecting the Sunburst malware, Kaspersky experts noticed several similarities with Kazuar, including a number of unusual, shared features.

“While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Kazuar is a .NET backdoor first reported by Palo Alto in 2017. Palo Alto tentatively linked Kazuar to the Turla APT group, although no solid attribution link has been made public. Our own observations indeed confirm that Kazuar was used together with other Turla tools during multiple breaches in past years.” reads the report published by Kaspersky.

“A number of unusual, shared features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm and the extensive usage of the FNV-1a hash.”


Palo Alto Networks is the security firm that first collected evidence that could link Kazuar to Turla APT.

Kazuar is a fully featured .NET backdoor that the Russia-linked APT group used to replace its second-stage backdoors, including the Carbon platform.

“We do not know who is behind the SolarWinds hack – we believe attribution is a question better left for law enforcement and judicial institutions. To clarify, our research has identified a number of shared code features between the Sunburst malware and Kazuar.” continues the report.

Kaspersky reported that the Kazuar malware has been continuously improved; the newest sample was detected by Kaspersky on December 29, 2020.

Experts noticed multiple similarities between code fragments in Sunburst and the Kazuar variants, but the overlapping pieces are similar rather than identical: the UID calculation subroutine, the way the FNV-1a hashing algorithm is used, and the sleep loop all differ in their details from one family to the other.
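Because the FNV-1a hash appears in the list of shared features, it is worth seeing what the algorithm actually does and how an analyst uses it. The example below is added here and is not code from the Kaspersky report or from either malware family: it implements the textbook FNV-1a (32- and 64-bit) and a small resolver that maps hash constants recovered from a sample back to a candidate list of strings. The process-name candidates and the target hashes are constructed for the demonstration, and the lower-casing option is an analyst's assumption about how a given sample normalises names; the exact variant (bit width, seed, any final transformation) used by Sunburst or Kazuar is not described on this page and may differ from the textbook form.

```python
"""Textbook FNV-1a hashing plus a hash-to-string resolver.

Added example, not code from the page's authors or from either backdoor.
The exact FNV-1a variant used by Sunburst or Kazuar is an assumption
this code does not make: it implements only the public reference
algorithm (offset basis and prime from the FNV specification).
"""

# Reference constants from the FNV specification.
FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a(data: bytes, bits: int = 64) -> int:
    """FNV-1a: XOR each byte into the state, then multiply by the prime.

    The XOR-then-multiply order is what distinguishes FNV-1a from FNV-1,
    which multiplies first; mixing the byte in before the multiply gives
    better avalanche for short inputs such as file or process names.
    """
    if bits == 32:
        h, prime, mask = FNV32_OFFSET, FNV32_PRIME, 0xFFFFFFFF
    elif bits == 64:
        h, prime, mask = FNV64_OFFSET, FNV64_PRIME, 0xFFFFFFFFFFFFFFFF
    else:
        raise ValueError("bits must be 32 or 64")
    for b in data:
        h ^= b
        h = (h * prime) & mask   # keep the state within the word size
    return h


def fnv1a_str(s: str, bits: int = 64, lowercase: bool = False) -> int:
    """Hash a string. Whether a sample lower-cases names before hashing is
    something the analyst has to determine from the code; both forms are
    offered so a resolver can try each."""
    if lowercase:
        s = s.lower()
    return fnv1a(s.encode("utf-8"), bits)


def resolve_hashes(targets, candidates, bits: int = 64) -> dict:
    """Map hash constants pulled from a sample back to candidate strings.

    Returns {hash: matched_string_or_None}. Every candidate is hashed in
    its original and lower-cased form so that either normalisation matches.
    """
    table = {}
    for name in candidates:
        for lower in (False, True):
            table.setdefault(fnv1a_str(name, bits, lower), name)
    return {h: table.get(h) for h in targets}


def demo() -> dict:
    """Constructed scenario: three hash constants 'found' in a sample,
    resolved against a short, constructed list of analysis-tool names."""
    candidates = ["lsass.exe", "svchost.exe", "Wireshark.exe", "procmon.exe"]
    # Constructed targets: two hashes of lower-cased names, one unknown value.
    targets = [
        fnv1a_str("wireshark.exe"),
        fnv1a_str("procmon.exe"),
        0xDEADBEEFDEADBEEF,
    ]
    return resolve_hashes(targets, candidates)


if __name__ == "__main__":
    for h, name in demo().items():
        print(f"{h:016x} -> {name}")
```

The reference test vectors (empty string, "a", "foobar") are the quickest way to confirm that an implementation, or a hash routine lifted from a disassembly, really is plain FNV-1a; if a sample's routine produces different values for these inputs, it is a modified variant and the resolver's table has to be rebuilt with the sample's own transformation.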

Kaspersky offered several possible explanations for these similarities. One is that Sunburst and Kazuar were developed by the same threat actors. Another is that the development team behind Sunburst borrowed part of its code from Kazuar without the two groups being connected.

Below the full list of assumptions made by Kaspersky:

  • Sunburst was developed by the same group as Kazuar
  • The Sunburst developers used some ideas or code from Kazuar, without having a direct connection (they used Kazuar code as “inspiration”)
  • Both groups, that is, the DarkHalo/UNC2452 and the group using Kazuar obtained their malware from the same source
  • One of the Kazuar developers moved to another team, taking their knowledge and tools with them
  • The Sunburst developers introduced these subtle links as a form of a false flag, in order to shift the blame to another group

At the time of the report, it is not possible to determine which of the above assumptions is correct.


Pierluigi Paganini

(SecurityAffairs – hacking, Turla)
