Security experts from Kaspersky have identified multiple similarities between the Sunburst malware used in the SolarWinds supply chain attack and the Kazuar backdoor that has been employed in cyber espionage campaigns conducted by Russia-linked APT group Turla.
The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.
The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.
While dissecting the Sunburst malware, Kaspersky experts noticed several similarities with the Kazuar, including a number of unusual, shared features.
“While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Kazuar is a .NET backdoor first reported by Palo Alto in 2017. Palo Alto tentatively linked Kazuar to the Turla APT group, although no solid attribution link has been made public. Our own observations indeed confirm that Kazuar was used together with other Turla tools during multiple breaches in past years.” reads the report published by Kaspersky.
“A number of unusual, shared features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm and the extensive usage of the FNV-1a hash.”
Palo Alto Networks is the security firm that first collected evidence that could link Kazuar to Turla APT.
Kazuar is a fully featured .NET backdoor that was used by the Russia-linked APT group to replace the group’s second stage backdoors, including Carbon platform.
“We do not know who is behind the SolarWinds hack – we believe attribution is a question better left for law enforcement and judicial institutions. To clarify, our research has identified a number of shared code features between the Sunburst malware and Kazuar.” continues the report.
Kaspersky reported that the Kazuar malware was continuously improved, the newest sample was detected by Kaspersky in on December 29, 2020.
Experts noticed multiple similarities between the code fragments from Sunburst and Kazuar variants, while the UID calculation subroutine and the FNV-1a hashing algorithm usage, and the sleep loop are not identical.
Kaspersky made some assumptions on the causes of these similarities, one of them is that Sunburst and Kazuar may have been developed by the same threat actors. Another assumption is that the development team behind Sunburst borrowed part of codes from Kazuar without, but this doesn’t imply that the two attackers are connected.
Below the full list of assumptions made by Kaspersky:
At the time of this report is, it is not possible which of the above assuptions is correc.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Turla)