The ongoing investigation into the SolarWinds cyber attack reveals a possible suspect—and it wasn’t the notorious Russian hacking group preliminary reports first assumed.
The Russian-based cyber security firm, Kaspersky, published new evidence on Monday that points to a hacking group other than the suspected APT29, also known as Fancy Bear. Upon comparing the SolarWinds malware code with other malicious software from previous hacks, 18-year-old researcher Gregory Kucherin recognized several similarities to a hacking tool called Kazuar. The cyber security firm acknowledges that one or two similarities could be chalked up to coincidence, but the SolarWinds malware aligned with three distinct properties of the Kazuar malware: the method in which the malware hid itself, the victim identification and tracking process, and certain calculations and formulas that determine a random dormancy period before the malware sends information back to its home base.
The similarities go beyond the simple cutting and pasting of code. Instead, it appears the individual or individuals who coded both Kazuar and the malware used in the SolarWinds attack, dubbed UNC2452, Dark Halo, and SunBurst, have similar coding styles. Such a tell may offer more information than the simple lifting of code, because coding contains personalized techniques and patterns similar to the way handwriting does.
It is possible that the malware is a copy-cat created to throw investigators off track. However, the obscurity of the similarities and the timeline of the code’s usage makes this possibility unlikely. That is, the deployment of certain parts of the Kazuar malware code actually postdates the SunBurst hack. Other possibilities include the purchase of the Kazuar malware by the SolarWinds hackers or a career move and/or collaboration effort by one or more hackers who borrowed code from their previous employer. A final prospect is that the hacking group who first deployed Kazuar is responsible for this hack as well.
Turla, the originator of the Kazuar malware, is a known cyberespionage group. Their highly sophisticated hacking tools date as far back as 2004 and are constantly evolving. The group is also known as Venomous Bear and Snake and is linked to the FSB, Russia’s federal security service. They specialize in global espionage-related attacks, most recently across the Middle East.
Still, cyber security experts warn against accusing Turla directly for the attack. In fact, many believe Turla isn’t directly responsible at all. What the discovery does lead to is an increasing assumption that the hack originated from Russia or with the assistance of Russian operative. Whether it was a government-sanctioned or rogue act is yet to be proven. Russia continues to deny any responsibility.