On Monday morning, Moscow-based Kaspersky Lab pointed out three technical similarities between the malware used by the hackers who compromised SolarWinds' systems, a group tracked under security-industry names including UNC2452 and Dark Halo, and malware belonging to the well-known Turla APT.
The group, also known as Venomous Bear and Snake, has carried out a number of espionage campaigns, primarily targeting embassies.
In 2018, Estonian intelligence reported that Turla is "tied to the federal security service" (the Russian FSB), a claim that several cybersecurity companies have since supported.
For most of the cybersecurity community, Russian involvement in the SolarWinds hack is hardly surprising. A joint statement issued last week by the US Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence, and the FBI blamed hackers "likely Russian in origin" for the SolarWinds compromise. Kaspersky Lab's findings, published on Monday, are the first publicly presented technical evidence in support of that claim.
Kaspersky's researchers, Igor Kuznetsov, Georgy Kucherin, and Costin Raiu, do not claim that UNC2452 is Turla; rather, they explain why the two groups are probably connected.
Kaspersky Lab found three similarities between a UNC2452 backdoor known as SUNBURST and Kazuar, a piece of Turla malware roughly five years old that researchers at Palo Alto Networks first described in 2017. The SUNBURST backdoor used in the attack let the hackers receive reconnaissance reports from infected computers and, on that basis, select the victims worth further exploitation.
[The vast majority of the roughly 18,000 infected machines were never selected for further exploitation, showing that the attack was highly targeted.]
Costin Raiu, head of Kaspersky's Global Research and Analysis Team, notes that the three similarities between the two tools are not identical chunks of code but specific techniques that both incorporate, which is what makes the connection significant.
“It’s not a copy-paste effort. It’s more like if I’m a programmer and I write some tools, and they ask me to write something similar, I’ll write it with the same philosophy,” says Costin Raiu. “It’s more like handwriting. That handwriting or style propagates to different projects written by the same person.”
First, Kaspersky Lab found that Kazuar and SUNBURST use a very similar hashing technique throughout their code: a 64-bit version of the FNV-1a hash with an extra step, an XOR against a constant, applied to the result. FNV-1a is a fast non-cryptographic hash; used this way it lets the malware compare strings such as process names against a hashed list without carrying the plaintext.
Second, Turla's Kazuar and SUNBURST use the same process to generate the unique identifiers with which they keep track of individual victims: an MD5 hash followed by an XOR.
Finally, both malware families use the same mathematical formula to determine a random "sleeping time" before the implant first communicates with its command-and-control server, in an effort to evade detection. That delay can be as long as two weeks for SUNBURST and as long as four weeks for Kazuar.
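The first two similarities above are concrete enough to reproduce. The following is an added example, written for this article and not Kaspersky's or either malware family's own code. It implements 64-bit FNV-1a with the extra XOR step, shows how a defender uses that function to decode a hashed blocklist by hashing candidate names, and implements the MD5-then-XOR victim identifier in the Kazuar style (XOR of the two halves of the digest). Assumptions: the XOR key is the value reported for SUNBURST in public analyses of the backdoor; the lower-casing of names and the blocklist contents are choices made here for illustration; SUNBURST's own post-MD5 step differs in detail, so the UID function shows the shared pattern rather than an exact reimplementation.

```python
"""Added example: FNV-1a 64 + XOR and MD5 + XOR as described in the article.
Not code from Kaspersky, SUNBURST or Kazuar."""
import hashlib
import struct

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1

# XOR key applied after FNV-1a, as reported for SUNBURST in public analyses
# (6605813339339102567 in decimal).
SUNBURST_XOR_KEY = 0x5BAC903BA7D81967


def fnv1a64(data: bytes) -> int:
    """Plain 64-bit FNV-1a (a non-cryptographic hash)."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def fnv1a64_xor(name: str, key: int = SUNBURST_XOR_KEY) -> int:
    """FNV-1a followed by the extra XOR step. Lower-casing the input is an
    assumption made here so that case differences do not change the hash."""
    return fnv1a64(name.lower().encode("utf-8")) ^ key


def decode_hashlist(hashes, candidates, key: int = SUNBURST_XOR_KEY) -> dict:
    """Defender's view: recover the plaintext behind a hashed blocklist by
    hashing candidate strings and matching. Unmatched hashes map to None."""
    table = {fnv1a64_xor(c, key): c for c in candidates}
    return {h: table.get(h) for h in hashes}


def md5_xor_uid(*parts: str) -> int:
    """Kazuar-style victim ID: MD5 over the joined host data, then XOR of the
    two 64-bit halves of the digest (little-endian)."""
    digest = hashlib.md5("".join(parts).encode("utf-8")).digest()
    lo, hi = struct.unpack("<QQ", digest)
    return lo ^ hi


if __name__ == "__main__":
    # Constructed blocklist: hashes of a few analysis-tool process names.
    blocklist = [fnv1a64_xor(n) for n in ("procmon", "wireshark", "x64dbg")]
    # An analyst guesses candidate names; unknown hashes stay unresolved.
    print(decode_hashlist(blocklist + [0], ["procmon", "x64dbg", "ida"]))
    # Constructed host data: MAC address, domain and machine GUID.
    print(hex(md5_xor_uid("00-11-22-33-44-55", "corp.example", "1234-5678")))
```

Decoding works only for names an analyst thinks to try, which is why public SUNBURST write-ups recovered the blocklist with large candidate lists of security products rather than by reversing the hash.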
“Any one of these three similarities, if you take it by itself, is not that uncommon,” says Costin Raiu. “Two such similarities, that doesn’t happen every day. Three is definitely kind of an interesting find.”
Furthermore, the most recent findings of the investigation by SolarWinds, security companies, intelligence services and law enforcement show that the operation began well before February 2020: a piece of malware named SUNSPOT was planted in SolarWinds' build environment and operated for months before SUNBURST was activated. SolarWinds CEO Sudhakar Ramakrishna confirmed that the hackers ran a test in autumn 2019 to make sure SolarWinds would not detect their planned operation.
"When SUNSPOT finds an MsBuild.exe process [part of the Microsoft Visual Studio development tools], it will spawn a new thread to determine if the Orion software is being built and, if so, hijack the build operation to inject SUNBURST. The monitoring loop executes every second, allowing SUNSPOT to modify the target source code before it has been read by the compiler," CrowdStrike's researchers explained.
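The technique quoted above works because nothing compares the source files the compiler reads against the source that was checked out. The following is an added example, not SolarWinds' build tooling or CrowdStrike's code, of the kind of build-time integrity check that would surface such a swap: hash the source tree right after checkout, verify it immediately before invoking the compiler, and verify again afterwards so a swap-and-restore during compilation still leaves a record. Paths, file contents and the compile step are constructed for the demonstration; the file name InventoryManager.cs follows the public SUNSPOT write-ups, and the manifest is assumed to be stored somewhere the build agent cannot write to.

```python
"""Added example: source-tree integrity check around a build step, aimed at
the SUNSPOT swap-before-compile technique. Not SolarWinds' or CrowdStrike's code."""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(root: str, suffixes=(".cs",)) -> dict:
    """Hash every source file under root, keyed by POSIX-style relative path.
    Take this right after checkout and keep it off the build host (assumption)."""
    root_path = Path(root)
    return {p.relative_to(root_path).as_posix(): _sha256(p)
            for p in sorted(root_path.rglob("*")) if p.suffix in suffixes}


def verify(root: str, manifest: dict, suffixes=(".cs",)) -> dict:
    """Compare the tree as the compiler will see it against the manifest."""
    now = snapshot(root, suffixes)
    return {
        "modified": sorted(p for p in manifest if p in now and now[p] != manifest[p]),
        "added": sorted(p for p in now if p not in manifest),
        "removed": sorted(p for p in manifest if p not in now),
    }


def guarded_build(root: str, manifest: dict, compile_fn) -> dict:
    """Refuse to compile a tampered tree; re-verify after compiling so that a
    file restored during the build is still recorded as having changed."""
    before = verify(root, manifest)
    if any(before.values()):
        return {"built": False, "before": before, "after": None}
    compile_fn(root)
    return {"built": True, "before": before, "after": verify(root, manifest)}


def _make_tree(tmp: str) -> Path:
    src = Path(tmp) / "Orion" / "Core"
    src.mkdir(parents=True)
    (src / "InventoryManager.cs").write_text("class InventoryManager { }\n")
    (src / "Other.cs").write_text("class Other { }\n")
    return src


def demo_tampered() -> dict:
    """Constructed scenario: manifest taken at checkout, then a file is
    replaced in the window before the compiler reads it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = _make_tree(tmp)
        manifest = snapshot(tmp)
        (src / "InventoryManager.cs").write_text("class InventoryManager { /* injected */ }\n")
        return guarded_build(tmp, manifest, lambda _root: None)


def demo_clean() -> dict:
    """Same tree with no tampering: the build proceeds and both checks pass."""
    with tempfile.TemporaryDirectory() as tmp:
        _make_tree(tmp)
        manifest = snapshot(tmp)
        return guarded_build(tmp, manifest, lambda _root: None)


if __name__ == "__main__":
    print(demo_tampered())
    print(demo_clean())
```

The check is only as trustworthy as the manifest's storage: SUNSPOT ran on the build server itself, so a manifest written and read on the same host could be rewritten along with the source.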
Investigators have not yet drawn final conclusions about the timeline, the origin of the attack or the full set of tools used.