Ever since the December revelation that hackers breached IT management software firm SolarWinds, along with an untold number of its customers, Russia has been the prime suspect. But even as US officials have pinned the attack on the Kremlin with varying degrees of certainty, no technical evidence has been published to support those findings. Now Russian cybersecurity firm Kaspersky has revealed the first verifiable clues— three of them, in fact—that appear to link the SolarWinds’ hackers and a known Russian cyberespionage group.
On Monday morning Kaspersky published new evidence of technical similarities between malware used by the mysterious SolarWinds hackers, known by security industry names including UNC2452 and Dark Halo, and the well-known hacker group Turla, believed to be Russian in origin and also known by the names Venomous Bear and Snake. The group is widely suspected to work on behalf the FSB, Russia’s successor to the KGB, and has carried out decades of espionage-focused hacking. Kaspersky’s researchers made clear that they’re not claiming UNC2452 is Turla; in fact, they have reason to believe the SolarWinds hackers and Turla aren’t one and the same. But they argue that their findings suggest one hacker group at the very least “inspired” the other, and may have common members between them or a shared software developer building their malware.
Kaspersky’s researchers found three similarities in the UNC2452 backdoor program known as SunBurst and a five-year-old piece of Turla malware known as Kazuar, which was first discovered by security researchers at Palo Alto Networks in 2017. The head of Kaspersky’s Global Research & Analysis Team, Costin Raiu, notes that the three similarities between the hackers’ tools aren’t identical chunks of code, but rather telltale techniques that both have incorporated. That actually makes the connection more significant, Raiu argues. “It’s not a copy-paste effort. It’s more like if I’m a programmer and I write some tools, and they ask me to write something similar, I’ll write it with the same philosophy,” says Raiu. “It’s more like handwriting. That handwriting or style propagates to different projects written by the same person.”
Since the SolarWinds breach was first exposed, Kaspersky says it’s been combing through its archive of malware to find any connections. Only after weeks reviewing past malware samples was one of its researchers, 18-year-old Georgy Kucherin, able to find the connections to Kazuar, which had been hidden by the techniques Turla used to obscure its code. Kucherin has now found that both Kazuar and Sunburst used a very similar cryptographic technique throughout their code: specifically a 64-bit hashing algorithm called FNV-1a, with an added extra step known as XOR to alter the data. The two pieces of malware also used the same cryptographic process to generate unique identifiers to keep track of different victims, in this case an MD5 hashing function followed by an XOR.
Finally, both malware specimens used the same mathematical function to determine a random “sleeping time” before the malware communicates back to a command control server in an effort to evade detection. Those times could be as long as two weeks for Sunburst and as long as four weeks for Kazuar, unusually long delays that indicate a similar level of patience and stealth built into the tools.
Together, those three matches in malware functionality likely represent more than a coincidence, says Kaspersky’s Raiu. “Any one of these three similarities, if you take it by itself, is not that uncommon,” he says. “Two such similarities, that doesn’t happen every day. Three is definitely kind of an interesting find.”
More than merely “interesting,” those connections represent a “great find,” says Dmitri Alperovitch, the cofounder and former chief technology officer of security firm CrowdStrike. “This is confirming the attribution to at least Russian intelligence,” Alperovitch says.