
Kaspersky Lab autopsies evidence on SolarWinds hack

In a brave move, Russian firm fingers its own govt as one possible source of cyber badness


Kaspersky Lab reckons the SolarWinds hackers may have hailed from the Turla malware group, itself linked to Russia’s FSB security service.

Referring to the hidden backdoor secretly implanted in SolarWinds' Orion product, Kaspersky’s Georgy Kucherin wrote in a blog post on Monday: “While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar.”

Kaspersky, itself a Russian company, linked that Kazuar remote-access hole (a .NET nasty) with previous research by Palo Alto Networks which attributed it to the Russian state-sponsored Turla crew, who were last spotted targeting the Armenian government and Austria’s Foreign Office.

“While Kazuar and Sunburst may be related, the nature of this relation is still not clear,” summarised Kaspersky. "Through further analysis, it is possible that evidence confirming one or several of these points might arise. At the same time, it is also possible that the Sunburst developers were really good at their opsec and didn’t make any mistakes, with this link being an elaborate false flag."


Palo Alto’s Unit 42 research division published its findings on Turla last summer, stating: “We suspect the Kazuar tool may be linked to the Turla threat actor group (also known as Uroburos and Snake), who have been reported to have compromised embassies, defense contractors, educational institutions, and research organizations across the globe.”

Taking these two snippets together, they suggest an even stronger link between the Russian state and the hackers who successfully compromised SolarWinds. The firm has taken the problem seriously, hiring a consultancy run by US infosec veterans Chris Krebs (former chief of the Cybersecurity and Infrastructure Agency) and Alex Stamos, whose CV includes stints at Yahoo! and Facebook.

“This has been a multiyear effort by one of the very best, the most sophisticated intelligence operations in the world," Krebs told the Financial Times.

The SolarWinds compromise came to public attention in December 2020 after infosec behemoth FireEye, a SolarWinds customer, admitted its systems were unlawfully accessed in “a state-sponsored attack.” ®

Meanwhile... CrowdStrike has detailed how it reckons Orion was infected with a hidden backdoor: a source file was automatically swapped at the right moment when the software was being built on a build server compromised by highly customized malware.
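The build-server attack described above works because the build consumes whatever is on disk at the moment it runs, so a check made before the build starts does not see a file swapped in mid-build. The following added example (not code from CrowdStrike, SolarWinds or this article) shows a defender-side control: take a hash manifest of the source tree, then re-hash each file at the point the build step reads it and refuse to compile anything that no longer matches. File names, the `.cs` glob and the stand-in `compile_step` are constructed for the demo.

```python
"""Build-input integrity check.

Record a manifest of source hashes before the build, then re-hash each source
file at the moment the build step consumes it. A file substituted between those
two points shows up as a mismatch and is never handed to the compiler.
Constructed demo: hypothetical file names and a hypothetical compile step.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large sources do not load at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_sources(root: Path, pattern: str = "**/*.cs") -> dict:
    """Manifest: relative path -> sha256 for every matching source file under root.
    Sorted so the manifest (and the later build order) is deterministic."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.glob(pattern))
        if p.is_file()
    }


def build_with_verification(root: Path, manifest: dict, compile_step) -> list:
    """Hash each source as the build step consumes it.

    Returns the relative paths whose on-disk content differs from the pre-build
    manifest, i.e. files that changed after the snapshot but before the build
    read them. Mismatched inputs are skipped rather than compiled.
    """
    mismatches = []
    for rel, expected in manifest.items():
        data = (root / rel).read_bytes()            # exactly the bytes the compiler would see
        actual = hashlib.sha256(data).hexdigest()
        if actual != expected:
            mismatches.append(rel)
            continue                                # never compile a tampered input
        compile_step(rel, data)
    return mismatches


def simulate_build_time_swap() -> list:
    """Constructed scenario: two sources; Helper.cs is replaced while the build
    is busy with App.cs, i.e. after the manifest was taken but before the build
    reaches Helper.cs. Returns the mismatches the verified build detects."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "App.cs").write_text("class App { }\n")
        (root / "src" / "Helper.cs").write_text("class Helper { }\n")
        manifest = snapshot_sources(root)           # taken before the build starts

        def compile_step(rel: str, data: bytes) -> None:
            # Stand-in for the real compiler. The timed substitution happens
            # here, while App.cs (first in sorted order) is being compiled.
            if rel == "src/App.cs":
                (root / "src" / "Helper.cs").write_text("class Helper { /* swapped */ }\n")

        return build_with_verification(root, manifest, compile_step)


if __name__ == "__main__":
    print("tampered inputs:", simulate_build_time_swap())   # ['src/Helper.cs']
```

The point of hashing inside the build loop rather than only before it is timing: a snapshot taken at the start of the job is correct at that instant, but a substitution made while the job is running is only visible to a check that runs when each file is actually read. In a real pipeline the manifest would come from the version-control commit being built, not from the build host's own disk, so the build machine cannot vouch for itself.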
