Kaspersky: SolarWinds Backdoor Similar to Russian 'Kazuar'For Example, Both Backdoors Use Same 'Sleeping' Algorithm
The "Sunburst" backdoor deployed in the breach of SolarWinds’ Orion network monitoring tool uses some of the same code found in the "Kazuar" backdoor, which security researchers have previously tied to Russian hackers, according to an analysis released Monday by the security firm Kaspersky.
See Also: Threat Briefing: Ransomware
Earlier this month, the U.S. law enforcement and intelligence agencies investigating the SolarWinds supply chain hack said the attack likely was the work of a Russian advanced persistent threat group carrying out a cyberespionage campaign (see: SolarWinds Attack: Pointing a Finger at Russia).
The SolarWinds’ Orion breach, which is believed to have affected 18,000 organizations, led to follow-on attacks on government agencies and others.
Although the agencies did not name the hacking group responsible, The Washington Post and other news media outlets have reported that the threat actor is likely a Russian APT known as APT29 or Cozy Bear. Russia has denied playing any role the attack (see: SolarWinds Orion: Fixes Aim to Block Sunburst and Supernova).
Kaspersky researchers say they found three overlaps between Sunburst and Kazuar. That includes the "sleeping" algorithm that calculates the time between when the backdoors are planted within a network and when they connect to the attackers' command-and-control server.
In its initial report about the SolarWinds hack, security firm FireEye, which was one of the victims, found that after the Sunburst backdoor was sent as part of an update of SolarWinds’ Orion, the malware would remain dormant for two weeks before attempting to contact the hackers' command-and-control server. This helped ensure that security tools would not pick up the initial intrusion.
The new report from Moscow-based Kaspersky stresses that while there is code overlap between the Sunburst and Kazuar backdoors, there’s no direct link between the two malware variants.
The use of similar code in both backdoors could be a "false flag" operation, Kaspersky says. On the other hand, it's also possible the operators of Sunburst and Kazuar drew from the same source code, or that one or more developers who worked on Kazuar moved to the group that developed Sunburst, taking some malicious tools and knowledge with them, Kaspersky adds.
"The identified connection does not give away who was behind the SolarWinds attack,” Costin Raiu, director of Kaspersky's global research and analysis team, notes in the report. “However, it provides more insights that can help the researchers move forward in this investigation. We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach."
The Kazuar backdoor that shares some code similarities with Sunburst was originally uncovered by researchers at Palo Alto Networks’ Unit 42 in 2017.
Since then, Unit 42 and other researchers have attributed Kazuar, which is written in .NET, to a Russian-linked hacking group known as Turla, which has carried out a series of operations, usually targeting government or military agencies, in at least 35 countries since about 2008.
In October, researchers at Accenture found Turla had recently revamped Kazuar with added features, including the ability to receive commands through uniform resource identifiers - a sequence of characters that identifies a logical or physical resource - that point to internal command-and-control nodes attached to the victim's network (see: Russian Hacking Group Upgrades Malicious Toolset).
The Accenture researchers uncovered this updated version of Kazuar after the Turla group targeted an unnamed European government agency to exfiltrate data as part of an espionage campaign.
In its new report this week, the Kaspersky researchers note that Kazuar underwent a major upgrade around November that added features and also made the source code more difficult to analyze.
The Kaspersky report also notes that there have been similarities in malicious tools used by APT29 and Turla. It's possible that Turla is a subgroup of a larger, umbrella operation andtht its hackers sometimes borrow source code deployed by other threat actors.
The Kaspersky researchers describe three areas in which the Sunburst and Kazuar source code overlap.
Both use the same algorithm to calculate the time between when the backdoor is implanted in a device or network and when it connects to the command-and-control server. The backdoors use two time stamps. The first is the minimal sleeping time and the second is the maximum sleeping time. Sunburst and Kazuar then use a mathematical formula to calculate the waiting time before contacting the command-and-control server, the Kaspersky researchers say.
"It's noteworthy that both Kazuar and Sunburst wait for quite a long time before or in-between [command-control] connections," the Kaspersky researchers note. "By default, Kazuar chooses a random sleeping time between two and four weeks, while Sunburst waits from 12 to 14 days. Sunburst, like Kazuar, implements a command which allows the operators to change the waiting time between two [command-and-control] connections."
In another overlap, the researchers found Sunburst and Kazuar both use FNV-1a hashing throughout their code. Kazuar's developers first started using this algorithm in 2015 and have since upgraded from a 32-bit version to a 64-bit version, Kaspersky reports.
Sunburst deployed a 64-bit version of FNV-1a as a way to obfuscate strings in the source code, the researchers say.
Sunburst and Kazuar also both use a similar algorithm that allows them to create unique identifiers for each target, according to the report.
"Several code fragments from Sunburst and various generations of Kazuar are quite similar. We should point out that, although similar, these code blocks, such as the [user identification] calculation subroutine and the FNV-1a hashing algorithm usage, as well as the sleep loop, are still not 100% identical," Kaspersky says "Together with certain development choices, these suggest that a kind of a similar thought process went into the development of Kazuar and Sunburst."
Kaspersky's Raiu notes that while none of the algorithms used are unique, the overlap in these three areas warrants further investigation of a possible connection.
"This is why they shouldn't be looked at independently from the others," Raiu tells Information Security Media Group. "One coincidence wouldn't be that unusual. Two coincidences would definitively raise an eyebrow, while three such coincidences are kind of suspicious to us."
The ongoing investigation into the SolarWinds breach is attempting to determine which private companies and federal agencies have been most affected by the attack. The Treasury, Commerce, Energy, Homeland Security and Justice departments, as well as parts of the Pentagon, all were targeted, along with technology firms, including FireEye, Intel and Nvidia (see: Severe SolarWinds Hacking: 250 Organizations Affected?).
The weaponized Orion software update that contained Sunburst was sent to about 18,000 of SolarWinds' customers starting in March 2020. In some cases, the attackers dropped a second-stage malware called Teardrop that could exfiltrate data, install additional malware and backdoors and help hackers reach other systems, some security researchers say.
The U.S. Cybersecurity and Infrastructure Security Agency, which is one of the departments investigating the breach, has previously noted that the hackers may have used other attack vectors besides the Orion update to target certain victims. On Friday, CISA released a new report that found the threat actors may have used password guess and password spraying techniques to gain additional administrative privileges.
This would have allowed the hackers to forge authentication tokens and then gain access to additional cloud resources and environments, according to CISA.