Recent cybersecurity research has uncovered intriguing potential connections between the notorious SolarWinds hack and a previously identified malware strain called Kazuar. Kaspersky’s latest analysis highlights overlapping features that suggest a link between the two malicious software architectures.
The SolarWinds incident, disclosed in December 2020, was characterized by its unprecedented scale and stealthiness, where attackers exploited trust in the SolarWinds Orion software to infiltrate sensitive government and corporate networks. This infiltration facilitated the deployment of a unique malware variant named “Sunburst.”
Kaspersky researchers have indicated that the similarities between Sunburst and Kazuar are noteworthy. Both malware families appear to share characteristics such as the use of a sleeping algorithm, designed to keep the malware dormant between connections, and an extensive implementation of the FNV-1a hashing algorithm for code obfuscation. This raises intriguing questions about the possible origins of the Sunburst backdoor.
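The FNV-1a obfuscation mentioned above is worth seeing concretely from the analyst's side. Malware that hashes its strings stores only the FNV-1a value of, for example, a process or service name and compares it against the hash of whatever it finds on the host, so the plain-text name never appears in the binary. Defenders recover such identifiers by hashing a candidate wordlist and looking the embedded constants up. The following is an added example, not code from the article or from Kaspersky's analysis; the candidate names and the "embedded" constants are constructed here, the lower-case UTF-8 normalisation is an assumption about how names are hashed, and the optional `xor_key` models variants that post-process the hash with a fixed XOR constant (also an assumption, not a value taken from the article).

```python
"""
Added example (not from the article or Kaspersky's report): recovering
identifiers that malware has hidden behind FNV-1a hashes.

Standard FNV-1a: h = offset_basis; for each byte: h ^= byte; h *= prime.
All constants below are the published FNV parameters.
"""
from typing import Dict, Iterable, Optional

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x00000100000001B3


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a over raw bytes."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes, xor_key: int = 0) -> int:
    """64-bit FNV-1a over raw bytes.

    xor_key is an assumption for this example: some families post-process the
    hash with a fixed XOR constant, which changes every stored value but not
    the lookup technique (apply the same key when building the table).
    """
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h ^ xor_key


def build_lookup(candidates: Iterable[str], xor_key: int = 0) -> Dict[int, str]:
    """Hash every candidate name once so hash -> name lookups are O(1).

    Lower-casing and UTF-8 encoding are assumptions about how the sample
    normalises names before hashing; a real analysis tries the variants
    (case preserved, UTF-16LE, ...) that the decompiled hash routine shows.
    """
    return {fnv1a_64(name.lower().encode("utf-8"), xor_key): name
            for name in candidates}


def resolve_hashes(hashes: Iterable[int], candidates: Iterable[str],
                   xor_key: int = 0) -> Dict[int, Optional[str]]:
    """Map each embedded hash to a candidate name, or None if no candidate matches."""
    table = build_lookup(candidates, xor_key)
    return {h: table.get(h) for h in hashes}


# Constructed wordlist: the kind of list an analyst feeds in (process names,
# service names, hostnames of interest). Entirely made up for this example.
CANDIDATE_NAMES = ["svchost.exe", "explorer.exe", "procmon.exe", "wireshark.exe"]

# Constructed "embedded" constants, as if pulled out of a sample's comparison
# table. Three are hashes of names in the list; the last is deliberately
# unresolvable so the None path is exercised.
EMBEDDED_HASHES = [
    fnv1a_64(b"procmon.exe"),
    fnv1a_64(b"wireshark.exe"),
    fnv1a_64(b"svchost.exe"),
    0x1122334455667788,  # placeholder constant with no candidate match
]


def demo() -> Dict[int, Optional[str]]:
    """Resolve the constructed constants against the constructed wordlist."""
    return resolve_hashes(EMBEDDED_HASHES, CANDIDATE_NAMES)


if __name__ == "__main__":
    for h, name in demo().items():
        print(f"0x{h:016x} -> {name if name else '<unresolved>'}")
```

The value of the technique lies in the wordlist: the larger and more targeted it is (Windows service names, common security-tool binaries, naming conventions of the victim environment), the more of the sample's comparison table an analyst can decode, and any hash that stays unresolved is itself a lead worth chasing in the binary.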
Attribution of the SolarWinds supply-chain compromise has proven challenging, with few clues linking it to past cyber campaigns. However, Kaspersky’s findings suggest a few possible scenarios: either both Sunburst and Kazuar were developed by the same threat group, or the developers of Kazuar moved on to a different team, taking their original toolset with them. Another possibility posited by the researchers is that the Sunburst developers intentionally planted these overlaps as a deceptive tactic to mislead investigators.
Kazuar, a sophisticated backdoor leveraging the .NET Framework, allows operators to maintain control over compromised systems. It includes functionalities for executing malicious commands, capturing screenshots, and deploying additional features via plugins. This aligns with the capabilities expected of spyware, making it a formidable threat. The Unit 42 team from Palo Alto Networks has tentatively linked Kazuar to the Russian threat group Turla, suggesting a historical continuity in code lineage dating back to at least 2005.
On November 18, 2020, Kazuar underwent a significant redesign, introducing keylogger and password-stealing functionalities. Kaspersky researchers speculate that this redesign could have been an attempt to obscure its connection to the SolarWinds incident, thereby enhancing operational security as threats evolve.
In conjunction with these findings, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and other federal entities, formally attributed the SolarWinds compromise to a likely Russian adversary. CISA’s update emphasized that initial access was achieved through techniques such as password guessing and the exploitation of poorly secured administrative credentials.
While Kaspersky’s findings mark a pivotal moment in understanding the potential links between Kazuar and Sunburst, the precise nature of this relationship remains uncertain. As further investigations unfold, researchers may discover additional evidence that clarifies the methodologies employed in this sophisticated attack. Notably, threat actors are continually improving their operational security strategies, making it imperative for organizations to stay vigilant against emerging cybersecurity threats.