SolarWinds hack: Kaspersky sees a connection between Sunburst and Kazuar

According to a blog post, IT security experts at Kaspersky see a connection between the recent SolarWinds hack, which infiltrated NASA, the Pentagon, and other sensitive targets, and the Kazuar malware. While analyzing the Sunburst backdoor, the researchers found several features that had already been used in the Kazuar backdoor, which is written for the .NET Framework.

"Similarities in the code indicated a connection between Kazuar and Sunburst, albeit of an as yet undetermined nature."

Kaspersky

Kazuar malware known since 2017

According to Kaspersky, the Kazuar malware was first discovered in 2017 and was likely developed by the APT actor Turla, which allegedly used Kazuar to conduct cyber espionage around the world. Several hundred military and government targets were reportedly infiltrated in the process. Turla was first reported on by Kaspersky and Symantec at the Black Hat 2014 conference in Las Vegas.

Kazuar Development period (source: securelist.com)

However, this does not automatically mean that Turla is also responsible for the SolarWinds hack, in which 18,000 government agencies, businesses and organizations were attacked via a trojanized version of the Orion IT management software.

Generation algorithm, wake-up algorithm and FNV1a hash

According to the Kaspersky analysis, the most striking similarities between Sunburst and Kazuar are the wake-up (sleep) algorithm, the victim ID generation algorithm, and the use of the FNV1a hash. The code used in these three places is highly similar, but not identical. Sunburst and Kazuar therefore appear to be "related", but the exact nature of the relationship between the two malware families has not yet been determined.
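Of the three shared features, FNV1a is a public, well-documented algorithm, which makes it the easiest one to illustrate. The following is an added example, not code from the Kaspersky post or from either malware family: it implements the standard 32- and 64-bit FNV-1a hash and shows how an analyst can use it to resolve hash constants found in a sample back to plaintext by precomputing hashes of a candidate wordlist. The wordlist and the "recovered" constants are constructed here for the example; the specific hash variant, offset basis and any constants used by Sunburst or Kazuar are not taken from the page.

```python
"""FNV-1a hashing and a reverse-lookup helper for malware string analysis.

Malware often stores FNV-1a hashes of strings (process names, API names,
hostnames) instead of the strings themselves. An analyst who suspects FNV-1a
can hash a wordlist and match the results against constants in the sample.
"""

# Standard FNV-1a parameters (public algorithm constants, not sample-specific).
FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x00000100000001B3


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b                          # XOR before multiply is what makes it "1a"
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a_64(data: bytes) -> int:
    """64-bit FNV-1a, same structure with 64-bit offset basis and prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


def build_lookup(candidates, hasher=fnv1a_64):
    """Precompute hash -> plaintext for strings the malware is expected to hash."""
    return {hasher(c.encode()): c for c in candidates}


def resolve_constants(constants, lookup):
    """Map hash constants pulled from a sample to plaintext; None if unknown."""
    return {c: lookup.get(c) for c in constants}


# Constructed example data (hypothetical, not from any real sample): a short
# wordlist of process names an analyst wants to check, and three constants
# "recovered" from a sample, two of which are built by hashing wordlist entries.
CANDIDATES = ["procmon.exe", "wireshark.exe", "x64dbg.exe", "notepad.exe"]
LOOKUP = build_lookup(CANDIDATES)
SAMPLE_CONSTANTS = [
    fnv1a_64(b"wireshark.exe"),
    fnv1a_64(b"x64dbg.exe"),
    0xDEADBEEFDEADBEEF,                 # placeholder for a constant not in the wordlist
]

if __name__ == "__main__":
    for const, name in resolve_constants(SAMPLE_CONSTANTS, LOOKUP).items():
        print(f"0x{const:016x} -> {name or '<unresolved>'}")
```

In practice the wordlist comes from the analyst (common tool and process names, Windows API names, the organization's own hostnames), and an unresolved constant is itself a signal: it may be a custom variant of the hash, a different offset basis, or a string that was lowercased or otherwise normalized before hashing, all of which are worth checking before ruling the algorithm out.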

One likely explanation is that Sunburst and Kazuar were written by the same developers. However, it is also possible that Sunburst was developed by a different group that used the successful Kazuar malware as a template, or that individual developers from the Kazuar team later joined the Sunburst team.

False Flag Operation

However, it is also possible that the similarities between Kazuar and Sunburst were built in deliberately, to lay false trails for the malware analyses that were bound to follow.

"The link found does not reveal who was behind the SolarWinds attack, but offers further insight that can help researchers take this analysis further."

Costin Raiu
