According to a recent report, Gregory Kucherin, Igor Kuznetsov and Costin Raiu, three researchers from security firm Kaspersky Lab, said: “The malware introduced by SolarWinds has strange connections with Russian-speaking hacking groups.” The investigation conducted by these cybersecurity specialists could confirm the concerns of the FBI and CISA.
Was the attack on SolarWinds orchestrated by Russia?
Kaspersky Lab researchers firmly believe that the malware recently discovered in the SolarWinds hack has “obvious similarities” to other malware of Russian origin that has been around since at least 2015. The process is not new. Hackers broke into SolarWinds’ security systems to install other malware, which in turn infiltrated the software of several US companies and government agencies.
For cybersecurity specialists, this hack is certainly one of the worst in modern American history. In particular, the researchers found similarities between Sunburst, the name of the malware that got onto the SolarWinds networks, and Kazuar, another malware that first appeared in 2017. Kazuar happened to be discovered by Turla, one of the world’s most “serious” hacker groups, whose members speak fluent Russian.
Strange similarities between Sunburst and Kazuar
To be precise, the researchers found three similarities in the code and functionality between Sunburst (the malware that infected SolarWinds) and Kazuar. These similarities are as follows:
The algorithm for generating unique identifiers.
The algorithm that makes the malware invisible.
The FNV-1a algorithm that hides the code.
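The third similarity concerns FNV-1a, a public hash function that lets a program compare strings against stored hashes without keeping the plaintext. As an added illustration (not code from the Kaspersky report or from either malware family), the block below implements the standard FNV-1a algorithm in both 32- and 64-bit widths and a resolver an analyst can use to map recovered hashes back to plaintext from a candidate list; the candidate process names are constructed for the example.

```python
# Added example: standard FNV-1a hashing plus a defender-side resolver.
# Constants are the public FNV offset basis and prime, not values taken
# from any malware sample.

FNV32_OFFSET, FNV32_PRIME = 0x811C9DC5, 0x01000193
FNV64_OFFSET, FNV64_PRIME = 0xCBF29CE484222325, 0x100000001B3


def fnv1a(data: bytes, bits: int = 32) -> int:
    """Standard FNV-1a: XOR each byte into the state, then multiply by the prime."""
    if bits == 32:
        h, prime, mask = FNV32_OFFSET, FNV32_PRIME, 0xFFFFFFFF
    elif bits == 64:
        h, prime, mask = FNV64_OFFSET, FNV64_PRIME, 0xFFFFFFFFFFFFFFFF
    else:
        raise ValueError("bits must be 32 or 64")
    for b in data:
        h ^= b                      # XOR the byte in first (the "1a" ordering)
        h = (h * prime) & mask      # then multiply, truncated to the word size
    return h


def resolve_hashes(hashes, candidates, bits=32, encoding="utf-8"):
    """Map each hash to the candidate plaintext that produces it, or None.

    When a sample stores only hashes of the names it checks for, the analyst
    rebuilds this lookup from a wordlist to learn what those names were.
    """
    table = {fnv1a(c.encode(encoding), bits): c for c in candidates}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed wordlist and a constructed "recovered" hash list.
    wordlist = ["explorer.exe", "procmon.exe", "wireshark.exe"]
    recovered = [fnv1a(b"procmon.exe"), 0xDEADBEEF]
    for h, name in resolve_hashes(recovered, wordlist).items():
        print(f"{h:#010x} -> {name}")
```

Unmatched hashes come back as None, which is the signal to extend the wordlist rather than to assume the name is benign.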
The researchers point out, “None of these things are 100% identical, yet these are strange coincidences to say the least. A coincidence would not be so unusual, two coincidences would definitely raise eyebrows, while three such coincidences seem rather suspicious to us.”
This conclusion could mean that the malware introduced into the SolarWinds software was written by the same developers who worked on Kazuar. The researchers do not rule out that it could also be an attempt to deceive investigators.
Kaspersky Lab prefers to remain cautious: “At the moment we don’t know what happened. Although Kazuar and Sunburst seem to have a very close relationship, the nature of that relationship is still unclear. A deeper analysis will certainly provide more factual evidence.” The cyber attack is certainly still ongoing, and researchers know it will take months, maybe years, to understand the effects of this hacking campaign.