Woburn, MA – January 11, 2021 – On December 13, 2020, FireEye, Microsoft and SolarWinds announced the discovery of a large, sophisticated supply chain attack that deployed a new, previously unknown backdoor, Sunburst, through trojanized builds of SolarWinds’ Orion IT platform. Today, Kaspersky announced that its experts have found a number of specific code similarities between Sunburst and known versions of the Kazuar backdoor, malware that provides remote access to a victim’s machine. The new findings provide insights that can help researchers move forward in the investigation of the attack.
While studying the Sunburst backdoor, Kaspersky experts discovered a number of features that overlap with Kazuar, a backdoor written in .NET that was first reported by Palo Alto Networks in 2017 and has since been used in cyber-espionage attacks across the globe. Multiple similarities in code suggest a connection between Kazuar and Sunburst, albeit one of undetermined nature.
The overlapping features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm and the extensive use of the FNV-1a hash. According to the experts, the matching code fragments are similar but not identical: enough to suggest that Kazuar and Sunburst may be related, while leaving the nature of that relation unclear.
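FNV-1a, the hash named above, is a public, well-specified algorithm, and the way an analyst typically deals with it in a sample is to precompute hashes of a candidate wordlist and resolve the constants seen in the code back to strings. The block below is an added example written for this page, not code from Kaspersky, the Securelist report, or either malware family. The candidate strings and the "observed" constants are constructed sample input, and the optional final XOR key is a generic variation included to show how a lookup table adapts to a tweaked hash, not a statement about how Sunburst or Kazuar use it.

```python
"""Reference FNV-1a (32/64-bit) plus a hash-resolution table of the kind used
to map hashed identifiers in a sample back to plaintext strings.

Added example for this page; not Kaspersky's or Securelist's code.
CANDIDATE_STRINGS and the constants in demo() are constructed, not recovered
from any real sample.
"""

# (offset basis, prime, mask) from the FNV specification
FNV_PARAMS = {
    32: (0x811C9DC5, 0x01000193, 0xFFFFFFFF),
    64: (0xCBF29CE484222325, 0x100000001B3, 0xFFFFFFFFFFFFFFFF),
}


def fnv1a(data: bytes, bits: int = 32) -> int:
    """FNV-1a: XOR each byte into the state, then multiply by the prime."""
    basis, prime, mask = FNV_PARAMS[bits]
    h = basis
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def build_lookup(candidates, bits: int = 32, encoding: str = "ascii", post_xor: int = 0):
    """Map hash -> string for a wordlist.

    post_xor models a family-specific tweak where the FNV result is XORed
    with a fixed key before being embedded in the binary (assumed variation,
    included so the table can be rebuilt for such a variant).
    """
    table = {}
    for s in candidates:
        table[fnv1a(s.encode(encoding), bits) ^ post_xor] = s
    return table


def resolve(constants, table):
    """Return {constant: resolved string or None} for constants pulled from a sample."""
    return {c: table.get(c) for c in constants}


# Constructed wordlist: the kind of API/library names an analyst would try first.
CANDIDATE_STRINGS = [
    "kernel32.dll",
    "LoadLibraryA",
    "GetProcAddress",
    "VirtualAlloc",
    "CreateProcessA",
    "WriteProcessMemory",
]


def demo(bits: int = 32, post_xor: int = 0):
    """Resolve a few constants against the wordlist.

    Two of the 'observed' constants are computed here so they resolve; the
    third (0xDEADBEEF) stands in for an unknown that the wordlist does not cover.
    """
    table = build_lookup(CANDIDATE_STRINGS, bits, post_xor=post_xor)
    observed = [
        fnv1a(b"VirtualAlloc", bits) ^ post_xor,
        fnv1a(b"GetProcAddress", bits) ^ post_xor,
        0xDEADBEEF,
    ]
    return resolve(observed, table)


if __name__ == "__main__":
    for const, name in demo().items():
        print(f"0x{const:08x} -> {name}")
```

Standard FNV test vectors (for example, FNV-1a 32-bit of "a" is 0xe40c292c) are the quickest way to confirm an implementation before relying on it; if a sample's constants fail to resolve against a wordlist that should contain them, the usual suspects are a different bit width, a different string encoding (UTF-16 is common in .NET code), or a post-processing step such as the final XOR modelled above.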
After Sunburst was first deployed in February 2020, Kazuar continued to evolve, and variants from later in 2020 are, in some respects, even more similar to Sunburst.
Overall, over the years of Kazuar’s evolution, the experts observed continuous development in which significant features resembling Sunburst were added. While the similarities between Kazuar and Sunburst are notable, they could have several explanations: Sunburst may have been developed by the same group as Kazuar; Sunburst’s developers may have used Kazuar as inspiration; a Kazuar developer may have moved to the Sunburst team; or the groups behind Sunburst and Kazuar may have obtained their malware from the same source.
“The identified connection does not give away who was behind the SolarWinds attack, however, it provides more insights that can help researchers move forward in this investigation,” said Costin Raiu, director of Kaspersky’s Global Research and Analysis Team. “We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach. Judging from past experience, for instance, looking back to the WannaCry attack, in the early days, there were very few facts linking it to the Lazarus group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research on this topic will be crucial for connecting the dots.”
Learn more technical details about the similarities between Sunburst and Kazuar in this report on Securelist. Read more Kaspersky research about Sunburst here and learn how Kaspersky protects its customers against the Sunburst backdoor here.
To reduce the risk of infection by malware such as the Sunburst backdoor, Kaspersky recommends:
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal grants access to the company’s TI, providing cyberattack data and insights gathered by Kaspersky for more than 20 years. Free access to its curated features that allow users to check files, URLs and IP addresses is available here.
- Organizations that would like to conduct their own investigations will benefit from the Kaspersky Threat Attribution Engine. It matches discovered malicious code against malware databases and, based on code similarities, attributes it to previously revealed APT campaigns.