Ever since the December revelation that hackers breached the IT-management software firm SolarWinds, along with an untold number of its customers, Russia has been the prime suspect. But even as US officials have pinned the attack on the Kremlin with varying degrees of certainty, no technical evidence has been published to support those findings. Now Russian cybersecurity firm Kaspersky has revealed the first verifiable clues— three of them, in fact—that appear to link the SolarWinds hackers and a known Russian cyberespionage group.
On Monday morning Kaspersky published new evidence of technical similarities between malware used by the mysterious SolarWinds hackers, known by security industry names including UNC2452 and Dark Halo, and the well-known hacker group Turla, believed to be Russian in origin and also known by the names Venomous Bear and Snake. The group is widely suspected to work on behalf the FSB, Russia’s successor to the KGB, and has carried out decades of espionage-focused hacking. Kaspersky’s researchers made clear that they’re not claiming UNC2452 is Turla; in fact, they have reason to believe the SolarWinds hackers and Turla aren’t one and the same. But they say their findings suggest that one hacker group at the very least “inspired” the other, and they may have common members between them or a shared software developer building their malware.
Kaspersky’s researchers found three similarities in a UNC2452 backdoor program known as SunBurst and a five-year-old piece of Turla malware known as Kazuar, which was first discovered by security researchers at Palo Alto Networks in 2017. The head of Kaspersky’s Global Research and Analysis Team, Costin Raiu, notes that the three similarities between the hackers’ tools aren’t identical chunks of code, but rather telltale techniques that both have incorporated. That actually makes the connection more significant, Raiu argues. “It’s not a copy-paste effort. It’s more like if I’m a programmer and I write some tools, and they ask me to write something similar, I’ll write it with the same philosophy,” says Raiu. “It’s more like handwriting. That handwriting or style propagates to different projects written by the same person.”
Since the SolarWinds breach was first exposed, Kaspersky says it’s been combing through its archive of malware to find any connections. Only after weeks reviewing past malware samples was one of its researchers, 18-year-old Georgy Kucherin, able to find the connections to Kazuar, which had been hidden by the techniques Turla used to obscure its code. Kucherin has now found that both Kazuar and Sunburst used a very similar cryptographic technique throughout their code: specifically, a 64-bit hashing algorithm called FNV-1a, with an added extra step known as XOR to alter the data. The two pieces of malware also used the same cryptographic process to generate unique identifiers to keep track of different victims, in this case an MD5 hashing function followed by an XOR.
Finally, both malware specimens used the same mathematical function to determine a random “sleeping time” before the malware communicates back to a command control server in an effort to evade detection. Those times could be as long as two weeks for Sunburst and as long as four weeks for Kazuar, unusually long delays that indicate a similar level of patience and stealth built into the tools.
Together, those three matches in malware functionality likely represent more than a coincidence, says Kaspersky’s Raiu. “Any one of these three similarities, if you take it by itself, is not that uncommon,” he says. “Two such similarities, that doesn’t happen every day. Three is definitely kind of an interesting find.”
More than merely “interesting,” those connections represent a “great find,” says Dmitri Alperovitch, the cofounder and former chief technology officer of security firm CrowdStrike. “This is confirming the attribution to at least Russian intelligence,” Alperovitch says.
But while Alperovitch notes that Turla is widely understood to be an FSB hacking group, he argues that Kaspersky’s clues don’t provide enough evidence to say the SolarWinds attack was carried out by the FSB. “To attribute this to FSB because Turla has used this code would be a mistake,” Alperovitch says. “We don’t know about the structure of these organizations to know if they’re using shared contractors, or if you have people who have moved from one to the other.”
If SolarWinds were tied to Turla, that attribution would make the most recent Russian intrusion campaign part of a long lineage of epic hacking. Turla is widely believed to be behind past spying operations, from the Agent.btz worm that was discovered inside US military networks in 2008 to more recent espionage campaigns that hijacked satellite internet connections to hide its command and control servers and silently commandeered Iranian hackers’ servers to piggyback on their spying. Some evidence even suggests that Turla—or a predecessor in the same organization–carried out the massive spying operation known as Moonlight Maze in the late 1990s.
But Kaspersky’s Raiu argues that the theory that Turla carried out SolarWinds isn’t merely unconfirmed, but also unlikely. Many of the distinctive tricks used in the SolarWinds hack don’t actually match Turla’s usual practices, including those Kaspersky has seen Turla continue to use against targets like foreign embassies around the world throughout 2020. And since the 2008 Agent.btz worm, he points out, there’s no evidence Turla that has spied on any US targets, whereas the SolarWinds hack has already been confirmed to have breached more than half a dozen US federal agencies.
Kaspersky’s evidence isn’t quite a “smoking gun” tying the SolarWinds hack directly to any known group, says Joe Slowik, a security researcher at DomainTools. But he adds that “this research does lend further, third-party, technical support to US government claims tying [the SolarWinds intrusion] activity to Russian intelligence services, even if the specific entity remains somewhat unclear.”
One possibility that can’t be entirely ruled out, Kaspersky notes, is a “false flag” attack that purposefully planted Turla-linked evidence to frame the group. But Kaspersky’s Raiu believes that’s unlikely. Aside from the sheer obscurity of the software similarities that Kaspersky has detected, one of the three clues—the FNV-1a hashing algorithm—actually appears only in a version of Turla’s Kazuar tool that was discovered in November 2020; the SolarWinds Sunburst malware dates back to at least February of this year. Barring the improbable scenario that the SolarWinds hackers saw an earlier version of the Kazuar malware that no one else in the cybersecurity industry spotted, that suggests Turla and the SolarWinds hackers are instead using tools that are part of the same chain of development. “We’re seeing branches of evolution,” says Raiu. “There’s this branch of Kazuar that evolved over the last five years, and a snapshot of it overlaps with the Sunburst deployment.”
For most of the cybersecurity community, any evidence that links the SolarWinds attack to Russia is hardly a surprise. A joint statement last week from the US Cybersecurity and Infrastructure Security Agency, the FBI, and the Office of the Director of National Intelligence blamed hackers that were “likely Russian in origin” for the SolarWinds intrusions. Senator Mark Warner, vice chairman of the Senate Select Committee on Intelligence, even accused the White House of watering down that statement to include the “likely” caveat.
But skeptics have nonetheless cast doubt on the Russia attribution—including president Donald Trump, who baselessly suggested China might be responsible for the SolarWinds intrusions in a tweet last month. So Kaspersky’s Raiu says he hopes the findings his team has published can help to move the conversation toward public, verifiable evidence. “Rather than any kind of a given storyline, or pushing out a theory without technical evidence, we want to establish a foundation of technical facts,” Raiu says. “We want to put something technical out there and offer a lead in the right direction.”
More Great WIRED Stories
📩 Want the latest on tech, science, and more? Sign up for our newsletters!
Real Life. Real News. Real Action
Zillion Things Mobile!Read More-Visit US
The right way to hook your laptop up to a TV
The oldest crewed deep sea submarine gets a big makeover
The best pop culture that got us through a long year
Death, love, and the solace of a million motorcycle parts
Hold everything: Stormtroopers have discovered tactics
🎮 WIRED Games: Get the latest tips, reviews, and more
Subscribe to the newsletter news
We hate SPAM and promise to keep your email address safe