At the end of 2020 a supply chain attack affecting SolarWinds rippled throughout the world as clients of the firm were compromised by what was called a highly sophisticated threat actor.
Now, Kaspersky has discovered links to a Russian hacking group within the so-called Sunburst malware that was used in the attack.
The cybersecurity firm notes specific code similarities between Sunburst and Kazuar which is tied to a a hacking group known as Turla.
“While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Kazuar is a .NET backdoor first reported by Palo Alto in 2017. Palo Alto tentatively linked Kazuar to the Turla APT group, although no solid attribution link has been made public. Our own observations indeed confirm that Kazuar was used together with other Turla tools during multiple breaches in past years,” wrote Kaspersky.
There are strong signs that Kazuar and Sunburst are linked, possibly even developed by the same group but this could simply be a matter of developers sharing notes and copying each other.
Of course, threat actors could have moved between hacking groups explaining the similarities.
The most worrying theory right now is that these links could be a red herring designed to shift blame.
“Supply chain attacks are some of the most sophisticated types of attacks nowadays and have been successfully used in the past by APT groups such as Winnti/Barium/APT41 and various cybercriminal groups,” wrote a trio of researchers at Kaspersky.
This sophistication in the development of these attacks lends credence to the fact that the similarities aren’t a mistake but intentional.
The cybersecurity firm says that additional investigation into Sunburst is still needed to fully understand who created it.
“Further research on this topic can be crucial to connecting the dots,” Kaspersky concluded.
Right now it’s still unclear who is behind a supply chain attack that has experts worried about the state of cybersecurity and we’re deadly curious to find out who is behind this attack.
[Image – CC 0 Pixabay]