The SolarWinds Hackers Shared Tricks With a Notorious Russian Spy Group

Ever since the December revelation that hackers breached the IT-management software firm SolarWinds, along with an untold number of its customers, Russia has been the prime suspect. But even as US officials have pinned the attack on the Kremlin with varying degrees of certainty, no technical evidence has been published to support those findings. Now Russian cybersecurity firm Kaspersky has revealed the first verifiable clues—three of them, in fact—that appear to link the SolarWinds hackers and a known Russian cyberespionage group.

On Monday morning Kaspersky published new evidence of technical similarities between malware used by the mysterious SolarWinds hackers, known by security industry names including UNC2452 and Dark Halo, and the well-known hacker group Turla, believed to be Russian in origin and also known by the names Venomous Bear and Snake. The group is widely suspected to work on behalf of the FSB, Russia’s successor to the KGB, and has carried out decades of espionage-focused hacking. Kaspersky’s researchers made clear that they’re not claiming UNC2452 is Turla; in fact, they have reason to believe the SolarWinds hackers and Turla aren’t one and the same. But they say their findings suggest that one hacker group at the very least “inspired” the other, and that they may share members or a common software developer building their malware.


Kaspersky’s researchers found three similarities between a UNC2452 backdoor program known as Sunburst and a five-year-old piece of Turla malware known as Kazuar, which was first discovered by security researchers at Palo Alto Networks in 2017. The head of Kaspersky’s Global Research and Analysis Team, Costin Raiu, notes that the three similarities between the hackers’ tools aren’t identical chunks of code, but rather telltale techniques that both have incorporated. That actually makes the connection more significant, Raiu argues. “It’s not a copy-paste effort. It’s more like if I’m a programmer and I write some tools, and they ask me to write something similar, I’ll write it with the same philosophy,” says Raiu. “It’s more like handwriting. That handwriting or style propagates to different projects written by the same person.”

Since the SolarWinds breach was first exposed, Kaspersky says it’s been combing through its archive of malware to find any connections. Only after weeks of reviewing past malware samples was one of its researchers, 18-year-old Georgy Kucherin, able to find the connections to Kazuar, which had been hidden by the techniques Turla used to obscure its code. Kucherin has now found that both Kazuar and Sunburst used a very similar cryptographic technique throughout their code: specifically, a 64-bit hashing algorithm called FNV-1a, with an extra XOR step added to alter the output. The two pieces of malware also used the same cryptographic process to generate unique identifiers to keep track of different victims, in this case an MD5 hashing function followed by an XOR.
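The "hash, then XOR" construction described above is what an analyst has to reproduce to make sense of a sample that stores only hashed strings, and it is also the kind of code-level fingerprint Kaspersky compared across the two families. The following Python is an added illustration, not Kaspersky's tooling or code from either malware family: it implements standard 64-bit FNV-1a with a trailing XOR, an MD5-plus-XOR identifier, and the defender's usual counter-move, precomputing the hashes of candidate strings so hashed values pulled out of a sample can be resolved back to plaintext. The XOR keys and candidate names are constructed placeholders; the article does not give the real constants, and the two families use different ones.

```python
import hashlib

# Constructed placeholder keys. The article does not publish the XOR constants
# used by Sunburst or Kazuar, and the two families do not share them, so these
# values are illustrative only and must be replaced with the constant recovered
# from the specific sample under analysis.
FNV_XOR_KEY = 0x1122334455667788
MD5_XOR_KEY = 0xA5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5  # 128 bits, same width as an MD5 digest

# Standard FNV-1a 64-bit parameters (public algorithm constants).
FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1a_64(data: bytes) -> int:
    """Plain 64-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def fnv1a_64_xor(data: bytes, key: int = FNV_XOR_KEY) -> int:
    """FNV-1a followed by the extra XOR step the article describes.

    The XOR does not add any cryptographic strength; it only changes the output
    so a stock FNV-1a lookup table no longer matches the values in the sample.
    """
    return fnv1a_64(data) ^ key


def md5_xor_id(data: bytes, key: int = MD5_XOR_KEY) -> bytes:
    """MD5 digest followed by a 128-bit XOR, the victim-identifier pattern the article describes."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return (digest ^ key).to_bytes(16, "big")


def build_lookup(candidates, key: int = FNV_XOR_KEY) -> dict:
    """Precompute hash -> plaintext for a candidate wordlist.

    This is the analyst's side of the technique: because the hash is unkeyed
    apart from the XOR constant, any string the malware might compare against
    can be hashed in advance and the sample's embedded values matched to it.
    """
    return {fnv1a_64_xor(name.encode("utf-8"), key): name for name in candidates}


def resolve(hashes, lookup: dict) -> dict:
    """Map each hash found in a sample to its plaintext, or None if no candidate matched."""
    return {h: lookup.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed candidate names; a real wordlist would be built from the
    # analyst's knowledge of what the sample is likely to check for.
    wordlist = ["alpha.exe", "beta.exe", "gamma.exe"]
    table = build_lookup(wordlist)

    # Constructed "values extracted from a sample": two real matches and one unknown.
    extracted = [fnv1a_64_xor(b"beta.exe"), fnv1a_64_xor(b"alpha.exe"), 0xDEADBEEF]
    for h, name in resolve(extracted, table).items():
        print(f"{h:016x} -> {name}")

    print("victim id:", md5_xor_id(b"constructed-hostname").hex())
```

Resolving the hashes only works when the XOR constant is known, which is why the constant itself is worth recording as an indicator: it is a static value that survives recompilation and, as the article reports, differed between the two families even though the construction was the same.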

Finally, both malware specimens used the same mathematical function to determine a random “sleeping time” before the malware communicates back to a command-and-control server, in an effort to evade detection. Those times could be as long as two weeks for Sunburst and as long as four weeks for Kazuar, unusually long delays that indicate a similar level of patience and stealth built into the tools.

Together, those three matches in malware functionality likely represent more than a coincidence, says Kaspersky’s Raiu. “Any one of these three similarities, if you take it by itself, is not that uncommon,” he says. “Two such similarities, that doesn’t happen every day. Three is definitely kind of an interesting find.”
