SolarWinds Malware Has 'Curious' Ties To Russian-Speaking Hackers (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: The malware used to hack Microsoft, security company FireEye, and at least a half-dozen federal agencies has "interesting similarities" to malicious software that has been circulating since at least 2015, researchers said on Monday. Sunburst is the name security researchers have given to malware that infected about 18,000 organizations when they installed a malicious update for Orion, a network management tool sold by Austin, Texas-based SolarWinds. The unknown attackers who planted Sunburst in Orion used it to install additional malware that burrowed further into select networks of interest. With infections that hit the Departments of Justice, Commerce, Treasury, Energy, and Homeland Security, the hack campaign is among the worst in modern US history. The National Security Agency, the FBI, and two other federal agencies last week said that the Russian government was "likely" behind the attack, which began no later than October 2019. While several news sources, citing unnamed officials, have reported the intrusions were the work of the Kremlin's SVR, or Foreign Intelligence Service, researchers continue to look for evidence that definitively proves or disproves the statements.
On Monday, researchers from Moscow-based security company Kaspersky Lab reported "curious similarities" in the code of Sunburst and Kazuar, a piece of malware that first came to light in 2017. Kazuar, researchers from security firm Palo Alto Networks said then, was used alongside known tools from Turla, one of the world's most advanced hacking groups, whose members speak fluent Russian. In a report published on Monday, Kaspersky Lab researchers said they found at least three similarities in the code and functions of Sunburst and Kazuar. They are:
- The algorithm used to generate the unique victim identifiers;
- The algorithm used to make the malware "sleep," or delay taking action, after infecting a network; and
- Extensive use of the FNV-1a hashing algorithm to obfuscate code.
Monday's post cautions against drawing too many inferences from the similarities. They could mean that Sunburst was written by the same developers behind Kazuar, but they might also be the result of an attempt to mislead investigators about the true origins of the SolarWinds supply chain attack, something researchers call a false flag operation. Other possibilities include a developer who worked on Kazuar and later went to work for the group creating Sunburst, the Sunburst developers reverse engineering Kazuar and using it as inspiration, or developers of Kazuar and Sunburst obtaining their malware from the same source.
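For readers unfamiliar with the third similarity above: malware commonly stores the FNV-1a hash of a string (a process name, an API name) rather than the string itself, so the cleartext never appears in the binary. The snippet below is an added example, not code from the article, Kaspersky, or either malware family. It implements standard FNV-1a (32- and 64-bit) and the lookup an analyst builds to resolve hash constants recovered from a sample back to the strings they came from; the candidate names and the hash list are constructed for illustration.

```python
# Standard FNV-1a parameters (public reference constants, not sample-specific).
FNV32_PRIME, FNV32_OFFSET = 0x01000193, 0x811C9DC5
FNV64_PRIME, FNV64_OFFSET = 0x100000001B3, 0xCBF29CE484222325


def fnv1a(data: bytes, bits: int = 32) -> int:
    """FNV-1a: XOR each input byte into the state, then multiply by the prime."""
    if bits == 32:
        h, prime, mask = FNV32_OFFSET, FNV32_PRIME, 0xFFFFFFFF
    elif bits == 64:
        h, prime, mask = FNV64_OFFSET, FNV64_PRIME, 0xFFFFFFFFFFFFFFFF
    else:
        raise ValueError("bits must be 32 or 64")
    for b in data:
        h ^= b
        h = (h * prime) & mask
    return h


def build_lookup(candidates, bits: int = 32) -> dict:
    """Precompute hashes of strings a sample is likely to compare against
    (security-tool process names, service names, DLL names, and so on)."""
    return {fnv1a(c.encode("utf-8"), bits): c for c in candidates}


def resolve(hash_constants, lookup: dict) -> dict:
    """Map hash constants pulled from a binary back to cleartext where known;
    unresolved hashes map to None so the analyst can see what is still missing."""
    return {h: lookup.get(h) for h in hash_constants}


if __name__ == "__main__":
    # Constructed candidate list: names an analyst might expect a sample to check.
    lookup = build_lookup(["procexp.exe", "wireshark.exe", "sysmon.exe"])
    # Constructed "recovered" constants: two known names plus one unknown hash.
    recovered = [fnv1a(b"sysmon.exe"), fnv1a(b"procexp.exe"), 0xDEADBEEF]
    for h, name in resolve(recovered, lookup).items():
        print(f"0x{h:08x} -> {name}")
```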
tl;dr (Score:3, Insightful)
Monday's post cautions against drawing too many inferences from the similarities.
Nothing to conclude here.
Re: (Score:1)
Re: (Score:2, Informative)
Right, so when they believe they have conclusive evidence there's nothing to see because they won't publish intelligence sources, but when they point out possible indicators and make it clear you can't draw too many inferences from it there's also nothing to see?
It's pretty clear people like you just want to support the Russian campaign and support its plausible deniability efforts either way, because any time there's the slightest hint of Russian involvement in attacks on the West you just want to immediat
Comments (Score:2)
Many instances of "Cyka Blyat".
Re: (Score:2)
Re: (Score:2)
You must be the unluckiest SOB alive.
FNV? (Score:2, Interesting)
FNV is one of the most common hash functions used in code all over the world. That's like saying that both malware sources used loops or conditional jumps.
Re: (Score:3)
There was a hilarious one recently, which was claiming that some malware is Russian because uploads to its distribution centre in dropbox started at 7:30 am Moscow time and that would be 5:30 in the civilized world. Can't find it right now, but the curve was as if someone copied the CPU load curve of the Cisco build servers at Boxboro on the East Coast in the days when everyone had to ssh in to build. First peak at 9:30 Bangalor
Re: (Score:1)
"in the civilized world" (facepalm)
Re: (Score:2)
Re: (Score:2)
No, let's be honest here. I'll go with the country that has a history of lying and cheating was lying and cheating again. That's your reputation, soak in it.
You mean USA? Or UK? As far back as the Opium wars and USS Maine?
Casting a wide net (Score:4, Insightful)
whose members speak fluent Russian
Well, that does NOT rule out any major country's security or espionage services.
So, speaking foreign languages (Score:1)
is a crime again? Who would have thunk it. I better remove the five I speak fluently from my resume then.
Re: (Score:3)
Re: (Score:1)
Yeah, it appears you may be right. Sad.
This is terrible logic (Score:1)
Sorry, but this is crap. It's being proposed to believe that a nation state actor was sophisticated enough to pull a supply chain attack like that against the Pentagon et al, but enough to put some misdirection in their code? Does anyone here really think it would be that hard to rip off a bit of code from something to pin it on someone else? Seriously, whoever was behind this probably has people that speak Russian well enough to assist with the code snippets.
You can't tell anything by the code. The code cou
It's additive, choosing from the list of 8 (Score:5, Insightful)
> It's being proposed to believe that a nation state actor was sophisticated enough to pull a supply chain attack like that against the Pentagon et al,
Yeah from what they did within the target networks, and how long they remained undetected in all of them, it's a team of professionals.
We know that of the tens of thousands of organizations for which they had an open door, they chose to go into top-level US government agencies and a very few strategic private enterprises. They didn't go where they could steal money, didn't go for identity theft, etc. They went for high level US government and similar targets only.
We know that when they owned the networks, they didn't install ransomware, they didn't deface things, they didn't ... What they did was espionage.
So we have:
A team of skilled professionals
Going after the US government
For espionage, not financial gain or anything else
That gives us a pretty short list. That narrows it down to about 8 groups, and three or four of those eight are fairly interchangeable.
OF THOSE EIGHT GROUPS, who routinely uses these particular methods to obfuscate their code?
OF THOSE EIGHT GROUPS, who defaults to Russian?
OF THOSE EIGHT GROUPS, who hits all the SQL servers even before they enumerate the rest of the network?
OF THOSE EIGHT GROUPS, who has used earlier variants of similar malware?
These are all hints to narrow it down from an already short list.
If APT40 (a group from China) regularly used Russian to try to throw people off track, those Russian diphthongs would suggest APT40 might be responsible.
None of these clues is dispositive by themselves; together they help narrow down from the list of 8 or so teams of skilled professionals whose job is espionage against the US government.
Re: (Score:2, Insightful)
I have never disputed that this was done by professionals for purposes of espionage. I agree with you on the well known short list (Fancy Bear, Cozy Bear, Naikon, 61398 etc). What was done was almost certainly done by a nation state and frankly risked being declared as an act of war.
If you're risking war with a particular action you're likely going to try to obfuscate your for plausible deniability. Any nation state capable of putting that hack in place is also going to have the resources and experience to mix
Re: (Score:2)
Yes, these are specific clues and you need to take the totality of clues into consideration.
> What was done was almost certainly done by a nation state and frankly risked being declared as an act of war.
Thinking in terms of pure logic, it could potentially be considered casus belli. On the other hand, these countries perform cyber attacks against the US daily, and the US government does nothing. They don't even complain very loudly, to be frank. :). On the third hand, predicting President Trump's respo
Re: (Score:2)
Re: (Score:1)
> If I put 'Yeah, da!' in my code, does that make me a Russian agent?
Da, comrade.
Racism (Score:1)
Re: Racism (Score:2)
Blaming Russia is okay. Saying it might be China is problematic because everyone is looking for excuses to just go back to tut-tutting them and never actually changing anything about the status quo. Then there's the allied nation with an extensive history of spying on the US no one is allowed to mention at all.
With all these awkward questions coming up when you don't just say it's Russia, it's better for a media/security researcher career to not speculate and just fake certainty.
Re: (Score:1)
Re: (Score:2)
Then there's the allied nation with an extensive history of spying on the US no one is allowed to mention at all
Do you mean like Isra...<gack>... transmission error
Russian-speaking. Lol. (Score:1)
I once ate Russian food too.
I was a 'hacker' once, in my youth.
I read about SolarWinds, not 20 seconds ago!
Ban me! Oooopohhhh! *makes scary noises*
Smells like Borscht? (Score:2)
One of the variables called Babushka?
perspective (Score:2)
the hack campaign is among the best in modern US history.
FTFY
Something Big is Afoot (Score:2)
- Using the turmoil over the 2020 US election as cover
- Trump allies are covering their tracks
- Anonymous is making a comeback, and gathering data on their enemies.
Re: (Score:2)
Really?
* Solarwinds was in March, discovered after the election but obviously unrelated.
* United Nations is clearly a pentesting team drumming up business.
* NZ Central Bank is real, but the timeline hasn't been disclosed.
Nobody is attacking the NZ Central Bank because of the US' exercise in self-flagellation.
Re: (Score:2)
About as much evidence as the election hacking... (Score:2)
ie... admittedly none.
It's a pity we keep seeing this political bullshit on slashdot.
Yes, But... (Score:2)
Specifically: how did this malicious code remain un-detected inside highly sensitive and secure networks for such a long period of time?
I haven't yet read any explanation or primer on this [it would be excellent if anyone aware of details could post some links please]... but from a generic cyber securit