Kaspersky Connects SolarWinds Attack Code to Known Russian APT Group
The Turla cyberespionage group has been linked to the SolarWinds breach because of similarities between the malware used in the attack and Kazuar, a backdoor the group has used. The attackers, believed to be based in Russia, targeted SolarWinds in a sophisticated attempt to breach the systems of hundreds of high-profile organizations. The attack used a malware called Sunburst. Some 18,000 SolarWinds customers, among them a few hundred government and private sector organizations, received the backdoor malware.
Although the attack had not been clearly tied to a known group, Kaspersky discovered a link between the Sunburst malware and Kazuar, a .NET backdoor that has been in use since 2015. Evidence found by Palo Alto Networks from 2015 suggested that Turla used the Kazuar malware. The Russia-linked cyberespionage group is known to have attacked government organizations over the past 14 days. Sunburst and Kazuar could both have been developed by Turla, or Sunburst could have been built from similar code and ideas without any direct connection. The similarities between the two could also stem from a shared source for the malware, or they could be false evidence planted as a false flag. The investigation is ongoing.