SolarWinds hackers linked to known Russian spying tools, investigators say
[January 11, 2021]
By Jack Stubbs
LONDON (Reuters) - The group behind a global cyber-espionage campaign discovered last month deployed malicious computer code with links to spying tools previously used by suspected Russian hackers, researchers said on Monday.
Investigators at Moscow-based cybersecurity firm Kaspersky said the "backdoor" used to compromise up to 18,000 customers of U.S. software maker SolarWinds closely resembled malware tied to a hacking group known as "Turla," which Estonian authorities have said operates on behalf of Russia's FSB security service.
The findings are the first publicly available evidence to support assertions by the United States that Russia orchestrated the hack, which compromised a raft of sensitive federal agencies and is among the most ambitious cyber operations ever disclosed.
Moscow has repeatedly denied the allegations. The FSB did not respond to a request for comment.
Costin Raiu, head of global research and analysis at Kaspersky, said there were three distinct similarities between the SolarWinds backdoor and a hacking tool called "Kazuar" which is used by Turla.
The similarities included the way both pieces of malware attempted to obscure their functions from security analysts, how the hackers identified their victims, and the formula used to calculate periods when the viruses lay dormant in an effort to avoid detection.
"One such finding could be dismissed," Raiu said. "Two things definitely make me raise an eyebrow. Three is more than a coincidence."
Confidently attributing cyberattacks is extremely difficult and strewn with possible pitfalls. When Russian hackers disrupted the Winter Olympics opening ceremony in 2018, for example, they deliberately imitated a North Korean group to try to deflect the blame.
[Photo: SolarWinds Corp banner hangs at the New York Stock Exchange (NYSE) on the IPO day of the company in New York, U.S., October 19, 2018. REUTERS/Brendan McDermid/File Photo]
Raiu said the digital clues uncovered by his team did not directly implicate Turla in the SolarWinds compromise, but did show there was a yet-to-be-determined connection between the two hacking tools.
It's possible they were deployed by the same group, he said, but also that Kazuar inspired the SolarWinds hackers, that both tools were purchased from the same spyware developer, or even that the attackers planted "false flags" to mislead investigators.
Security teams in the United States and other countries are still working to determine the full scope of the SolarWinds hack. Investigators have said it could take months to understand the extent of the compromise and even longer to evict the hackers from victim networks.
U.S. intelligence agencies have said the hackers were "likely Russian in origin" and targeted a small number of high-profile victims as part of an intelligence-gathering operation.
(Reporting by Jack Stubbs; Editing by Chris Sanders and Edward Tobin)
© 2021 Thomson Reuters. All rights reserved.