Min menu

Pages

SolarWinds hackers linked to well-known Russian spy tools

 


Researchers at cybersecurity firm Kaspersky said Monday that SolarWinds hackers responsible for a global espionage campaign discovered last month against the U.S. software maker are linked to well-known Russian spying tools.

The cybersecurity company explained that the back door used by SolarWinds hackers to hack up to 18,000 SolarWinds customers is very similar to malware linked to the hacking group known as Turla.

Estonian authorities said that the hacking group known as Turla was acting on behalf of the Russian Security Service FSB.

These findings are the first publicly available evidence to support U.S. assertions that Russia orchestrated the hack, which put a host of sensitive federal agencies at risk and is among the most ambitious cyber operations ever uncovered.

Costin Raiu, Head of Global Research and Analysis at Kaspersky, said there are three distinct similarities between the back door used by SolarWinds hackers and Turla's Kazuar hacking tool.

Similarities included the way malware tried to hide its functions from security analysts, how hackers identified their victims, and the formula used to calculate periods when viruses were inactive in an attempt to avoid detection.

It is extremely difficult to attribute cyber attacks in a documented manner, as when Russian hackers disrupted the opening ceremony of the 2018 Winter Olympics, they deliberately imitated a North Korean group to try to deflect blame.

Rayo said the digital evidence his team uncovered did not directly refer to Turla in the SolarWinds hack but showed an undetermined connection between the two hacking devices.

He explained that the software may have been published by the same group, but Kazuar inspired SolarWinds hackers, both tools were purchased from the same spyware developer, and attackers placed false tags to mislead investigators.

Security teams in the United States and other countries are still working to determine the full extent of the SolarWinds breach.

Investigators said it could take months to understand the extent of the hack and get the hackers out of the victims' networks.

U.S. intelligence agencies said SolarWinds hackers are likely of Russian origin, targeting a small number of high-profile victims as part of the intelligence gathering operation.

 

reaction: