Investigators at Moscow-based cybersecurity firm Kaspersky said the “backdoor” used to compromise up to 18,000 customers of U.S. software maker SolarWinds closely resembled malware tied to a hacking group known as “Turla,” which Estonian authorities have said operates on behalf of Russia’s FSB security service.

The findings are the first publicly available evidence to support assertions by the United States that Russia orchestrated the hack, which compromised a raft of sensitive federal agencies and is among the most ambitious cyber operations ever disclosed.

Moscow has repeatedly denied the allegations. The FSB did not respond to a request for comment.

Costin Raiu, head of global research and analysis at Kaspersky, said there were three distinct similarities between the SolarWinds backdoor and a hacking tool called “Kazuar” which is used by Turla.

The similarities included the way both pieces of malware attempted to obscure their functions from security analysts, how the hackers identified their victims, and the formula used to calculate periods when the viruses lay dormant in an effort to avoid detection.

“One such finding could be dismissed,” Raiu said. “Two things definitely make me raise an eyebrow. Three is more than a coincidence.”

Confidently attributing cyberattacks is extremely difficult and strewn with possible pitfalls. When Russian hackers disrupted the Winter Olympics opening ceremony in 2018, for example, they deliberately imitated a North Korean group to try to deflect the blame.

Raiu said the digital clues uncovered by his team did not directly implicate Turla in the SolarWinds compromise, but did show there was a yet-to-be-determined connection between the two hacking tools.

It’s possible they were deployed by the same group, he said, but also that Kazuar inspired the SolarWinds hackers, that both tools were purchased from the same spyware developer, or even that the attackers planted “false flags” to mislead investigators.

Security teams in the United States and other countries are still working to determine the full scope of the SolarWinds hack. Investigators have said it could take months to understand the extent of the compromise and even longer to evict the hackers from victim networks.

U.S. intelligence agencies have said the hackers were “likely Russian in origin” and targeted a small number of high-profile victims as part of an intelligence-gathering operation.