Kaspersky discovers overlap between SolarWinds hack, Turla

The overlap isn't totally definitive, researchers say.
Lubyanka Building - headquarters of the Federal Security Service (FSB) in Moscow, Russia (Getty Images)

Security researchers on Monday linked the SolarWinds breach to a different set of suspected Russian hacking tools, finding commonalities between that attack and the methods of the Turla group.

Moscow-based Kaspersky said the source code for Sunburst, one of the nicknames for the malware that attackers used in the SolarWinds hack, overlapped with the Kazuar backdoor that Turla has deployed in the past. The Turla group is known for stalking embassies and ministries of foreign affairs in Europe and elsewhere for sensitive data.

Sources have told reporters that the Russian hacking group APT29, or Cozy Bear, is responsible for the SolarWinds attack. Cozy Bear is most often linked to the SVR, the Russian foreign intelligence service. Turla, by contrast, is usually affiliated with another Russian intelligence service, the FSB. U.S. government investigators have only said the attack is “likely Russian in origin.”

Cyber threat intelligence firms have been cautious about publicly attributing the SolarWinds hack, even nearly a month after SolarWinds and FireEye disclosed the breach of SolarWinds’ Orion software, and more than a month after FireEye first disclosed that hackers had victimized the cybersecurity giant. Kaspersky, too, is being cautious: The overlap between the Kazuar backdoor and Sunburst isn’t totally definitive, the company said.


“The identified connection does not give away who was behind the SolarWinds attack, however, it provides more insights that can help researchers move forward in this investigation,” said Costin Raiu, director of Kaspersky’s global research and analysis team. “We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach.”

While Kaspersky said it’s possible that Sunburst was developed by Turla, there are other potential explanations, too.

Sunburst’s apparent developers adopted ideas from Kazuar; both groups obtained the malware from the same source; Kazuar developers switched teams and took their code with them; or Sunburst’s developers were using elements of Kazuar to shift blame to another group. Some threat researchers have linked APT29 to the FSB as well.

The SolarWinds breach has claimed an ever-lengthening list of victims, and officials have warned that more remain unrevealed. The victims of the sweeping cyber espionage campaign include U.S. government agencies and major tech companies. The Russian government has denied involvement with the attack.

Latest Podcasts