Researchers investigating the sweeping cyber espionage campaign against entities in the United States, discovered last month, say the group suspected of carrying out the attack used malicious code with links to spying tools previously used by hackers connected to Russia.
Investigators at Moscow-based cybersecurity firm Kaspersky said the “backdoor” used to compromise up to 18,000 customers of US software maker SolarWinds closely resembles malware known to be used by a hacking group called “Turla,” which Estonian authorities say operates on behalf of Russia’s FSB security service.
Kaspersky’s conclusions are the first publicly available evidence supporting earlier claims by the United States that the attacks were organized by Russia. The hacking and cyber espionage campaign compromised a range of sensitive federal agencies and has been described by experts as one of the most ambitious cyber operations ever discovered.
All such allegations have been repeatedly denied by Russia.
The researchers found three distinct similarities between the backdoor used to infiltrate SolarWinds and a hacking tool called “Kazuar” that Turla uses regularly, said Costin Raiu, head of global research and analysis at Kaspersky.
The three similarities are the way both tools obscure their functions from security analysts, the way they identify their targets, and the formula used to calculate the periods during which the malware lies dormant to avoid detection.
“One such finding could be dismissed,” Raiu said. “Two things definitely make me raise an eyebrow. Three is more than a coincidence.”
Confidently attributing cyber attacks is extremely difficult and riddled with pitfalls. For example, when Russian hackers disrupted the opening ceremony of the 2018 Winter Olympics, they deliberately imitated a North Korean group so that the blame would fall on it.
Raiu said the digital clues uncovered by his team in the SolarWinds investigation could not directly implicate Turla, but added that the evidence did point to a yet-to-be-determined relationship between the two hacking tools.
He acknowledged that the malware may have been deployed by the same group, but said it was also possible that the SolarWinds hackers were inspired by Kazuar, that both tools were purchased from the same spyware developer, or even that the attackers planted “false flags” to mislead investigators.
Security teams in the United States and other countries are still determining the full scope of the SolarWinds hack. Investigators have said that understanding the extent of the compromise could take months, and that evicting the hackers from victim networks could take longer.
(Adapted from HindustanTimes.com)