(Reuters) – The group behind a global cyber-espionage campaign that was discovered last month deployed malicious computer code with links to spy tools previously used by suspected Russian hackers, researchers said on Monday.
Investigators at the Moscow-based cybersecurity company Kaspersky said the "backdoor" that compromised up to 18,000 customers of US software maker SolarWinds was closely related to malware associated with a hacking group called "Turla", which the Estonian authorities have said operates on behalf of Russia's FSB security service.
The findings are the first publicly available evidence to support US claims that Russia orchestrated the hack, which compromised a number of sensitive federal agencies and is one of the most ambitious cyber operations ever uncovered.
Moscow has repeatedly denied the allegations. The FSB did not respond to a request for comment.
Costin Raiu, head of global research and analysis at Kaspersky, said there were three distinct similarities between the SolarWinds backdoor and a hacking tool called "Kazuar", used by Turla.
The similarities included how both pieces of malware tried to hide their features from security analysts, how the hackers identified their victims, and the formula for calculating the periods during which the malware lay dormant in an attempt to avoid detection.
Attributing cyberattacks with confidence is extremely difficult and littered with possible pitfalls. For example, when Russian hackers disrupted the opening ceremony of the 2018 Winter Olympics, they deliberately imitated a North Korean group in an attempt to deflect blame.
Mr. Raiu said the digital clues his team uncovered did not directly implicate Turla in the SolarWinds compromise, but showed that there was an as yet undetermined link between the two hacking tools.
It is possible that they were developed by the same group, he said, but also that Kazuar inspired the SolarWinds hackers, that both tools were bought from the same spyware developer, or even that the attackers planted "false flags" to mislead investigators.
Security teams in the United States and other countries are still working to determine the full extent of the SolarWinds hack. Investigators have said it could take months to understand the extent of the compromise and even longer to expel the hackers from victim networks.
U.S. intelligence agencies have said the hackers were "likely Russian in origin" and targeted a small number of high-profile victims as part of an intelligence-gathering operation.