Investigators said Monday that the hackers behind the global SolarWinds incident used computer code with links to known Russian spying tools, Reuters reports.
It recently came to light that cyber criminals hacked SolarWinds to gain access to at least 18,000 government and private networks. It is believed that the cyberattackers’ goal was to collect intelligence.
Now, researchers at Moscow-based cybersecurity company Kaspersky said the attackers deployed code that closely resembled malware associated with a Russian hacking group known as “Turla.”
The way in which the SolarWinds hack was carried out had three notable similarities to a hacking tool called “Kazuar,” which is used by Turla, according to Costin Raiu, head of global research and analysis at Kaspersky.
Similarities were noted in how the hackers identified their victims and how they avoided being detected through the use of a specific formula to calculate periods with the viruses lying dormant. Additionally, both pieces of malware attempted to obscure their functions from security analysts.
“One such finding could be dismissed,” Raiu said. “Two things definitely make me raise an eyebrow. Three is more than a coincidence.”
Raiu said the similarities point to the likelihood of a link between the two hacking tools, but they don’t necessarily imply that Turla played a role in the SolarWinds hack. He said there’s a possibility that the hackers behind the SolarWinds hack were merely inspired by Kazuar, or that they deliberately planted “false flags” in order to throw off investigators.
Although Moscow has denied involvement in the hack, U.S. intelligence agencies have said that the hackers were “likely Russian in origin.” Security firms in the U.S. and other countries are continuing to investigate the incident in order to determine its full scope, and the Department of Justice has vowed to take serious action.
“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said last week. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted."