The huge global cyber espionage campaign that was discovered last month was carried out using similar tools to those developed by a known Russian hacking group, according to new research.
US security agencies said last week that Russia was likely to have been behind the spying attempt, which hijacked software made by the Texas-based tech company SolarWinds and put 18,000 of its government and corporate clients at risk of exposure.
On Monday, investigators at Moscow-based cyber security company Kaspersky went further, publishing new evidence linking the malicious code used to breach SolarWinds to spying tools developed by a Russian hacking group known as Turla.
While previous reports in the US media had attributed the espionage campaign to APT29, a hacking group backed by Russia’s Foreign Intelligence Service, the SVR, Turla is thought to be linked to a different Russian agency: its top domestic security service, the FSB.
Experts at Kaspersky say the code overlaps they have identified represent “the first potential identified link to a previously known malware family”. While the researchers emphasise that they are not attributing the SolarWinds hack to the Turla group, they say the similarities between the hacking tools are curious.
“One coincidence wouldn’t be that unusual, two coincidences would definitively raise an eyebrow, while three such coincidences are kind of suspicious to us,” their blog post on the code similarities reads.
The Kaspersky investigators also point out that there could be reasons for the overlapping code, such as the developers of Turla’s malware moving to another hacking team and taking the same tools with them. The SolarWinds hackers may even have intentionally mimicked another cyber espionage group in order to shift the blame, the researchers wrote.
According to the UK’s National Cyber Security Centre — a branch of signals intelligence agency GCHQ — Turla group targets governments, as well as military, technology and energy companies, and has a record of using malware that steals sensitive data and then is used to conduct future cyber attacks.
Estonia’s intelligence service revealed two years ago that it believes Turla to be “tied” to Russia’s FSB.
Ciaran Martin, former head of the NCSC and now a professor at the University of Oxford’s Blavatnik School, said the impact of Kaspersky’s findings could be significant. “Some parts of the Russian state just hack for spying purposes; others have a more sinister record of disruptive attacks following an initial hack,” he said.
“So understanding exactly which bit of Russia is behind SolarWinds is really important.”
“I’m sure the US government and its partners are looking very closely at all this evidence,” he added, although he made clear that so far there is no evidence of the SolarWinds hack having been motivated by “anything other than espionage”.
In a joint statement last week, the FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence said they had identified “fewer than 10” US federal agencies as having potentially been compromised.
Only the US commerce, energy and Treasury departments have acknowledged that they were hacked, alongside companies including Microsoft and cyber security firm FireEye.