Cybersecurity researchers, for the first time, may have found a potential connection between the backdoor used in the SolarWinds hack to a previously known malware strain.
In new research published by Kaspersky researchers today, the cybersecurity firm said it discovered several features that overlap with another backdoor known as Kazuar, a .NET-based malware first documented by Palo Alto Networks in 2017.
Disclosed early last month, the espionage campaign was notable for its scale and stealth, with the attackers leveraging the trust associated with SolarWinds Orion software to infiltrate government agencies and other companies so as to deploy a custom malware codenamed “Sunburst.”
Shared Features Between Sunburst and Kazuar
Attribution for the SolarWinds supply-chain compromise has been difficult in part due to little-to-no clues linking the attack infrastructure to previous campaigns or other well-known threat groups.
But Kaspersky’s latest analysis of the Sunburst backdoor has revealed a number of shared features between the malware and Kazuar, leading the researchers to suspect that —
- Both Sunburst and Kazuar were developed by the same threat group
- The adversary behind…