The SolarWinds Hackers Shared Tricks With a Notorious Russian Spy Group
Ever since the December revelation that hackers breached IT management software firm SolarWinds, along with an untold number of its customers, Russia has been the prime suspect. But even as US officials have pinned the attack on the Kremlin with varying degrees of certainty, no technical evidence has been published to support those findings. Now Russian cybersecurity firm Kaspersky has revealed the first verifiable clues—three of them, in fact—that appear to link the SolarWinds hackers and a known Russian cyberespionage group.
On Monday morning Kaspersky published new evidence of technical similarities between malware used by the mysterious SolarWinds hackers, known by security industry names including UNC2452 and Dark Halo, and the well-known hacker group Turla, believed to be Russian in origin and also known by the names Venomous Bear and Snake. The group is widely suspected to work on behalf of the FSB, Russia’s successor to the KGB, and has carried out decades of espionage-focused hacking. Kaspersky’s researchers made clear that they’re not claiming UNC2452 is Turla; in fact, they have reason to believe the SolarWinds hackers and Turla aren’t one and the same. But they argue that their findings suggest one hacker group at the very least “inspired” the other, and that the two may have common members or a shared software developer building their malware.