New analysis suggests Russian group Turla was behind Solarwinds Orion Sunburst attack
Breaking news out of the cybersecurity community shows experts are finding certain ‘tells’ in the case of the Solarwinds Orion malware attack that could end up being as evident as Teddy KGB’s Oreo cookie habit.

Reuters reports that Kaspersky has now found no fewer than three interesting congruities between the Orion problem and other projects initiated by a Russian hacking group called “Turla,” which is purported to be working at the behest of the Russian FSB.

“Security teams in the United States and other countries are still working to determine the full scope of the SolarWinds hack,” writes Jack Stubbs. “Investigators have said it could take months to understand the extent of the compromise and even longer to evict the hackers from victim networks. U.S. intelligence agencies have said the hackers were ‘likely Russian in origin’ and targeted a small number of high-profile victims as part of an intelligence-gathering operation.”

The Orion backdoor, called Sunburst, worked through a DLL and compromised 18,000 customers, including high-level US government offices and large corporate interests in the United States.

At the time, people were accusing the Russian “Cozy Bear” hacking group, but there was no hard proof of the connection; reports often referred only to a “nation-state actor.”

Currently, cybersecurity experts are sharing three examples they say point to a common modus operandi. These have to do with shielding, identification of victims, and dwell time. In the third case, the malware was designed to lie dormant for a specific period of time in order to avoid detection.

Although these do look like the signs of the Russian group, some say the hackers targeting Orion through Sunburst created ‘false flags’ to put Turla’s fingerprints on the operation. Meanwhile, the US president has expressed doubt that Russia was behind the operation and has instead been blaming China.

More details continue to come out about this widespread cyberattack that compromised significant US infrastructure. Keep an eye out if you have technology holdings related to defense or national security.