back to article Kaspersky Lab autopsies evidence on SolarWinds hack

Kaspersky Lab reckons the SolarWinds hackers may have hailed from the Turla malware group, itself linked to Russia’s FSB security service. Referring to the hidden backdoor secretly implanted in SolarWinds' Orion product, Kaspersky’s Georgy Kucherin wrote in a blog post on Monday: “While looking at the Sunburst backdoor, we …

  1. chivo243 Silver badge
    WTF?

    That's poking the bear in the eye

    That's a gutsy thing to do. Was it smart jump on the bandwagon and toot the horn? Maybe a middle of the road tactic would have to been say when asked, "It was most likely them, but don't quote us on it."

    1. Anonymous Coward
      Anonymous Coward

      Re: That's poking the bear in the eye

      The Blogpost does say....

      "TLDR; just tell us who’s behind the SolarWinds supply chain attack?

      Honestly, we don’t know. What we found so far is a couple of code similarities between Sunburst and a malware discovered in 2017, called Kazuar. "

      So that should avoid falling from a 5th story balcony or dying from tea poisoning.

      (On a serious note, its a pretty interesting piece of technical analysis!)

    2. Anonymous Coward
      Anonymous Coward

      Re: That's poking the bear in the eye

      Kaspersky has been moving itself away (operationally, etc.) from under the shadow of the home country. (to Schweiz?) Consider that they might be now feeling confident they could survive as a company despite backlash. Consider also they might be trying to provoke a backlash, in order to demonstrate effective independence. After all, only a demonstrated autonomy will allow them to continue to sell their products.

      Full disclosure: I use their anti-virus product as it is the only one that hasn't betrayed me. Your opinion on my possible futures may be wildly different than mine. But consider we're all test cases and pause your smiling...

      1. osakajin Bronze badge

        Re: That's poking the bear in the eye

        Interesting if they are building trust in this way like an undercover cop doing dirty business to integrate to the gang...

        Mind games?

        1. You aint sin me, roit Silver badge

          Re: That's poking the bear in the eye

          Throw the NSA a bone, when they know the culprits have already been identified?

          Too obvious?

          1. Anonymous Coward
            Anonymous Coward

            @You aint sin me, roit - Re: That's poking the bear in the eye

            Actually to be fair, in their press statement NSA says the culprits have likely (read again the previous word) been identified.

            https://www.zdnet.com/article/us-government-formally-blames-russia-for-solarwinds-hack/

            A lot of politics involved is blurring the picture here.

  2. jgarbo
    Alien

    Invisibles

    Cracking 101: Successful penetration must be invisible. No log changes, all timestamps correct(ed), clean as a ghost's whistle. If these "hackers" left traces they weren't Russian state actors. Let's instead look for underpaid CIA interns or drunk NSA contractors.

    1. Anonymous Coward
      Anonymous Coward

      Re: Let's instead look for underpaid CIA interns or drunk NSA contractors.

      I couldn't agree more. Russian are *never* underpaid or drunk :-)

      1. seven of five Silver badge
        Joke

        Re: Let's instead look for underpaid CIA interns or drunk NSA contractors.

        I am unconvinced about them being able to get drunk. They (unfair generalisation, I know) do stop drinking, usually when they are dead.

        Otoh, sometime one falls over and sleeps a bit, but resumes drinking as soon as he wakes up.

        I'm not sure either counts as "getting dunk".

        1. slimshady76
          Joke

          Re: Let's instead look for underpaid CIA interns or drunk NSA contractors.

          I'm not sure either counts as "getting dunk".

          I think this act equals "stop being breastfeed" in the Motherland.

      2. martinusher Silver badge

        Re: Let's instead look for underpaid CIA interns or drunk NSA contractors.

        I've worked with quite a lot of Russians over the years and, curiously enough, the one thing they had in common is that they didn't drink, at least not a work or work functions.

        Saying that all Russians are careless drunks is like taking the evidence of a typical (pre-Covid) weekend night in a British town center and concluding that all British are hopeless drunks.

        As far as this paricular hack goes we shouldn't lose sight of the fact that it was caused by careless handling of code archives and insufficient attention to release building. This allowed some opportunist to slide code in that compromised the product. Its not the first time this has happened, hopefully it will be the last.

  3. GordonD

    What is going on

    First possibility: Just what it looks like, FSB hacking the world, Kaspersky calling them on it. Plausible ( and gutsy by Kaspersky).

    Second Possibility: FSB hacking the world, Kaspersky arm of Russian state, Tramp administration correctly points finger at Kaspersky, Russian state, knowing the FSB operation will be identified shortly, uses Kaspersky to out itself, making Kaspersky look good, and Tramp administration bad. Plausible until you consider the Tramp administration doing something right.

    Third Possibility: FSB hacks world; knowing that it won't stay secret forever, Russia lines up Kaspersky to out themselves. They then tell their komprimised lackey (who they know will soon be no longer a useful idiot, just an idiot) to accuse Kaspersky of working for Russia, so that they can later discredit the NSA et al.

    I think it is one, but three would make a better spy novel, and also fits the facts.

    1. You aint sin me, roit Silver badge

      Re: What is going on

      2a) Three letter agencies ignore compromised Trump and go public with findings. Russians realize they've been nabbed, FSB don't care but consider it a good opportunity to make Kaspersky look clean.

      I get the idea the standard Russian MO is now basically "Yeah, we did it. So what you gonna do about it?".

      1. Anonymous Coward
        Anonymous Coward

        Re: What is going on

        I just watched a gangster movie, that line "what you gonna do about it" was the theme among the gangster bosses. Like someone trying to blackmail a porn star with a nude photo...

    2. Anonymous Coward
      Anonymous Coward

      @GordonD - Re: What is going on

      How about SolarWinds trying to hide their uttermost incompetence at securing their network and put the blame on a mighty adversary, so powerful and merciless that nobody can oppose. Add to the mix a few TLAs with a strong reputation for openness, honesty and transparency together with a string of security companies addicted to fat government contracts and what we get is a tremendous business opportunity that should not be missed.

      Like the Frengi rule of acquisition #34 says, War is good for business.

      My oppinion is Russian speaking hackers probably did it but their carelesness in hiding their tracks makes it hard to accept they worked under direct orders from Kremlin. You don't just give a contract to a hitman that will advertise your name all over the place. Russia has enough headaches right now and starting a war would definitely not turn to their advantage.

    3. Palpy

      Re: What is going on

      Fourth possibility: The Solarwinds hack was ripe, and had started to rot. FSB knew it, the Turla group knew it. It became effectively abandonware, useful as long as it lasted. The Kaspersky analysis was unimportant to the ongoing ops, since the hackers were moving on anyway. The follow-on hack, more subtle, has not yet been detected. Except perhaps by muted chuckling heard inside a locked FSB office somewhere in Moscow.

      1. amanfromMars 1 Silver badge

        What is going on? Are there new kids in the chain on the block creating CHAOS***?

        Howdy, palpy,

        And let us not discount and ignore a fifth possibility in the future: one of those strange cyber-mercenary groupages - or Private Sector Offensive Actors (PSOAs) with Killer AAA+ 00 Licences to Thrill that national defences don't want you knowing anything about. ...... https://forums.theregister.com/forum/all/2021/01/08/uk_ai_council_roadmap/#c_4182947 ...... and something it is definitely wisest to make positive engagement with whenever renegade rogue, freelancer private and pirate contractors/plausibly deniable proxy agents/non-state state actors, given what you might know or what you might think you know, and what you certainly don't know they can easily do to/for you, if you are able and can be bovvered and are terrorised and have state sponsoring ‽ .

        And that is something which both the Donald [Rumsfeld]* and Ike [President Eisenhower]** did reveal and warn y'all about long before now, but not unsurprisingly, given the present dire crumbling state of general kowledge and specific intelligence, y'all appear to not have heeded the message for the messages are clearly enough written to not be easily misunderstood nor dismissed as errant crazy nonsense ......

        **In the councils of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex. The potential for the disastrous rise of misplaced power exists and will persist. The prospect of domination of the nation's scholars by Federal employment, project allocations, and the power of money is ever present and is gravely to be regarded. *Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones.

        ...... and thus, in the event of continued wilful misdirections, is one likely to suffer suddenly without a priori warning, the consequences and reap the whirlwinds of despair which accompany all arrogant misguided hubristic feasts as just desserts that slay the beast with the simple removal of its glorious gluttonous feeds/fiat needs.

        * ........ https://en.wikipedia.org/wiki/There_are_known_knowns

        ** ...... https://www.ourdocuments.gov/doc.php?flash=false&doc=90&page=transcript

        *** .... Clouds Hosting Advanced Operating Systems ****

        **** ...A novel confection for the UK's AI Council to consider approving governments promote and fund with moonshot testing and ARPAesque tasting/proprietary intellectual property product sampling *****

        ***** One of those offers it is wisest to not refuse

        That's exclusive breaking news there, El Reg. And intelligently designed to create more than just a stir to shake up and wake up the living dead in the bubbles which lock them down. After all, do you not deserve to lead AI and IT with it ....... for is not Sticking IT to the Man akin to Biting the hand which feeds IT. :-)

  4. amanfromMars 1 Silver badge

    Stellar COSMIC Enterprise for Adults who Know What Needs to be Done in Order to Lead

    If you can believe what the West says, the East appears to be considerably smarter than anywhere else at gaining access to sensitive information secreted in and about the West, for they are never done complaining about the fact they have been practically violated and virtually compromised and venturing forth with the name of a popular media savvy scapegoat/rogue private pirate collective which may or may not be an autonomous state and non-state actor amalgam.

  5. Anonymous Coward
    Anonymous Coward

    this is not unusual for spy agencies....

    just repeat what everyone is saying to gain trust.

    this is also happening in Hong Kong right now......

    certain newspapers slag off the government and then commenters on the articles disappear.....

    it's shocking about how many families are saying other family members have disappeared...

    yet places like the US are worried about gender neutral pro-nouns in their congress...

    1. amanfromMars 1 Silver badge

      Fascism is alive and well in the USA ‽

      I wonder what spy agencies/Secret Intelligence Services think about what is happening in the USA today and if they are able and going to do something/anything about it, either to help or hinder its progress/decline ........ Ron Paul Posts Criticism Of Censorship On Social Media Shortly Before Facebook Blocks Him

      If you have the time [and who doesn't whenever enjoying a mandatory lockdown] and the equipment and the inclination, you can catch a view of a fascist Orwellian Big Brother future, with the roles of IT and media featured, in the 2005 film, V for Vendetta of which it has been written ...... The film is set in the late 2020s, and London is now under the authoritarian rule of the fascist High Chancellor Sutler (John Hurt), the leader of the extremely Nazi-looking Norsefire party. The parallels to real-world 2020 are alarming: the “St. Mary’s virus” has unleashed a pandemic on the world, crippling the United States (which doesn’t really factor into the film’s London-centric plot) and sending it on a path to economic ruination and civil war. ......... https://www.theverge.com/21349606/v-for-vendetta-movie-yesterdays-future-present

      1. Anonymous Coward
        Anonymous Coward

        Re: Fascism is alive and well in the USA ‽

        Thank you.

        Where does the Sisyphean Rolling Rock Stop after the N+1 iteration?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021