Advanced persistent threat (APT) actors rarely simply stop operations when their malware and techniques get exposed. Many just regroup, refresh their toolkits, and resume operations when the heat has died down a bit.
Such appears to be the case — at least circumstantially — with DarkHalo, the Russian-government affiliated threat actor behind the supply attack on SolarWinds that rattled the industry in a manner unlike any malicious campaign in recent memory.
Researchers at Kaspersky this week said they had detected a new backdoor they have dubbed "Tomiris," which has multiple attributes that suggest a link to "Sunshuttle," a second-stage malware that DarkHalo used in its SolarWinds campaign. This includes the programming language used to Tomiris, its obfuscation and persistence mechanisms, and the general workflow of the two malware samples.
Kaspersky discovered the Tomiris backdoor in June while investigating successful DNS hijacking incidents that impacted government agencies of a country that previously belonged to the Soviet Union and is now a member of the nine-country Commonwealth of Independent States. The security vendor described the DNS hijacking incidents as happening in brief periods in December 2020 and January 2021. In the attacks, the threat actor redirected traffic from the impacted government email servers to servers they controlled. Credential theft appears to have been the motive for the campaign, Kaspersky said in a report this week.
While the similarities between Tomiris and Sunshuttle alone are not enough to conclusively link the former to DarkHalo, they do suggest the two malware samples were developed by the same author or had shared development practices, according to Kaspersky.
"If our hypothesis proves true, it would show that DarkHalo is able to rebuild its capabilities relatively quickly after having been caught in the act," says Ivan Kwiatkowski, senior security researcher at Kaspersky. "It would also solidify our perception of them as sophisticated and careful threat actors who are able to set in motion complex attack scenarios, such as supply chain attacks or DNS hijacking."
DarkHalo, also tracked as Nobelium, UNC2452, and StellarParticle, is a threat group that several security vendors and others — including the US government — have linked to Russia's Foreign Intelligence Service, SVR. The group is responsible for breaking into SolarWinds' software development environment and embedding a Trojan in signed updates of the company's Orion network management technology. Some 18,000 organizations received the Trojanized updates, of which less than 100 are believed to have been targeted for subsequent attacks and data theft.
SolarWinds' investigation of the breach — after FireEye notified the company of it in December 2020 — showed DarkHalo actors had begun probing its networks as early as 2019 and subsequently gained access to its build environment. They used the access to embed a Trojan called Sunburst in the Orion product updates that were distributed to 18,000 organizations. The attackers later used Sunburst to download additional malware on systems belonging to the 100 or so organizations that were the campaign's main targets. Targets included US federal government agencies, security vendors, and large corporations.
Sunshuttle — the malware which bears a resemblance to Tomiris — was one of the tools DarkHalo actors dropped as part of this second-phase of its campaign. The malware, written in GoLang, gave the threat actors a way to communicate with compromised systems and to remotely execute malicious commands, such as file uploads and downloads. FireEye Mandiant discovered the DarkHalo actors had used the malware in attacks going back to at least August 2020, or four months before SolarWinds discovered its Orion updates had been poisoned.
According to Kaspersky, the new Tomiris malware it recently detected is coded in the Go programming language, just like Sunshuttle. Like its apparent predecessor, Tomiris uses a single, common obfuscation method to encode both configurations and network traffic. Both malware families use similar tactics, such as sleep delays for persistence, and have similar features built into their functions.
Misspellings in both Tomiris and Sunshuttle code suggest both malware tools were developed by a team who did not speak English natively. The researchers also discovered Tomiris on networks where machines had been infected with Kazuar, a malware tool associated with Russian APT group Turla, which has code overlaps with DarkHalo's Sunburst.
The researchers made it very clear that the similarities suggest only a tenuous link between Tomiris and DarkHalo. But if the two are indeed linked, it shows the DarkHalo group, which vanished without a trace after the SolarWinds breach was discovered, has resurfaced. To conclusively make that link, Kaspersky would need additional information, Kwiatkowski says.
"Ideally, we would need to find evidence that one of the families was used to deploy malware belonging to one of the other two," he says. "Barring this, if other members of the community confirmed our opinion about the similarities between Sunshuttle and Tomiris, it would increase our overall confidence."
Kaspersky has shared its research with victims of the DNS hijacking attacks and customers of its threat intelligence service. The company continues to track Tomiris activity but has reached the point where all of the data available to it has been analyzed, Kwiatkowski says. He invited the broader security community to replicate Kaspersky's findings to either confirm or disprove the link between Tomiris and DarkHalo.
Tomiris and its link to DarkHalo, if correct, is another reminder for enterprise organizations and government entities of just how determined their cyber adversaries can be, Kwiatkowski notes.
"It shows that perimeter defense is not enough and that steps should be taken to try and detect attackers while they are inside the network," he says.