Woburn, MA — September 29, 2021 — While investigating a previously unknown advanced persistent threat (APT), Kaspersky researchers came across new malware with several attributes that potentially connect it to DarkHalo, the threat actor behind the Sunburst attack, which is considered one of the most impactful supply chain security incidents of recent years.
The Sunburst security incident hit the headlines in December 2020. The DarkHalo threat actor compromised a widely used enterprise software provider and used its infrastructure to distribute spyware under the guise of legitimate software updates. After an extensive hunt by the security community, the actor appeared to go under the radar, with no major incidents attributable to it discovered after Sunburst. However, the results of recent research by the Kaspersky Global Research and Analysis Team show that this may no longer be the case.
In June 2021, more than six months after DarkHalo went dark, Kaspersky researchers found traces of a successful DNS hijacking attack against several government organizations, all in the same country. DNS hijacking is an attack in which the DNS records for a domain name are altered so that the name resolves to an attacker-controlled server, rerouting the victims’ traffic there. In the case Kaspersky discovered, the targets were trying to reach the web interface of a corporate email service but were redirected to a fake copy of that interface and then tricked into downloading a malicious software “update”. Following the attackers’ path, Kaspersky researchers retrieved the “update” and found that it deployed a previously unknown backdoor: Tomiris.
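The attack described above depends on victims’ resolvers returning an address the organization does not control. One defensive check a practitioner can run is to compare every resolver answer for a monitored hostname against the address ranges that hostname is expected to resolve to, and alert on anything else. The script below is an added example, not Kaspersky’s code or anything from the Securelist report; the resolver log format, the hostnames and the address ranges are all constructed for illustration, and the check generalizes to any monitored name rather than just a webmail host.

```python
"""Flag DNS answers for monitored hostnames that fall outside their expected
address ranges.  Added example, not Kaspersky code; the log format, hostnames
and address ranges below are constructed for illustration."""
import ipaddress
import re

# Hypothetical resolver-log line format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) "
    r"qtype=(?P<qtype>A|AAAA) answer=(?P<answer>\S+) ttl=(?P<ttl>\d+)$"
)

# Expected address space per monitored name (assumed; RFC 5737 documentation
# ranges stand in for an organization's real netblocks).
EXPECTED = {
    "webmail.example.test": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed sample log: two legitimate answers, then the same name
# suddenly resolving to an address outside the expected range with a
# short TTL, then an unmonitored name that should be ignored.
SAMPLE_LOG = """\
2021-06-01T08:02:11Z client=10.0.0.5 qname=webmail.example.test qtype=A answer=203.0.113.7 ttl=300
2021-06-01T08:02:12Z client=10.0.0.9 qname=webmail.example.test qtype=A answer=203.0.113.7 ttl=300
2021-06-02T10:14:03Z client=10.0.0.5 qname=webmail.example.test qtype=A answer=198.51.100.44 ttl=60
2021-06-02T10:14:05Z client=10.0.0.22 qname=webmail.example.test qtype=A answer=198.51.100.44 ttl=60
2021-06-02T10:15:00Z client=10.0.0.5 qname=intranet.example.test qtype=A answer=10.1.2.3 ttl=3600
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ttl"] = int(rec["ttl"])
    rec["answer"] = ipaddress.ip_address(rec["answer"])
    return rec


def detect_hijack(log_text, expected=EXPECTED):
    """Return one alert per (qname, unexpected answer) pair.

    Each alert records when the rogue answer was first seen, which clients
    received it and its TTL.  A short TTL on a hijacked record is worth
    noting: it lets the attacker revert the change quickly once done.
    """
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] not in expected:
            continue  # unparseable, or not a name we monitor
        if any(rec["answer"] in net for net in expected[rec["qname"]]):
            continue  # answer lies inside the expected range
        key = (rec["qname"], str(rec["answer"]))
        alert = seen.setdefault(key, {
            "qname": rec["qname"],
            "answer": str(rec["answer"]),
            "first_seen": rec["ts"],
            "ttl": rec["ttl"],
            "clients": set(),
        })
        alert["clients"].add(rec["client"])
    return [dict(a, clients=sorted(a["clients"])) for a in seen.values()]


if __name__ == "__main__":
    for alert in detect_hijack(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields a single alert for webmail.example.test resolving to 198.51.100.44, first seen at 10:14:03Z, served to two clients with a 60-second TTL. In practice the expected ranges would come from the organization’s own address inventory, and the same comparison can be run against answers from several independent resolvers, since a hijack that only affects one resolution path shows up as disagreement between them.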
Further analysis showed that the backdoor’s main purpose is to establish a foothold on the compromised system and to download additional malicious components. Those components, unfortunately, were not recovered during the investigation. One other important observation was made: the Tomiris backdoor turned out to be suspiciously similar to Sunshuttle, a backdoor deployed in the wake of the infamous Sunburst attack.
The list of similarities consists of, but is not limited to, the following:
“None of these items, taken individually, is enough to link Tomiris and Sunshuttle with sufficient confidence,” says Pierre Delcher, security researcher at Kaspersky. “We freely admit that a number of these data points could be accidental, but still feel that taken together they at least suggest the possibility of common authorship or shared development practices.”
“If our guess that Tomiris and Sunshuttle are connected is correct, it would shed new light on the way threat actors rebuild capacities after being caught,” adds Ivan Kwiatkowski, security researcher at Kaspersky. “We would like to encourage the threat intelligence community to reproduce this research and provide second opinions about the similarities we discovered between Sunshuttle and Tomiris.”
To read more about the connection between Tomiris and the Sunburst attack, please visit Securelist.
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.