The group behind a global cyber-espionage campaign discovered last month deployed malicious computer code with links to espionage tools previously used by suspected Russian hackers, researchers said on Monday.
Researchers from Moscow-based cybersecurity firm Kaspersky said the 'back door' which was used to compromise up to 18,000 customers of the US software manufacturer SolarWinds was very similar to malware linked to a hacking group known as 'Turla', which, according to Estonian authorities, operates on behalf of Russia's FSB security service.
The findings are the first publicly available evidence to support the United States' claims that Russia orchestrated the hack, which endangered a slew of sensitive federal agencies and is among the most ambitious cyber operations ever disclosed.
Moscow has repeatedly denied the allegations. The FSB did not respond to a request for comment.
Costin Raiu, Kaspersky's head of global research and analysis, said there are three clear similarities between the SolarWinds backdoor and a hacking tool called "Kazuar" used by Turla.
The similarities included the way both types of malware tried to hide their functions from security analysts, how the hackers identified their victims, and the formula used to calculate the periods during which the malware stayed dormant in an attempt to avoid detection.
'One of those findings could be dismissed,' Raiu said. 'Two things definitely make me raise an eyebrow. Three is more than a coincidence.'
Confidently attributing cyber attacks is extremely difficult and riddled with potential pitfalls. For example, when Russian hackers disrupted the opening ceremony of the 2018 Winter Olympics, they deliberately imitated a North Korean group to ward off the blame.
Raiu said the digital clues his team uncovered did not directly implicate Turla in the SolarWinds compromise, but did show that there was an as-yet-undetermined link between the two hacking tools.
It is possible that they were deployed by the same group, he said, but also that Kazuar inspired the SolarWinds hackers, that both tools were bought from the same spyware developer, or even that the attackers planted 'false flags' to mislead researchers.
Security teams in the United States and other countries are still trying to determine the full extent of the SolarWinds hack. Researchers have said it can take months to understand the scale of the compromise and even longer to drive the hackers out of victims' networks.
US intelligence agencies have said the hackers were "likely of Russian origin" and targeted a small number of high-profile victims as part of an intelligence-gathering operation.
(Reporting by Jack Stubbs; edited by Chris Sanders and Edward Tobin)