Researchers have uncovered a new connection between Tomiris and the APT behind the SolarWinds breach, DarkHalo.
On Wednesday at the Kaspersky Security Analyst Summit (SAS), researchers said that a new campaign revealed similarities between DarkHalo’s Sunshuttle, as well as “target overlaps” with Kazuar.
The SolarWinds incident took place in 2020. FireEye and Microsoft revealed the breach, in which SolarWinds’s Orion network management software was compromised to impact as many as 18,000 customers in a software update-based supply-chain attack.
While many thousands of clients may have received a malicious update, the threat actors appeared to cherry-pick the targets worthy of further compromise — including Microsoft, FireEye, and government agencies.
Microsoft president Brad Smith dubbed the incident as “the largest and most sophisticated attack the world has ever seen.”
Eventually, the finger was pointed at the advanced persistence threat (APT) group DarkHalo/Nobelium as the party responsible, which managed to deploy the Sunburst/Solorigate backdoor, Sunspot build server monitoring software, and Teardrop/Raindrop dropper, designed to deploy a Cobalt Strike beacon, on target systems.
The Russian, state-backed group’s campaign was tracked as UNC2452, which has also been linked to the Sunshuttle/GoldMax backdoor.
In June, after roughly six months of inactivity from DarkHalo, Kaspersky uncovered a DNS hijacking campaign against multiple government agencies in an unnamed CIS member state.
“These hijacks were for the most part relatively brief and appear to have primarily targeted the mail servers of the affected organizations,” Kaspersky commented. “We do not know how the threat actor was able to achieve this, but we assume they somehow obtained credentials to the control panel of the registrar used by the victims.”
The researchers say that the campaign operators redirected victims attempting to access an email service to a fake domain which then prompted them into downloading a malicious software update, made possible by switching legitimate DNS servers for compromised zones to attacker-controlled resolvers. This update contained the Tomiris backdoor.
“Further analysis showed that the main purpose of the backdoor was to establish a foothold in the attacked system and to download other malicious components,” Kaspersky added. “The latter, unfortunately, were not identified during the investigation.”
Tomiris, however, did prove to be an interesting discovery. The backdoor is described as “suspiciously similar” to Sunshuttle.
Both backdoors are written in the Golang (Go) programming language, the same English language spelling mistakes were in the payloads’ code, and each uses similar encryption and obfuscation setups for configuration and network traffic management purposes.
In addition, both Tomiris and Sunshuttle use scheduled tasks for persistence as well as sleep-based delay mechanisms. The team believes the “general workflow of the two programs” hints at the same development practices.
However, the backdoor has little function beyond the capability to download additional malware, which suggests Tomiris is likely part of a wider operator toolkit.
It should also be noted that Tomiris has been found in environments also infected with the Kazuar backdoor, malware that Kaspersky has tentatively linked to Sunburst — while Palo Alto has also connected Kazuar and the Turla APT. Cisco Talos has also recently uncovered a new, simple backdoor now deployed by the Turla APT on victim systems.
Kaspersky also acknowledges this may be a case of a ‘false flag’ designed to mislead researchers and send them down the wrong analysis or attribution paths. Pierre Delcher, senior security researcher at Kaspersky, commented:
“None of these items, taken individually, is enough to link Tomiris and Sunshuttle with sufficient confidence. We freely admit that a number of these data points could be accidental, but still feel that taken together they at least suggest the possibility of common authorship or shared development practices.”
Previous and related coverage:
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0