But in a blog post, the company also cautioned that these findings should be taken with a grain of salt and not read as proof that the two groups were related, as there could be many reasons why these similarities existed.
The supply chain attack came to light when FireEye announced on 9 December AEDT that it had been compromised and had its Red Team tools stolen.
Five days later, the firm issued details about attacks using malware it called SUNBURST; it said this malware had been used to hit both private and public entities, having been inserted into the Orion network management software, a product of SolarWinds.
"We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach," the Kaspersky trio wrote.
"If we consider past experience, looking back to the WannaCry attack, in the early days, there were very few facts linking them to the Lazarus group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research on this topic can be crucial in connecting the dots."
Kucherin, Kuznetsov and Raiu said the following reasons could account for the similarities between SUNBURST and Kazuar:
- Sunburst was developed by the same group as Kazuar;
- The Sunburst developers adopted some ideas or code from Kazuar, without having a direct connection (they used Kazuar as an inspiration point);
- Both groups, DarkHalo/UNC2452 and the group using Kazuar, obtained their malware from the same source;
- Some of the Kazuar developers moved to another team, taking knowledge and tools with them; or
- The Sunburst developers introduced these subtle links as a form of false flag, in order to shift blame to another group.