Kaspersky reports finding code similarities between the Sunburst backdoor in SolarWinds’ Orion platform and a known backdoor, Kazuar, which Palo Alto Networks in 2017 associated with the Turla threat group. Kaspersky is cautious about attribution, and notes that there are several possibilities:
- Sunburst and Kazuar are the work of the same threat group.
- Sunburst’s developers borrowed from Kazuar.
- Both backdoors derived from a common source.
- Kazuar’s developers jumped ship to another threat group that produced Sunburst.
- Whoever developed Sunburst deliberately introduced subtle false flag clues into their code.
Reuters points out that Estonian intelligence services have long attributed Turla activity to Russia’s FSB (which was unavailable to Reuters for comment).
In an updated Solorigate advisory, CISA released detection and mitigation advice for post-compromise activity in the Microsoft 365 (M365) and Azure environment.
The US District Court for the Southern District of Ohio has responded to Solorigate by requiring that court documents be filed on paper, the Columbus Dispatch reports.
Other laptops, including one from Speaker of the House Pelosi’s office, have been reported missing after last week’s riot on Capitol Hill, according to Reuters. The Wall Street Journal describes how the unrest was inspired and organized via social media.
Many large Internet companies have deplatformed US President Trump and supporters in response to the President’s encouragement of demonstrations earlier in the week. Axios lists Reddit, Twitch, Shopify, Twitter, Google, YouTube, Facebook, Instagram, Snapchat, TikTok, Apple, Discord, Pinterest, and Stripe. The Wall Street Journal reports that both Apple and Amazon have taken action against Parler.