Kaspersky Lab and Kings College London researchers, looking for a link between a modern threat actor and the Moonlight Maze attacks that targeted the Pentagon, NASA and more in the late 1990s, have unearthed samples, logs and artifacts belonging to the ancient APT.
The findings show that a backdoor used in 1998 by Moonlight Maze to tunnel information out of victim networks connects to a backdoor used by Turla in 2011 and possibly as recently as 2017. If the link between Turla and Moonlight Maze is proven, it would place the evolved threat actor alongside the Equation Group in terms of its longevity, as some of Equation’s command-and-control servers date back to 1996.
Contemporary reports on Moonlight Maze show how, starting from 1996, US military and government networks, as well as universities, research institutions and even the Department of Energy began detecting breaches in their systems. In 1998, the FBI and the Department of Defense launched a massive investigation. The story became public in 1999, but much of the evidence has remained classified, leaving the details of Moonlight Maze shrouded in myth and secrecy.
Over the years, original investigators in three different countries have stated that Moonlight Maze evolved into Turla, a Russian-speaking threat actor also known as Snake, Uroburos, Venomous Bear, and Krypton. Turla is conventionally believed to have been active since 2007.
The “Cupboard Samples”
In 2016, while researching his book, Rise of the Machines, Thomas Rid of Kings College London tracked down a former system administrator whose organization’s server had been hijacked as a proxy by the Moonlight Maze attackers. This server, ‘HRTest’, had been used to launch attacks on the US. The now-retired IT professional had kept the original server and copies of everything relating to the attacks, and handed it to Kings College and Kaspersky Lab for further analysis.
Kaspersky Lab researchers, Juan Andres Guerrero-Saade and Costin Raiu, together with Thomas Rid and Danny Moore from Kings College, spent nine months undertaking a detailed technical analysis of these samples. They reconstructed the attackers’ operations, tools, and techniques, and conducted a parallel investigation to see if they could prove the claimed connection with Turla.
Moonlight Maze was an open-source Unix-based attack targeting Solaris systems, and the findings show that it made use of a backdoor based on LOKI2 (a program released in 1996 that enables users to extract data via covert channels). This led the researchers to take a second look at some rare Linux samples used by Turla that Kaspersky Lab had discovered in 2014. Named Penquin Turla, these samples are also based on LOKI2. Further, the re-analysis showed that all of them use code created between 1999 and 2004. So LOKI2 is the link between all attacks.
Remarkably, this code is still being used in attacks. It was spotted in the wild in 2011 when it was found in an attack on defense contractor Ruag in Switzerland that has been attributed to Turla. Then, in March 2017, Kaspersky Lab researchers discovered a new sample of the Penquin Turla backdoor submitted from a system in Germany. It is possible that Turla uses the old code for attacks on highly secure entities that might be harder to breach using its more standard Windows toolset.
“In the late 1990s, no-one foresaw the reach and persistence of a coordinated cyberespionage campaign. We need to ask ourselves why it is that attackers are still able to successfully leverage ancient code in modern attacks. The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren’t going anywhere, it’s up to us to defend systems with skills to match,” said Juan Andres Guerrero-Saade, Senior Security Researcher, Global Research and Analysis Team Kaspersky Lab.
The newly unearthed Moonlight Maze files reveal many fascinating details about how the attacks were conducted using a complex network of proxies, and the high level of skills and tools used by the attackers.