In the late 1990s, the FBI opened an investigation dubbed "Moonlight Maze" into a cyber attack whose targets included the Pentagon, NASA, and the Department of Energy.
The attack was shrouded in mystery; the story became public a year after the official investigation was launched, yet much of the evidence remains classified.
However, investigators claimed that a printed stack of all the stolen data would be three times taller than the Washington Monument.
In other words, this was a big f*cking deal.
Kaspersky now links that attack to Turla, a Russian-language threat actor previously thought to date back only to 2007. Turla is also referred to as Snake, Uroburos, Venomous Bear, and Krypton.
“In the late 1990s, no one foresaw the reach and persistence of a coordinated cyberespionage campaign,” said Juan Andres Guerrero-Saade, Senior Security Researcher at Kaspersky Lab. “We need to ask ourselves why it is that attackers are still able to successfully leverage ancient code in modern attacks. The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren’t going anywhere, it’s up to us to defend systems with skills to match.”
Guerrero-Saade and Costin Raiu of Kaspersky, together with Thomas Rid and Danny Moore of King's College London, researched and analyzed the decades-old Moonlight Maze artifacts, thanks to a retired IT administrator.
It took the team a year to find David Hedges, the retired IT administrator, who had kept a 1998 server that the attackers had used as a relay proxy during Moonlight Maze. The machine, "HRTest," was kept running as a complete record of the attackers' code and activity, and was then used to spy on the threat actor.
Their hypothesis was this, according to a blog from Kaspersky:
“The Turla developers decided to dust down old code and recompile it for current Windows victims in the hope of getting a stealthier beachhead on systems that are less likely to be monitored.”
If their hypothesis is true, Turla would be one of the most persistent APTs ever observed, alongside the Equation Group, which has servers dating back to 1996.
What they found after nine months of analysis was a connection between Moonlight Maze and some rare Linux samples used by Turla, dubbed "Penquin" Turla. Both sets of code use a backdoor based on LOKI2 (released in 1996).
A new batch of Penquin Turla was discovered as recently as March 2017, on a system in Germany.
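LOKI2, published in Phrack, tunnels commands and their output inside the payload of ICMP echo request and reply packets, traffic that most networks permit and rarely inspect; that is what made it a usable backdoor in the 1990s and, if Kaspersky is right, still usable by Turla today. The following is an added example, not code from the Kaspersky report or from the researchers: it builds constructed ICMP echo packets (ordinary Linux and Windows ping filler beside two LOKI2-style payloads) and runs a simple heuristic over them that flags echo payloads which do not look like a ping client's filler. The filler patterns, the 5.5-bit entropy threshold and the sample packets are assumptions chosen for illustration, not data from the case.

```python
import math
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

# Filler bytes common ping clients put after the ICMP header (assumed from their
# usual defaults): Linux/BSD ping sends a struct timeval (8 or 16 bytes) followed
# by 0x10..0x37; Windows ping sends a fixed 32-byte alphabet with no timestamp.
LINUX_FILLER = bytes(range(0x10, 0x38))
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, reply: bool = False) -> bytes:
    """Build a raw ICMP echo packet: type, code, checksum, identifier, sequence, payload."""
    itype = ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for encrypted data, low for text or filler."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def classify_echo(packet: bytes):
    """Return (identifier, sequence, reason) when an echo payload looks tunneled, else None."""
    if len(packet) < 8:
        return None
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if itype not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None                      # only echo traffic is inspected here
    if icmp_checksum(packet) != 0:
        return ident, seq, "bad ICMP checksum"
    payload = packet[8:]
    if not payload or payload == WINDOWS_FILLER:
        return None
    if payload[8:] == LINUX_FILLER or payload[16:] == LINUX_FILLER:
        return None                      # timestamp + standard filler: an ordinary ping
    if shannon_entropy(payload) > 5.5:   # assumed threshold; tune on real traffic
        return ident, seq, "high-entropy payload"
    if all(32 <= b < 127 or b in b"\r\n\t" for b in payload):
        return ident, seq, "printable text payload"
    return ident, seq, "non-standard payload"


def scan(packets):
    """Run the heuristic over raw ICMP packets and return the flagged ones in order."""
    return [hit for hit in map(classify_echo, packets) if hit is not None]


# Constructed sample traffic: two ordinary pings, one reply, and two LOKI2-style packets.
SAMPLE_PACKETS = [
    build_echo(0x1A2B, 1, bytes(16) + LINUX_FILLER),              # Linux ping, timeval zeroed
    build_echo(0x0001, 9, WINDOWS_FILLER),                        # Windows ping
    build_echo(0x1A2B, 1, bytes(16) + LINUX_FILLER, reply=True),  # reply to the first
    build_echo(0xBEEF, 1, b"cat /etc/passwd\n"),                  # command carried in an echo request
    build_echo(0xBEEF, 2, bytes((i * 73 + 41) % 256 for i in range(64)), reply=True),  # stand-in for an encrypted reply
]

if __name__ == "__main__":
    for ident, seq, reason in scan(SAMPLE_PACKETS):
        print(f"id=0x{ident:04x} seq={seq}: {reason}")
```

A real deployment would key the same heuristic off a packet capture rather than constructed packets, and would add the counterpart check: matching echo identifiers whose request and reply payloads differ in length or content, which is what a tunnel looks like and what a real ping never does.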
Joseph Carson, Chief Security Scientist at Thycotic, said:
“I see no surprises in today’s Kaspersky disclosure. The methods revealed by Kaspersky Lab and links to Moonlight Maze are well known and common techniques that have been used for many years.... These techniques were originally used for attackers to remain anonymous, making it difficult to trace the attacker and can even be seen in DDoS attacks as far back as 2001 in the GRC Tale. The main difference here is that Moonlight was not only meant to remain hidden, but also use the target as a stepping stone to get further deep into the network and additional targets.”
Read the full Kaspersky Lab report here, detailing the researchers' complete process.