Attackers prefer to reuse code and tools for as long as they keep working. In that tradition, researchers have found evidence suggesting a cyberespionage group is still successfully using tools and infrastructure that was first deployed in attacks 20 years ago.
The Moonlight Maze refers to the wave of attacks that targeted U.S. military and government networks, universities, and research institutions back in the mid-to-late 1990s. While the Moonlight Maze disappeared from the radar after the FBI and Department of Defense investigation became public in 1999, there were whispers within the security community that the cyberespionage group never entirely went away. Turla, a Russian-speaking attack group that’s also known as Venomous Bear, Uroburos, and Snake, was floated as a possibility, but until recently, all links were guesswork and speculation.
Now, researchers from Kaspersky Lab and Kings College London believe they have found the technical evidence linking Turla and Moonlight Maze.
After analyzing Penguin Turla (the Linux-based backdoor tool used by Turla) and the open source data extraction tool-based backdoor used in the Moonlight Maze attacks, the researchers concluded they were both established on the open source LOKI2 program released in Phrack magazine in 1996. The Moonlight Maze backdoor has not been deployed in modern attacks, but the fact that Penguin Turla uses the same code was significant, said Kaspersky Lab researcher Juan Andres Guerrero-Saade.
“It’s an interesting tool, and it obviously was a favorite of the Moonlight Maze attackers,” Guerrero-Saade said, noting that of the 43 Moonlight Maze binaries the researchers studied, nine were examples of the backdoor based on LOKI2.
On the surface, there aren’t a lot of commonalities between Moonlight Maze and Turla. Moonlight Maze targeted Sun Solaris systems and used the infected machines to look for more victims on the same network. A sniffer component collected all the activity on the victim machines, creating near-complete logs of everything the attackers did. “The attackers created their own digital footprint for perpetuity,” Kaspersky Lab researchers wrote in a blog post.
In contrast, Turla targets Windows machines and has several usual features, most notably the fact that it hijacks unencrypted satellite links to quietly exfiltrate data stolen from victim networks. However, Penguin Turla is typically used in second-wave attacks using *nix-based servers to exfiltrate data from compromised networks.
Cyberespionage operations and sophisticated attacks aren’t always about the latest new code. The attack group recycled and reused code in its arsenal, adding new functionality as their operations evolved. Researchers were able to trace the backdoor code to LOKI2, compiled for Linux versions 2.2.0 and 2.2.5 released in 1999, as well as to linked binaries libpcap and OpenSSL from the early 2000s. The code is still in use, as Kaspersky Lab saw new Penguin Turla samples aimed at a target in Germany last month.
Guerrero-Saade said it was “terrifying” that a 20-year-old hacking tool could still be relevant and succeed in attacks against modern operating systems and networks. Moonlight Maze attackers didn’t have to take advantage of any sophisticated tricks to bypass antivirus companies or security defenses. And it’s disturbing to see that old code evolve into Penguin Turla, link to old libraries, and still work against modern machines.
The evidence tying the two attack groups came from a server that was compromised during the Moonlight Maze attacks. After the compromise was detected, investigators started logging everything happening on the server, which the attackers were using as a relay server. Investigators gained full visibility into the attacks over a six-month period in 1998 and 1999, including attack logs and attack tools. A system administrator had hung onto the forensics images all these years and shared the information with the researchers.
“We uncovered a time capsule,” Guerro-Saade said.
While the evidence connecting Moonlight Maze and recent Turla campaigns is solid, researchers stopped short of saying the attackers are the same group. Kaspersky Lab does not engage in attribution, but there are intriguing implications. The FBI had sent investigators to Moscow in the 1990s as part of its investigation, and the investigators came back convinced Moonlight Maze was the work of Russian state actors, said Thomas Rid, the Kings College researcher who worked with Kaspersky Lab.
Researchers plan to keep digging to find more technical evidence linking Moonlight Maze and Turla, they said.
Write to us email@example.com