Researchers from Kaspersky Lab and King's College London, investigating how a modern threat actor is linked to the Moonlight Maze attacks that targeted the Pentagon, NASA and other organizations in the late 1990s, have unearthed samples, log archives and artifacts belonging to this "ancient" APT.
The findings show that a backdoor used in 1998 by Moonlight Maze to channel information out of a victim's network is related to a backdoor used by Turla in 2011, and possibly as recently as 2017.
If the relationship between Turla and Moonlight Maze is proven, it would place this advanced threat actor alongside the Equation Group in terms of longevity, since some of Equation's command-and-control servers date back to 1996.
Existing accounts of Moonlight Maze show that, starting in 1996, US military and government networks, as well as universities, research institutes and even the Department of Energy, began detecting intrusions into their systems. In 1998, the FBI and the Department of Defense launched a massive investigation. The story became public in 1999, but much of the evidence has remained classified, keeping the details of Moonlight Maze shrouded in secrecy and myth.
Over the years, the original investigators in three different countries have stated that Moonlight Maze evolved into Turla, a Russian-speaking threat actor also known as Snake, Uroburos, Venomous Bear and Krypton. Turla is conventionally believed to have been active since 2007.
Moonlight Maze: The "forgotten" samples
In 2016, Thomas Rid of King's College London, while researching his book Rise of the Machines, tracked down a former system administrator whose organization's server had been hijacked as a proxy by the Moonlight Maze attackers. This server, called "HRTest", had been used to launch attacks on the US. The now-retired IT professional had kept the original server and copies of everything related to the attacks, and he handed them over to King's College London and Kaspersky Lab for further analysis.
Kaspersky Lab researchers Juan Andres Guerrero-Saade and Costin Raiu, together with Thomas Rid and Danny Moore of King's College, spent nine months conducting a detailed technical analysis of these samples. They reconstructed the attackers' operations, tools and techniques, and ran a parallel investigation to see whether they could prove the claimed link to Turla.
Moonlight Maze was an open-source, Unix-based attack targeting Solaris systems, and the findings suggest that it made use of a backdoor based on LOKI2 (a program released in 1996 that allowed users to extract data through covert channels). This led the researchers to take a second look at some rare Linux samples used by Turla that Kaspersky Lab had discovered in 2014. Named Penquin Turla, these samples are also based on LOKI2, and the review further showed that all of them use code created between 1999 and 2004.
Remarkably, this code is still being used in attacks today. In 2011 it was spotted in the wild in an attack on the Swiss defence contractor RUAG, an attack attributed to Turla. Then, in March 2017, Kaspersky Lab researchers discovered a new sample of the Penquin Turla backdoor on a system in Germany. It is likely that Turla uses this old code for attacks on high-security organizations, since these may be harder to breach with its more typical Windows tools.
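LOKI2-style covert channels hide data inside ICMP echo payloads that ordinary monitoring treats as ping traffic. The following is an added example, not code from this page or from the Kaspersky Lab and King's College research, of one way a defender can triage captured ICMP echo payloads: it first allowlists the padding patterns that the Linux iputils and Windows ping utilities generate, and only then flags remaining payloads whose Shannon entropy is high. The packet records and payloads are constructed here for the demonstration, the 4.0-bit entropy threshold is an assumed tuning value, and the padding checks are simplified heuristics, not LOKI2 signatures.

```python
import hashlib
import math
from dataclasses import dataclass

# Default padding used by Windows ping.exe (32 bytes, repeated for larger sizes).
WINDOWS_PAD = b"abcdefghijklmnopqrstuvwabcdefghi"

# Assumed tuning value: payloads at or above this entropy (bits per byte)
# that match no known padding pattern are flagged for analyst review.
ENTROPY_THRESHOLD = 4.0


@dataclass
class IcmpEcho:
    """Minimal record of one ICMP echo request/reply, as a capture tool might emit it."""
    src: str
    dst: str
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_linux_ping(payload: bytes) -> bool:
    """iputils ping fills the payload after its timestamp (8 or 16 bytes, depending on
    the platform's struct timeval) with bytes equal to their own offset: 0x10, 0x11, ..."""
    for ts_len in (8, 16):
        body = payload[ts_len:]
        if body and all(b == (ts_len + i) & 0xFF for i, b in enumerate(body)):
            return True
    return False


def looks_like_windows_ping(payload: bytes) -> bool:
    """Windows ping repeats its fixed alphabet pattern to fill the requested size."""
    if not payload:
        return False
    reps = len(payload) // len(WINDOWS_PAD) + 1
    return payload == (WINDOWS_PAD * reps)[: len(payload)]


def classify(pkt: IcmpEcho) -> str:
    """Triage verdict for one packet: 'benign-pad', 'suspect-covert' or 'unknown'."""
    if looks_like_linux_ping(pkt.payload) or looks_like_windows_ping(pkt.payload):
        return "benign-pad"
    if shannon_entropy(pkt.payload) >= ENTROPY_THRESHOLD:
        return "suspect-covert"
    return "unknown"


def scan(packets: list) -> dict:
    """Verdict per packet, keyed by (src, dst)."""
    return {(p.src, p.dst): classify(p) for p in packets}


def sample_packets() -> list:
    """Constructed packets for the demonstration (not captured traffic)."""
    linux_payload = b"\x00" * 16 + bytes(range(16, 56))   # 56-byte default, 16-byte timeval
    windows_payload = WINDOWS_PAD                            # 32-byte Windows default
    # Stand-in for tunnelled data: a deterministic high-entropy blob.
    covert_payload = b"exfil:" + hashlib.sha256(b"constructed").digest() * 2
    zero_payload = b"\x00" * 56                              # unusual but low-entropy
    return [
        IcmpEcho("10.0.0.5", "10.0.0.1", linux_payload),
        IcmpEcho("10.0.0.7", "10.0.0.1", windows_payload),
        IcmpEcho("10.0.0.9", "203.0.113.10", covert_payload),
        IcmpEcho("10.0.0.11", "10.0.0.1", zero_payload),
    ]


if __name__ == "__main__":
    for (src, dst), verdict in scan(sample_packets()).items():
        print(f"{src} -> {dst}: {verdict}")
```

Order matters: the benign padding patterns themselves score above 4 bits (the iputils fill is forty distinct bytes, the Windows alphabet has 23 distinct letters in 32 bytes), so an entropy test applied before the allowlist would flag every ordinary ping. In practice the allowlist also needs the padding of whatever other ping implementations the network legitimately carries, and the threshold should be tuned against a baseline capture.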
"At the end of the 1990s, no one foresaw the reach and persistence of a coordinated digital espionage campaign. We have to ask ourselves why attackers are still able to make good use of 'ancient' code in modern attacks. The analysis of the Moonlight Maze samples is not just a fascinating archaeological study. It is also a reminder that well-resourced adversaries are not going anywhere. It is up to us to defend systems by developing the appropriate skills," said Juan Andres Guerrero-Saade, Senior Security Researcher in the Global Research and Analysis Team at Kaspersky Lab.
The Moonlight Maze files that have recently come to light reveal many fascinating details about how the attacks were carried out through a complex network of proxies, and about the high level of skill and tooling of the attackers.
More information about the Moonlight Maze attack sequence and its typology can be found below:
For more information, read the blog post on Securelist.com.