Researchers from Kaspersky Lab and King's College London, investigating how a modern threat actor is linked to the Moonlight Maze attacks that targeted the Pentagon, NASA and other organizations in the late 1990s, have unearthed samples, logs and artefacts belonging to this "ancient" APT.
The findings show that a backdoor used by Moonlight Maze in 1998 to channel information out of the victims' networks is linked to a backdoor used by Turla in 2011 and possibly as recently as 2017.
If the relationship between Turla and Moonlight Maze is proven, it would place this advanced threat actor alongside the Equation Group in terms of longevity, as some of Equation's command-and-control servers date back to 1996.
Contemporary reports on Moonlight Maze show that, starting in 1996, US military and government networks, as well as universities, research institutes and even the Department of Energy, began to detect breaches of their systems. In 1998, the FBI and the Department of Defense launched a huge investigation. The story became public in 1999, but much of the material remained classified, keeping the details secret and leaving Moonlight Maze shrouded in myth.
Over the years, various researchers in three different countries have stated that Moonlight Maze evolved into Turla, a Russian-speaking threat actor also known as Snake, Uroburos, Venomous Bear and Krypton. Turla is conventionally considered to have been active since 2007.
Moonlight Maze: The "forgotten" samples
In 2016, Thomas Rid of King's College London, while researching his book Rise of the Machines, tracked down a former system administrator whose organization's server had been hijacked as a proxy by the Moonlight Maze attackers. This server, called "HRTest", was used to launch attacks on the US. The now-retired IT professional had kept the original server and copies of everything related to the attacks, which he handed over to King's College London and Kaspersky Lab for further analysis.
Kaspersky Lab researchers Juan Andres Guerrero-Saade and Costin Raiu, together with Thomas Rid and Danny Moore of King's College London, spent nine months conducting a detailed technical analysis of these samples. They reconstructed the attackers' operations, tools and techniques, and ran a parallel investigation to see whether they could prove the alleged connection to the Turla attacker.
Moonlight Maze was an open-source, Unix-based attack toolkit targeting Solaris systems, and the findings suggest it probably exploited a security hole that existed in LOKI2 (a program released in 1996 that enabled users to extract data through covert channels). This led the researchers to take a second look at some rare Linux samples used by Turla, which Kaspersky Lab had discovered in 2014. These samples, too, are based on LOKI2. The review also showed that all of them use code created between 1999 and 2004.
It is remarkable that this code is still being used in attacks today. In 2011 it was identified in the wild in an attack on the Swiss defence company RUAG, an attack attributed to Turla. Then, in March 2017, Kaspersky Lab researchers discovered a new sample of the Penquin Turla backdoor on a system in Germany. It is likely that Turla uses the old code for attacks on highly secured organizations, which may be more difficult to breach using its more typical Windows tools.
"At the end of the 1990s, no one predicted the scope and persistence of a coordinated digital espionage campaign. We have to ask ourselves why attackers are still able to make good use of 'ancient' code in modern attacks. The analysis of the Moonlight Maze samples is not just a fascinating archaeological study. It is also a reminder that well-resourced adversaries are not going anywhere. It is up to us to defend systems by developing the appropriate skills," said Juan Andres Guerrero-Saade, a security researcher in Kaspersky Lab's Global Research and Analysis Team.
The Moonlight Maze files that recently came to light reveal many fascinating details about how the attacks were carried out through a complex network of proxies, and about the high level of skill and tooling of the attackers.
More information about the Moonlight Maze attack sequence and its typology can be found below:
For more information, read the blog post on the dedicated Securelist.com website.