Moonlight Maze: A 20-year-old attack that remains topical

Researchers from Kaspersky Lab and King's College London, investigating how a modern threat actor is linked to the Moonlight Maze attacks that targeted the Pentagon, NASA and other organisations in the late 1990s, have uncovered samples, logs and artifacts belonging to this "ancient" APT.

The findings show that a backdoor used by Moonlight Maze in 1998 to channel information out of victims' networks is linked to a backdoor used by Turla in 2011 and possibly as recently as 2017.

If the relationship between Turla and Moonlight Maze is proven, it would place the advanced threat actor alongside the Equation Group in terms of longevity, as some of Equation's command-and-control servers date back to 1996.

Contemporary reports on Moonlight Maze show that, beginning in 1996, US military and government networks, as well as universities, research institutions and even the Department of Energy, began to detect breaches in their systems. In 1998, the FBI and the Department of Defense launched a huge investigation. The story came to light in 1999, but much of it remained classified, keeping the full account secret and leaving the details of Moonlight Maze shrouded in myth.

Over the years, the original investigators in three different countries have stated that Moonlight Maze evolved into Turla, a Russian-speaking threat actor also known as Snake, Uroburos, Venomous Bear and Krypton. Turla is conventionally considered to have been active since 2007.

Moonlight Maze: the "forgotten" samples

In 2016, Thomas Rid of King's College London, while researching his book Rise of the Machines, tracked down a former system administrator whose organisation's server had been hijacked as a proxy by the Moonlight Maze attackers. This server, named 'HRTest', had been used to launch attacks against the US. The now-retired IT professional had kept the original server and copies of everything related to the attacks, which he handed over to King's College and Kaspersky Lab for further analysis.

Kaspersky Lab researchers Juan Andres Guerrero-Saade and Costin Raiu, together with Thomas Rid and Danny Moore of King's College London, spent nine months conducting a detailed technical analysis of these samples. They reconstructed the attackers' operations, tools and techniques, and ran a parallel investigation to see whether they could prove the alleged connection to Turla.

Moonlight Maze was an open-source, Unix-based attack that targeted Solaris systems, and the findings suggest it used an exploit based on LOKI2 (a program released in 1996 that allowed users to extract data via covert channels). This led the researchers to take a second look at some rare Linux samples used by Turla, which Kaspersky Lab had discovered in 2014. Named Penquin Turla, these samples are also based on LOKI2. The review also showed that all of them use code created between 1999 and 2004.

It is remarkable that this code is still being used in attacks today. In 2011 it was identified in the wild, in an attack on the Swiss defence company RUAG that was attributed to Turla. Then, in March 2017, Kaspersky Lab researchers discovered a new sample of the Penquin Turla backdoor on a system in Germany. It is likely that Turla uses the old code for attacks on highly secure organisations, which may be harder to breach using more typical Windows toolsets.

"At the end of the 1990s, no one predicted the scope and persistence of a coordinated digital espionage campaign. We have to ask ourselves why attackers are still able to make good use of 'ancient' code in modern attacks. The analysis of the Moonlight Maze samples is not just a fascinating archaeological study. It's also a reminder that well-resourced adversaries are not going anywhere. It is up to us to defend systems by developing the appropriate skills," said Juan Andres Guerrero-Saade, security researcher in Kaspersky Lab's Global Research and Analysis Team.

The recently uncovered Moonlight Maze files reveal many fascinating details about how the attacks were carried out through a complex network of proxies, and about the high level of skill and the tools used by the attackers.

More information about the Moonlight Maze attack sequence and its characteristics can be found in the dedicated blog post on Securelist.com.

Written by Dimitris