
The hunt for the dawn of APTs: a 20 year-old attack that remains relevant

4 April 2017

The Moonlight Maze cyber-espionage attacks sent shockwaves through the US in the late 1990s – two decades later, researchers uncover the original attack tools and find a link to a modern APT

Kaspersky Lab and Kings College London researchers, looking for a link between a modern threat actor and the Moonlight Maze attacks that targeted the Pentagon, NASA and more in the late 1990s, have unearthed samples, logs and artefacts belonging to the ancient APT. The findings show that a backdoor used in 1998 by Moonlight Maze to tunnel information out of victim networks connects to a backdoor used by Turla in 2011 and possibly as recently as 2017. If the link between Turla and Moonlight Maze is proven, it would place the evolved threat actor alongside the Equation Group in terms of its longevity, as some of Equation’s command-and-control servers date back to 1996.

Contemporary reports on Moonlight Maze show how, starting from 1996, US military and government networks, as well as universities, research institutions and even the Department of Energy began detecting breaches in their systems. In 1998, the FBI and the Department of Defense launched a massive investigation. The story became public in 1999, but much of the evidence has remained classified, leaving the details of Moonlight Maze shrouded in myth and secrecy.

Over the years, original investigators in three different countries have stated that Moonlight Maze evolved into Turla, a Russian-speaking threat actor also known as Snake, Uroburos, Venomous Bear, and Krypton. Turla is conventionally believed to have been active since 2007.

The ‘Cupboard Samples’

In 2016, while researching his book, Rise of the Machines, Thomas Rid of Kings College London tracked down a former system administrator whose organization’s server had been hijacked as a proxy by the Moonlight Maze attackers. This server, ‘HRTest’, had been used to launch attacks on the US. The now-retired IT professional had kept the original server and copies of everything relating to the attacks, and handed it to Kings College and Kaspersky Lab for further analysis.

Kaspersky Lab researchers, Juan Andres Guerrero-Saade and Costin Raiu, together with Thomas Rid and Danny Moore from Kings College, spent nine months undertaking a detailed technical analysis of these samples. They reconstructed the attackers’ operations, tools, and techniques, and conducted a parallel investigation to see if they could prove the claimed connection with Turla.

Moonlight Maze was an open-source Unix-based attack targeting Solaris systems, and the findings show that it made use of a backdoor based on LOKI2 (a program released in 1996 that enables users to extract data via covert channels). This led the researchers to take a second look at some rare Linux samples used by Turla that Kaspersky Lab had discovered in 2014. Named Penquin Turla, these samples are also based on LOKI2. Further, the re-analysis showed that all of them use code created between 1999 and 2004. Remarkably, this code is still being used in attacks. It was spotted in the wild in 2011 when it was found in an attack on defense contractor Ruag in Switzerland that has been attributed to Turla. Then, in March 2017, Kaspersky Lab researchers discovered a new sample of the Penquin Turla backdoor submitted from a system in Germany. It is possible that Turla uses the old code for attacks on highly secure entities that might be harder to breach using its more standard Windows toolset.
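The paragraph above describes the LOKI2 lineage of the Moonlight Maze and Penquin Turla backdoors without showing what the covert channel looks like on the wire. The following is an added detection example, not code from Kaspersky Lab, Kings College or the recovered samples. It assumes the documented LOKI2 behaviour of carrying data inside ICMP echo request/reply payloads, and it works on constructed packet records rather than real captures. The heuristics are ones a defender can apply to any ICMP echo conversation: a reply whose payload does not echo the request, payloads that match no known ping fill pattern, and payload sizes that vary within one conversation.

```python
"""Heuristic detector for ICMP echo covert channels of the LOKI2 style.

Added example (not Kaspersky Lab code). Assumption: LOKI2-style tunnels
carry data in the payload of ICMP echo requests and replies, so the reply
no longer echoes the request byte-for-byte as a real ping reply does.
Packet records below are constructed for the example.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class IcmpRecord:
    src: str
    dst: str
    icmp_type: int   # 8 = echo request, 0 = echo reply
    seq: int         # ICMP sequence number, used to pair request with reply
    payload: bytes


def is_ascending_fill(p: bytes) -> bool:
    """Linux ping: 8-byte timestamp followed by 0x10, 0x11, 0x12, ..."""
    body = p[8:] if len(p) > 8 else p
    return len(body) >= 2 and all(body[i] + 1 == body[i + 1] for i in range(len(body) - 1))


def is_repeating_text_fill(p: bytes) -> bool:
    """Windows ping: the 23-letter run 'abcdefghijklmnopqrstuvw' repeated."""
    period = 23
    return (len(p) >= period and p.isascii() and p.isalpha()
            and all(p[i] == p[i % period] for i in range(len(p))))


def is_benign_fill(p: bytes) -> bool:
    """True for empty, all-zero, or well-known ping fill payloads."""
    return not p or set(p) == {0} or is_ascending_fill(p) or is_repeating_text_fill(p)


def analyse(records):
    """Return {(client, server): [reasons]} for conversations with tunnel-like traits."""
    pending = {}                    # (client, server, seq) -> request payload
    findings = defaultdict(list)
    sizes = defaultdict(set)        # distinct payload sizes per conversation
    for r in records:
        if r.icmp_type == ECHO_REQUEST:
            pair = (r.src, r.dst)
            pending[(r.src, r.dst, r.seq)] = r.payload
        elif r.icmp_type == ECHO_REPLY:
            pair = (r.dst, r.src)
            req = pending.pop((r.dst, r.src, r.seq), None)
            # A genuine echo reply mirrors the request payload exactly.
            if req is not None and req != r.payload:
                findings[pair].append(f"seq {r.seq}: reply payload differs from request")
        else:
            continue                # other ICMP types are out of scope here
        sizes[pair].add(len(r.payload))
        if not is_benign_fill(r.payload):
            findings[pair].append(f"seq {r.seq}: payload is not a known ping fill pattern")
    for pair, s in sizes.items():
        if len(s) > 1:              # ping keeps one size; a tunnel varies with its data
            findings[pair].append(f"{len(s)} distinct payload sizes in one conversation")
    return dict(findings)


# Constructed sample traffic: one ordinary Linux ping exchange and one
# conversation whose payloads are opaque, asymmetric and of varying size.
LINUX_FILL = bytes(8) + bytes(range(0x10, 0x38))   # 56 bytes, timestamp zeroed
BLOB = hashlib.sha256(b"constructed-sample").digest()  # stand-in for encrypted data


def constructed_records():
    benign = [
        IcmpRecord("10.0.0.5", "10.0.0.1", ECHO_REQUEST, 1, LINUX_FILL),
        IcmpRecord("10.0.0.1", "10.0.0.5", ECHO_REPLY, 1, LINUX_FILL),
        IcmpRecord("10.0.0.5", "10.0.0.1", ECHO_REQUEST, 2, LINUX_FILL),
        IcmpRecord("10.0.0.1", "10.0.0.5", ECHO_REPLY, 2, LINUX_FILL),
    ]
    tunnel = [
        IcmpRecord("10.0.0.7", "203.0.113.9", ECHO_REQUEST, 1, BLOB),
        IcmpRecord("203.0.113.9", "10.0.0.7", ECHO_REPLY, 1, BLOB[::-1] + BLOB),
        IcmpRecord("10.0.0.7", "203.0.113.9", ECHO_REQUEST, 2, BLOB[:20]),
        IcmpRecord("203.0.113.9", "10.0.0.7", ECHO_REPLY, 2, BLOB * 3),
    ]
    return benign + tunnel


if __name__ == "__main__":
    for pair, reasons in analyse(constructed_records()).items():
        print(f"{pair[0]} -> {pair[1]}")
        for reason in reasons:
            print("   ", reason)
```

The request/reply mismatch check is the strongest of the three signals, because a host that answers an echo request with different bytes is by definition not behaving as an ICMP echo responder; the fill-pattern and size-variance checks catch one-directional exfiltration where no reply is ever seen. In a real deployment the records would come from a packet capture or NetFlow-style export and the thresholds would be tuned against the organisation's own ping traffic.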

“In the late 1990s, no-one foresaw the reach and persistence of a coordinated cyberespionage campaign. We need to ask ourselves why it is that attackers are still able to successfully leverage ancient code in modern attacks. The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren’t going anywhere, it’s up to us to defend systems with skills to match,” said Juan Andres Guerrero-Saade, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab.

The newly unearthed Moonlight Maze files reveal many fascinating details about how the attacks were conducted using a complex network of proxies, and the high level of skills and tools used by the attackers. Further information on the attack sequence and typology can be found here.

For further information please read the blog on Securelist.com.

Kaspersky Lab products successfully detect and block malware used by Moonlight Maze and Penquin Turla. Details of the Cupboard Samples logs and scripts, as well as Indicators of Compromise and hashes to help organizations search for traces of these attack groups in their corporate networks are here.

Detailed advance intelligence on the latest threats and threat actors is available to customers of the Kaspersky Lab APT Intelligence Reporting service. Learn more here.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky continually transforms deep threat intelligence and security technology into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the world. The company offers a comprehensive security portfolio, including leading endpoint protection solutions, a range of specialised security solutions and services, and Cyber Immune solutions to counter sophisticated and evolving digital threats. Over 400 million users worldwide are protected by Kaspersky technologies, and we help 200,000 corporate clients around the world protect what matters most to them. Learn more at www.kaspersky.com.cn.
