How code from 20-year-old 'Moonlight Maze' cyber attacks was linked with Turla malware

Code analysis identifies 20-year history of malware linked to Russian government

A 20-year-old advanced persistent threat, labelled Moonlight Maze, has been linked to the Turla malware family following an in-depth code analysis by researchers at King's College London and security software company Kaspersky.

Moonlight Maze targeted Pentagon and NASA systems in the late 1990s, exploiting security flaws in Sun Microsystems' (now Oracle's) Solaris Unix operating system. While some details of the attacks were publicised at the time, much of the story was kept quiet.

The research by King's College and Kaspersky indicates that a backdoor used by Moonlight Maze in 1998 to tunnel information out of targeted networks is connected to a backdoor used by Turla in 2011, and possibly again in 2017.

The findings show that Moonlight Maze used a backdoor based on LOKI2, a tool from 1996 that tunnels data out of a network over covert channels.

This led the researchers to take a second look at some rare Linux samples used by Turla that Kaspersky had discovered in 2014. Named Penquin Turla, these samples are also based on LOKI2, and the re-analysis showed that all of them use code written between 1999 and 2004.
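The covert channel LOKI2 is known for, and which the passages above on the Moonlight Maze and Penquin Turla backdoors refer to, is carrying arbitrary data in the data field of ICMP echo request and reply packets, so that the traffic looks like ordinary ping exchanges. The following is an added example, not code from the research or from Kaspersky, of a check a defender can run over captured ICMP packets to separate ping fill from tunnelled data. It relies on one property of common ping implementations: after a timestamp at the front of the payload they fill the rest with a counting byte pattern, whereas shell output or ciphertext in the same field does not count upwards. The packets and the 16-byte timestamp size are constructed for the example; the threshold is an assumption to tune against real traffic.

```python
"""Heuristic check for ICMP echo payloads carrying data instead of ping fill.

Added illustration of the LOKI2-style ICMP covert channel; not code from the
King's College / Kaspersky research. All packets below are constructed inline.
"""
import hashlib
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_HDR = struct.Struct("!BBHHH")  # type, code, checksum, identifier, sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo packet (header + payload) with a valid checksum."""
    hdr = ICMP_HDR.pack(icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return ICMP_HDR.pack(icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes):
    """Return (type, code, ident, seq, payload), or None if truncated or corrupt."""
    if len(pkt) < ICMP_HDR.size:
        return None
    icmp_type, code, _csum, ident, seq = ICMP_HDR.unpack_from(pkt)
    # Summing a valid packet including its own checksum field yields zero.
    if icmp_checksum(pkt) != 0:
        return None
    return icmp_type, code, ident, seq, pkt[ICMP_HDR.size:]


def fill_pattern_ratio(payload: bytes, skip: int = 16) -> float:
    """Fraction of adjacent byte pairs that increase by exactly one.

    `skip` leaves out the timestamp ping puts at the front of the payload
    (16 bytes assumed here). Counting fill scores close to 1.0; tunnelled
    text or ciphertext scores far lower. Note that a plain entropy test would
    not work: a counting pattern has high byte entropy too.
    """
    body = payload[skip:]
    if len(body) < 2:
        return 1.0  # too short to judge; treat as benign
    steps = sum(1 for a, b in zip(body, body[1:]) if (a + 1) & 0xFF == b)
    return steps / (len(body) - 1)


def suspicious_echo_packets(packets, threshold: float = 0.8):
    """Return (index, reason) for echo packets whose payload is not ping-like."""
    findings = []
    for i, pkt in enumerate(packets):
        parsed = parse_icmp(pkt)
        if parsed is None:
            findings.append((i, "malformed or bad checksum"))
            continue
        icmp_type, _code, _ident, _seq, payload = parsed
        if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue
        ratio = fill_pattern_ratio(payload)
        if ratio < threshold:
            findings.append((i, "payload pattern ratio %.2f" % ratio))
    return findings


def sample_packets():
    """Constructed traffic: an ordinary ping pair, a tunnelled command result,
    a tunnelled ciphertext-like reply, and a packet truncated on the wire."""
    timestamp = struct.pack("!QQ", 1, 2)            # stands in for the timeval
    ping_data = timestamp + bytes(range(0x10, 0x38))  # counting fill, 56 bytes
    tunnel_out = b"uid=0(root) gid=0(root) groups=0(root)\n".ljust(56, b"\x00")
    tunnel_in = (hashlib.sha256(b"constructed sample").digest() * 2)[:56]
    return [
        build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, ping_data),
        build_echo(ICMP_ECHO_REPLY, 0x1234, 1, ping_data),
        build_echo(ICMP_ECHO_REQUEST, 0xBEEF, 7, tunnel_out),
        build_echo(ICMP_ECHO_REPLY, 0xBEEF, 7, tunnel_in),
        build_echo(ICMP_ECHO_REPLY, 0xBEEF, 8, ping_data)[:5],
    ]


if __name__ == "__main__":
    for index, reason in suspicious_echo_packets(sample_packets()):
        print("packet %d: %s" % (index, reason))
```

In practice the check is run over the ICMP layer of a pcap (strip the Ethernet and IP headers first), and a second signal worth correlating is the echo identifier and sequence numbers: a real ping increments the sequence per packet and pairs each request with one reply, while a tunnel often does neither.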

Furthermore, Kaspersky says the code is still being used in attacks today.

It was first spotted in the wild in 2011, in an attack on Swiss defence contractor Ruag that was attributed to Turla. In March 2017, Kaspersky researchers discovered a new sample of the Penquin Turla backdoor, this time submitted from a system in Germany.

The researchers suggest that Turla may use the old code for attacks on highly secure entities that would be harder to breach with its more standard Windows toolset.

"In the late 1990s, no-one foresaw the reach and persistence of a coordinated cyber-espionage campaign. We need to ask ourselves why it is that attackers are still able to successfully leverage ancient code in modern attacks.

"The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren't going anywhere, it's up to us to defend systems with skills to match," said Juan Andres Guerrero-Saade, senior security researcher at Kaspersky.

As part of the research, Kaspersky and the researchers at King's College were able to conduct forensics on a server that had been used as a proxy in the original Moonlight Maze attacks.

This server, 'HRTest', had been used to launch attacks on the US. The now-retired IT professional responsible for it had kept it, along with copies of everything relating to the attacks, and made his files available to King's College and Kaspersky for their analysis.

Although kept quiet for 20 years, the Moonlight Maze story was covered by Thomas Rid, professor of security studies at King's College London, in 'Rise of the Machines: The lost history of cybernetics', published in September 2016.