A 20-year-old cyberattack in US that remains relevant
The hunt for dawn of APTs
DUBAI, April 6: Kaspersky Lab and Kings College London researchers, looking for a link between a modern threat actor and the Moonlight Maze attacks that targeted the Pentagon, NASA and more in the late 1990s, have unearthed samples, logs and artefacts belonging to the ancient Advanced Persistent Treat (APT). The findings show that a backdoor used in 1998 by Moonlight Maze to tunnel information out of victim networks connects to a backdoor used by Turla in 2011 and possibly as recently as 2017. If the link between Turla and Moonlight Maze is proven, it would place the evolved threat actor alongside the Equation Group in terms of its longevity, as some of Equation’s command-and-control servers date back to 1996.
Contemporary reports on Moonlight Maze show how, starting from 1996, US military and government networks, as well as universities, research institutions and even the Department of Energy began detecting breaches in their systems. In 1998, the FBI and the Department of Defense launched a massive investigation. The story became public in 1999, but much of the evidence has remained classified, leaving the details of Moonlight Maze shrouded in myth and secrecy.
Over the years, original investigators in three different countries have stated that Moonlight Maze evolved into Turla, a Russian-speaking threat actor also known as Snake, Uroburos, Venomous Bear, and Krypton. Turla is conventionally believed to have been active since 2007.
Guerrero-Saade
The ‘Cupboard Samples’
In 2016, while researching his book, Rise of the Machines, Thomas Rid of Kings College London tracked down a former system administrator whose organization’s server had been hijacked as a proxy by the Moonlight Maze attackers. This server, ‘HRTest’, had been used to launch attacks on the US. The now-retired IT professional had kept the original server and copies of everything relating to the attacks, and handed it to Kings College and Kaspersky Lab for further analysis.
Kaspersky Lab researchers, Juan Andres Guerrero-Saade and Costin Raiu, together with Thomas Rid and Danny Moore from Kings College, spent nine months undertaking a detailed technical analysis of these samples. They reconstructed the attackers’ operations, tools, and techniques, and conducted a parallel investigation to see if they could prove the claimed connection with Turla.
Moonlight Maze was an opensource Unix-based attack targeting Solaris systems, and the findings show that it made use of a backdoor based on LOKI2 (a program released in 1996 that enables users to extract data via covert channels). This led the researchers to take a second look at some rare Linux samples used by Turla that Kaspersky Lab had discovered in 2014. Named Penquin Turla, these samples are also based on LOKI2. Further, the re-analysis showed that all of them use code created between 1999 and 2004.
Attributed
Remarkably, this code is still being used in attacks. It was spotted in the wild in 2011 when it was found in an attack on defense contractor Ruag in Switzerland that has been attributed to Turla. Then, in March 2017, Kaspersky Lab researchers discovered a new sample of the Penquin Turla backdoor submitted from a system in Germany. It is possible that Turla uses the old code for attacks on highly secure entities that might be harder to breach using its more standard Windows toolset.
“In the late 1990s, no-one foresaw the reach and persistence of a coordinated cyberespionage campaign. We need to ask ourselves why it is that attackers are still able to successfully leverage ancient code in modern attacks. The analysis of the Moonlight Maze samples is not just a fascinating archaeological study; it is also a reminder that well-resourced adversaries aren’t going anywhere, it’s up to us to defend systems with skills to match,” said Juan Andres GuerreroSaade, Senior Security Researcher, Global Research and Analysis Team Kaspersky Lab.
The newly unearthed Moonlight Maze files reveal many fascinating details about how the attacks were conducted using a complex network of proxies, and the high level of skills and tools used by the attackers.
In addition, the participants discussed the biodiversity strategy of the UAE National Climate Change Plan, the UAE Green Agenda, the National Environmental Awareness and Education Strategy, as well as community and local agriculture priorities. Various programs and initiatives for 2017 in support of the UAE Green Growth Strategy were also on the agenda.
The Council also discussed the outcomes of the national plan adopted at the first meeting, the most important of which is to reduce and adapt to the impacts of climate change by setting clear targets for reducing harmful emissions and carbon footprint.
Promote
Al Zeyoudi said: “The agenda of the UAE Council for Climate Change and Environment stems from the UAE leadership’s vision to adopt best international practices to promote sustainable lifestyle in the country.”
He added: “We have discussed the mechanisms for implementing the Council’s national environmental plan for the next four years to contribute to the UAE’s relentless efforts to identify solutions to pressing current and future environmental challenges. Cooperation with the private sector is essential to instill a culture of sustainability among the country’s citizens and residents, and to preserve our environment for future generations.”
The national environmental plan includes the preparation and implementation of a national strategy to facilitate better adaptation to climate change, a lowcarbon development program in collaboration with the private sector, and various measures related to the UAE Green Agenda.
The meeting drew the participation of senior officials from several ministries in the UAE.
These included Yacoub Yousef Al Hosani, Assistant Minister for International Organization Affairs at the Ministry of Foreign Affairs and International Cooperation, Engineer Ibrahim Al Wahabi Assistant Undersecretary at the Ministry of Infrastructure Development, Abdulla Sultan Alfan Alshamsi, Assistant Undersecretary for Industrial Affairs at the Ministry of Economy, Khalid Ali Al Bustani, Assistant Undersecretary for International Financial Relations at the Ministry of Finance, and Engineer Fatima Mohammed Al Foora Al Shamsi, Assistant Undersecretary for Electricity and Water Affairs at the Ministry of Energy.
Local authorities were represented by Razan Khalifa Al Mubarak, Secretary-General of Environment Agency — Abu Dhabi, Khalifa Mohammad Al Mazrouei, Undersecretary at the Department of Municipal Affairs and Transport of Abu Dhabi, Hussain Nasser Lootah, Director-General of Dubai Municipality, Ahmed Butti Muhairbi, Secretary-General at the Supreme Council for Taqah — Dubai, Salem Mohammed Al Naqbi, Head of the Sharjah Department of Municipal Affairs and Agriculture, Hana Saif Al Suwaidi, Chairperson of the Sharjah Environment and Protected Areas Authority, Abdul Rahman Mohammed Al Nuaimi, Director-General of Ajman Municipality and Planning Department, Engineer Khalid Mueen Al Hosani, Executive Director of the Public Health and Environment Sector at Ajman Municipality and Planning Department, Munther Mohammed bin Shekar, Director-General of Ras Al Khaimah Municipality, Obaid Sultan Towarish, Acting Director-General of Umm Al Quwain Municipality, Engineer Yousef Jassem Al-Mansouri, Deputy Director of the Department of Planning and Survey — Umm Al Quwain, Engineer Mohammed Saif Al Afkham, Director-General of Fujairah Municipality, and Engineer Hassan Salem Al Yamahi, Director-General of Dibba Fujairah Municipality.
Private sector representatives included Essa Abdulla Al Ghurair, Chairman of Al Ghurair Resources, Dr Dalya Al Muthanna, President and CEO of GE Gulf, May Ibrahim Bumajeed, Group Head of Marketing and Corporate Communications at National Bank of Abu Dhabi, and Ibrahim Al Zu’bi, Head of Sustainability at Majid Al Futtaim Group.