Attackers prefer to reuse code and tools for as long as they keep working. In that tradition, researchers have found evidence suggesting a cyberespionage group is still successfully using tools and infrastructure that were first deployed in attacks 20 years ago.
The Moonlight Maze refers to the wave of attacks that targeted U.S. military and government networks, universities, and research institutions back in the mid-to-late 1990s. While the Moonlight Maze disappeared from the radar after the FBI and Department of Defense investigation became public in 1999, there were whispers within the security community that the cyberespionage group never entirely went away. Turla, a Russian-speaking attack group that's also known as Venomous Bear, Uroburos, and Snake, was floated as a possibility, but until recently, all links were guesswork and speculation.
Now, researchers from Kaspersky Lab and Kings College London believe they have found the technical evidence linking Turla and Moonlight Maze.
After analyzing Penguin Turla (the Linux-based backdoor tool used by Turla) and the backdoor used in the Moonlight Maze attacks, which was itself built on an open source data extraction tool, the researchers concluded that both were based on the open source LOKI2 program released in Phrack magazine in 1996. The Moonlight Maze backdoor has not been deployed in modern attacks, but the fact that Penguin Turla uses the same code is significant, said Kaspersky Lab researcher Juan Andres Guerrero-Saade.
"It's an interesting tool, and it obviously was a favorite of the Moonlight Maze attackers," Guerrero-Saade said, noting that of the 43 Moonlight Maze binaries the researchers studied, nine were examples of the backdoor based on LOKI2.
On the surface, there aren't a lot of commonalities between Moonlight Maze and Turla. Moonlight Maze targeted Sun Solaris systems and used the infected machines to look for more victims on the same network. A sniffer component collected all the activity on the victim machines, creating near-complete logs of everything the attackers did. "The attackers created their own digital footprint for perpetuity," Kaspersky Lab researchers wrote in a blog post.
In contrast, Turla targets Windows machines and has several unusual features, most notably the fact that it hijacks unencrypted satellite links to quietly exfiltrate data stolen from victim networks. Penguin Turla, however, is typically used in second-wave attacks that rely on *nix-based servers to exfiltrate data from compromised networks.
Cyberespionage operations and sophisticated attacks aren't always about the latest new code. The attack group recycled and reused code in its arsenal, adding new functionality as its operations evolved. Researchers were able to trace the backdoor code to LOKI2, compiled for Linux versions 2.2.0 and 2.2.5 released in 1999, as well as to linked libpcap and OpenSSL binaries from the early 2000s. The code is still in use: Kaspersky Lab saw new Penguin Turla samples aimed at a target in Germany last month.